Category: Commentary

    The Architectural Answer to the Mythos AI Security Vulnerability: GRIDS

    Security Brief for Central Banks and Regulators
    QPQ AG, Zug, Switzerland – 20 April 2026

    On 7 April 2026, Anthropic announced Mythos and Project Glasswing simultaneously. The two announcements cannot be understood separately: Mythos is the model; Project Glasswing is the defensive response to what it could do.

    What it could do: Mythos autonomously identified and exploited a 27-year-old vulnerability in OpenBSD – an operating system known specifically for its security record – granting root access from anywhere on the internet, without authentication, without human involvement after the initial instruction. Root access means complete control: the ability to read every file on the system, install anything, delete anything, impersonate any user, and move silently to every connected system – invisibly, at machine speed.

    Mythos found this flaw, built the exploit, and executed it autonomously. It can chain three to five such vulnerabilities end to end, and it found thousands of them across every major operating system and browser in production use.

    The Response

    Confronted with this, Anthropic initiated Project Glasswing, giving approximately 50 selected organisations – including Amazon Web Services, Apple, Google, JPMorganChase, Microsoft, and Nvidia – early access to scan and patch their own systems.

    Within days, the US Treasury Secretary and Fed Chair convened Wall Street’s largest bank CEOs for the first joint emergency meeting of its kind since October 2008. The Bank of Canada convened its Financial Sector Resiliency Group. The Bank of England is convening its Cross Market Operational Resilience Group within the fortnight.

    On 13 April 2026 the Cloud Security Alliance, SANS, OWASP, and a contributor list spanning the former directors of NSA cybersecurity and CISA, the Google Chief Information Security Officer, and the former US National Cyber Director consolidated this into an emergency framework: eleven priority actions for how the industry should respond, with their own caveat that “long-term goals should be considered a quarter away at most.”

    Why That Response is Doomed to Expensive Failure

    The official response has treated this as a security problem requiring better defences: the same tools, the same approach, the same vendors, with more urgency and even bigger cybersecurity budgets. From their perspective this is understandable. It is also wrong for two reasons.

    Firstly, the dynamics are now permanently in the attacker’s favour.

    An attacker needs one route to one credential. A defender has to stop every route, every time, forever. An attacker failing a thousand times costs nothing; one success compromises everything. A defender catching 99.9999% of attempts still lets 0.0001% through, and at machine speed, that fraction is all that is needed. One access point is enough to move laterally across every connected system.

    Defensive AI does not close that gap; it cannot. Even the best-performing models hallucinate between 0.7% and 2% on the easiest tasks. The attacker needs the defender to be wrong once, and can run millions of probes in parallel at machine speed, across every exposed data set in the institution.

    Moreover, however you judge Anthropic’s actions in this, Mythos is the first of its kind, not the last. Whatever emerges to compete with or succeed Mythos will share its properties. The defender is not up against a single model; they are up against a category of capability that will proliferate.

    In this context, more defences and bigger cybersecurity budgets merely inflate the cost of inevitable compromise, harvesting and exploitation; the only variable is when.

    The Architectural Error

    Secondly, and most importantly, treating it as a security problem understates and mis-categorises it: correctly categorised, it is an architectural problem that has been present for thirty years and has now become impossible to ignore.

    The internet was built to share information. HTTPS made that transmission secure and universal. It works for its purpose. That is the Internet of Data, and it is what the cybersecurity industry has been built to defend.

    What the internet was never built to carry is economic activity: the transmission of value, financial credentials, identity, payment instruments, sensitive economic records.

    These have a property information does not have: they must not be copied. A news article exists to be copied; that is how it reaches its reader. A payment that has been copied is not a payment – it is an error, or it is theft. The property that makes the Internet of Data useful is the property that makes it unsafe for economic activity.

    The financial system has run economic activity over information infrastructure for thirty years because no alternative existed. Thirty years of patches – tokenisation, encryption in transit, zero-trust, multi-factor authentication, hardware-backed credentials – are the industry’s accumulated attempt to close the gap, but ultimately it amounts to trying to make a car do what a ship does.

    A car and a ship are not competing designs. They have different properties suited to different purposes. A car cannot cross an ocean and a ship cannot drive down a motorway. Both are necessary, and both have tooling appropriate to purpose. What the financial system needs – and has always needed – is an internet of economics with the appropriate tooling to protect rather than share data.

    The Architectural Answer

    The correct response is to remove sensitive economic data from the connected attack surface entirely. Not to defend it better in place. That separation now exists, is operational, and is open sourced, ready for immediate deployment.

    QPQ AG, incorporated in Switzerland, has built the Internet of Economics – an open economic resource layer, together with the tooling to operate on it. All of it is open sourced, free to use, implement, and operate. One such tool is Gajumaru Remote Instruction Dispatch and Serialisation – ‘GRIDS’ – the authentication and authorisation component, and the part that the Mythos announcement has made urgent.

    The mechanism is straightforward to describe, once the purpose is understood. In the current architecture, customer authentication requires credentials and authentication material – passwords, session tokens, two-factor codes, signed cookies – to transit or sit on connected systems, where they can be harvested by an attacker who reaches those systems. Under GRIDS, the credential does not sit on any connected system. A cryptographic key, held inside the hardware secure enclave of the customer’s own phone or laptop, produces a mathematical proof that the customer has authorised this specific instruction. The institution receives the proof, verifies it against the customer’s public key – the mathematical counterpart, which is useless to an attacker – and acts on it. Nothing capable of authenticating anyone is ever present on a connected system.

    GRIDS is a dead-drop signature protocol: the execution context (the connected device) and the signature context (the device holding keys) never share a direct connection.

    How it works:

    1. The connected device (terminal, computer, browser-facing interface) generates a transaction or authentication request and encodes it as a GRIDS URL or QR code.

    2. This is passed – via URL paste or optical QR scan – to the signing device. No network connection between the two contexts.

    3. The signing device decodes the request, displays what is being asked, and awaits approval.

    4. The user approves. The signing device signs cryptographically and returns the signed response via QR code or URL.

    5. The connected device receives cryptographic proof. No credentials. No private keys. No sensitive data of any kind transited the connected layer.

    At no point do private keys exist on the connected device. Not briefly, not in transit, not encrypted in transit: not at all. The key is held in the signing context and never leaves it.

    Each authentication creates a one-off cryptographic exchange between the institution and the customer’s device, open only for the duration of that specific instruction. When the instruction completes, it is gone. There is no persistent channel left behind for an attacker to find. There is no session state to hijack, no token to replay, no credential to retrieve in a subsequent breach. The attack surface that Mythos is built to exploit – the continuous presence of authentication data on connected systems – does not exist in a GRIDS flow, because the data is never placed on a connected system in the first place.

    Anthropic has confirmed that Mythos can bypass two-factor authentication (‘2FA’). A GRIDS flow has no two-factor authentication to bypass. The entire category of harvestable credentials is absent.


    There is no login. There is no password. There is no web socket exposure.

    The same architecture applies to payment authorisation, to staff authentication into internal systems, to inter-institution messaging, to any interaction that currently depends on credentials being transmitted or stored. The institution’s connected systems hold public keys, delivery records, audit trails – none of which can authenticate anyone. They hold nothing Mythos is looking for.

    No Account. No Password. No Database to Hack. This Is How Authentication Should Work.

    End of the Mythos AI Threat: No Login. No Password. No Attack Surface – GRIDS Live Demos

    GRIDS, Mythos AI, and the end of payment credentials in the public domain

    Three Stages of Implementation

    GRIDS is not a single product. It is an architectural protocol with a staged implementation path. Each stage addresses the remaining trust assumption of the stage before it.

    Stage 1: Operational Now – Open Sourced

    GajuDesk (desktop, all platforms) and GajuMobile (iOS and Android, releasing Q2 2026) implement GRIDS using the device’s hardware security enclave as the signing context.

    Private keys are held in the secure enclave and never touch the broader operating system or any network-connected software layer.

    This is a categorically different security posture from any browser-based financial interface:

    – Zero external software dependencies. Every line of code is written in-house and open sourced and auditable. No NPM packages, no frameworks, no anonymous dependency chains of the kind exploited in the September 2025 NPM supply chain attack that compromised 18 packages with more than 2 billion combined weekly downloads.

    – No browser plugin environment. The wallet does not run inside a browser.

    – No web sockets, no logins, no passwords, no credential transmission of any kind.

    Stage 1 has two honest limitations. The first is that the device holding the key is itself network-connected. The secure enclave is strong – the key never leaves it and cannot be extracted by software running on the operating system – but the device sits on the internet. That is a smaller attack surface than the current architecture by orders of magnitude, since Mythos or similar AI models cannot harvest a key that they cannot reach, but it is not zero.

    The second is hardware provenance: a device manufactured under unknown conditions may carry hardware-level vulnerabilities that software inspection cannot detect.

    Stage 1 is a strong immediate answer and remains useful for everyday transactions. The cost of compromising a well-implemented secure enclave on a connected device exceeds the value of most individual transactions by orders of magnitude. Stages 2 and 3 add coverage for flows where that calculus does not hold: high-value transactions, institutional treasury, inter-bank messaging, sovereign payment infrastructure. For those flows, the next stage removes the network connection entirely.

    GajuDesk and GajuMobile – working applications that put GRIDS at the centre of their operation – are free to download and use. The GRIDS protocol is open sourced in its entirety under GPL3, auditable by anyone; any institution can implement it into its own infrastructure without any licensing cost. QPQ’s commercial offer is the integration expertise of the team that built it, and the Stage 2 and Stage 3 hardware programme.

    Stage 2: GRIDS Hardware Wallet – In Development

    A dedicated, air-gapped signing device whose sole function is to hold keys and execute cryptographic signing operations. It has no network connection of any kind: no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical – QR codes displayed on its screen and read by its camera.

    The connected device never has the keys. Every category of attack that depends on keys being present on a networked device – NPM supply chain attacks, browser exploitation, OS vulnerabilities, Mythos-class systematic scanning – is structurally eliminated. There is nothing to find because the keys are not there.

    This stage is in development, dependent on Series A funding which QPQ is currently raising. Institutions wishing to accelerate this stage through partnership or advance commitment are invited to engage directly.

    Stage 3: Full QPQ Hardware Stack – Sovereign Deployment

    This is the stage most directly relevant to central banks and sovereign institutions. Stage 3 eliminates the remaining trust assumption of Stage 2: hardware provenance.

    Stage 2 trusts that the GRIDS hardware wallet is manufactured without compromise.

    Stage 3 addresses this by manufacturing both the signing device and, in partnership with sovereign actors, the connected devices within auditable, controlled facilities.

    QPQ plans to establish global GRIDS device fabrication facilities in Switzerland and Japan – jurisdictions chosen for their regulatory stability, manufacturing capability, and alignment with the institutions QPQ serves. These facilities will be open to audit and inspection by any sovereign partner. The signing devices produced will have fully verified component-to-assembly manufacturing chains. No black-box components. No unverifiable supply chains.

    For sovereign partners who want the capability in their own hands rather than purchased from ours, QPQ is open to establishing fabrication facilities within partner jurisdictions, including full technology transfer.

    For a central bank seeking to protect national payment infrastructure, the full stack means:

    • Signing devices manufactured in a facility you can audit, in a jurisdiction you trust

    • A GRIDS protocol you can inspect, verify, and deploy on your terms

    • Connected devices (terminals, mobile) whose manufacturing chain is verified to the same standard

    Two Paths

    QPQ has a commercial interest, and has stated it: Stage 1 open source and free; Stage 2 and Stage 3 hardware as the paid programme. That is the shape of our commercial offer.

    The cybersecurity industry framework has its own commercial shape and does not state it. Its lead author has their own AI security tool recommended by name in the document, without disclosure. Training organisations, venture funds invested in security companies, and vendors of the specific products the document recommends are represented across the contributor list.

    The more important difference is what each path resolves. The framework’s path buys time. Each additional investment in defence postpones the point at which a Mythos-class capability reaches a credential it can harvest, but none of the investment removes the credential from the place it can be harvested. The question the framework does not answer is where the spending ends, and what the institution is left with when it does.

    Every cybersecurity budget that has risen for thirty years has been paying to defer an outcome the architecture makes inevitable. At machine speed against an attack surface that grows rather than shrinks, deferral has a shelf life.

    The architectural path has an end state. Once sensitive economic data is no longer on the connected attack surface, the attacker has nothing to harvest and the defensive cost it incurred can be recovered. The institution is not buying more time, it is removing the risk.

    The difference between QPQ’s position and the cybersecurity industry framework is not that one is commercial and the other is not. It is that one clearly defines its commercial interest, provides a free option with no compulsion to pay for anything, and actually solves the problem.

    The Supervisory Question

    “Adequate” security under every major prudential framework has meant adequate defence of credentials on connected systems, because there was nowhere else to put them. There is now. The question that follows is whether the standard should continue to mean what it has meant, or whether architectural removal of credentials from the connected attack surface should become part of what adequate protection requires.

    The regulated population has been moving in this direction for a decade – tokenisation, data minimisation, zero-trust, secure-enclave credentials – and GRIDS is the completion of that direction rather than a deviation from it. The consequence for supervised firms would be significant. Cybersecurity budgets that have risen indefinitely to defend data on connected systems would reduce, because the attack surface those budgets defend would no longer exist in GRIDS flows. The security posture of the regulated estate would transform, because compromise would no longer depend on the next patch cycle outpacing the next exploit.

    It is a question for the supervisory community, not for us. We have set out the diagnosis and the architecture as honestly as we can. The standard-setting is yours.

    What We Are Proposing

    Immediate:

    A 15-20 minute live demonstration, on your own machine or ours. Download GajuDesk from gajumining.com/downloads; we will send installation instructions and a mining licence so you can log in yourself during the session. If local installation is precluded by policy, we screen share our own live operations.

    Near term: 

    QPQ will work with any central bank, government agency, and related regulated firms to implement Stage 1 GRIDS across institutional interfaces – authentication, payment authorisation, inter-institutional communication. The protocol is open source. The cost is implementation time and any specific customisation, not licensing.

    Medium term: 

    QPQ will accelerate Stage 2 hardware wallet development in partnership with institutions that commit to the programme. A sovereign institution’s commitment to deploy GRIDS hardware wallets across a defined user base changes the manufacturing economics and accelerates the timeline.

    Long term: 

    QPQ is seeking sovereign partners for Stage 3 fabrication facilities. This is the Internet of Economics at institutional scale: national economic infrastructure in which sensitive financial data never touches the internet-connected layer, manufactured in a jurisdiction whose integrity can be assured.

    Technical Summary

    ▶ Full Technical Reference: Un-White Paper – Section VIII: Security Architecture

    qpq.swiss · gajumaru.io · gajumining.com

    Mythos, Glasswing, and Why We Built What We Built

    QPQ AG | 14 April 2026

    Greg Chew


    On 7 April 2026, Anthropic announced Claude Mythos Preview and Project Glasswing. On 13 April 2026, the Cloud Security Alliance, SANS, OWASP, and contributors from across the senior tier of the global security establishment published a response framework for the broader industry. Both announcements are relevant to what QPQ has built and why we built it.

    What Mythos Is

    Mythos is a general-purpose AI model not specifically trained for cybersecurity. Its vulnerability discovery capabilities emerged from general improvements in code, reasoning, and autonomy.1 In testing, Mythos fully autonomously identified and exploited a 27-year-old vulnerability in OpenBSD, allowing an attacker to remotely crash any machine running the operating system simply by connecting to it. No human was involved after the initial instruction. Across every major operating system and browser in production use, the model found thousands of previously unknown vulnerabilities. Internal testing cited in the security community’s response showed it generating 181 working exploits against Firefox where the previous generation of capable models succeeded twice.2

    What Project Glasswing Is

    Confronted with what Mythos could do, Anthropic did not release it. They gave approximately 50 organisations – AWS, Apple, Cisco, Microsoft, Google, JPMorganChase, the Linux Foundation, and others managing critical software infrastructure – early access so they could scan their own systems before comparable capability becomes broadly available.1 Comparable capability at frontier labs is expected within months; open-weight models accessible to anyone, within a year.


    The Architectural Problem Mythos Has Proved

    The Internet of Data works because information can be copied. Redundancy is the feature: data cached, retransmitted, reconstructed across nodes. Every packet lost can be resent. The architecture is brilliant at what it does. A payment that can be replicated is not a payment – it is a vulnerability. A title of ownership that exists in two places simultaneously is not ownership. Every attempt to transmit value across the Internet of Data requires a trusted intermediary whose sole function is to maintain a single authoritative record of who has what, because the network was designed for copying, and copying is precisely what must not happen. The intermediary is not an inefficiency – it is the architectural patch for a fundamental mismatch between what the internet was built to carry and what economic exchange requires.

    The financial system has been conducting economic activity – authentication, payment authorisation, credential management, sensitive data transmission – over an infrastructure designed to carry information. This was not a choice. No alternative existed. It is a structural consequence of building value exchange on top of a network designed for copying: every bank, every payment processor, every financial application runs on browsers, on operating systems, on software dependency chains that carry credentials over connected networks.

    Anthropic’s Mythos model has demonstrated what this means in operational fact: those connected systems can now be scanned and exploited at machine speed, systematically and at scale. Every authentication system your institution operates, every payment credential your platform holds, every API key in your software stack sits within a comprehensively exploitable vulnerability class.

    The Web Was Never Designed to Carry Economic Value. Post-Quantum, Post-AI, It Cannot.


    What the Security Establishment’s Response Prescribes

    The joint briefing published on 13 April 2026 sets out eleven priority actions. Their core logic: deploy AI defensively to find your vulnerabilities before attackers do, harden your environment, and build a permanent VulnOps capability for continuous autonomous vulnerability discovery and remediation.

    The prescription has a structural problem the document acknowledges directly. It lists “Unmanaged AI Agent Attack Surface” as CRITICAL: “Agents are necessary to counter AI-speed threats, but they are privileged, insecure by default, and not covered by existing security controls.”2 No mention here of the tendency of AI agents to hallucinate – evidence shows they do so to a significant degree – fine if you are an attacker for whom there is no loss in a failed attack; not so good for a defender who cannot fail once.

    The document is also honest about the human cost: “Burnout and attrition in security functions represent a direct operational risk.”2

    Long-term planning horizon recommended: 90 days.

    Here are the assumptions built into every one of the eleven actions.

    • There is an external dependency tree to scan.
    • There is a browser execution environment to harden.
    • There are cryptographic keys on connected devices to protect.
    • There are credentials that can be made phishing-resistant.

    The prescription offered is rather more aligned to what those involved have to offer, in much the same way that if you ask a surgeon whether to cut or to medicate, they will more often than not prescribe to cut – there is a solution bias driven by their knowledge and skillset. For organisations where the attack surface is genuinely given, the recommendations are correct.

    This official response – patch faster, follow best practice – assumes defenders have time to respond. Ciaran Martin, former head of the UK’s National Cyber Security Centre, stated the condition precisely: the timeline for finding and fixing vulnerabilities collapses to seconds, minutes and hours, rather than days, months or years.6 The assumption is no longer valid. None of them are.


    The Two Domains That Must Be Separated

    The Internet of Data – browsing, research, communication, information – operates on the existing internet. It works for its purpose and needs no redesign.

    The Internet of Economics – financial authorisation, payment, identity, sensitive credential transmission – requires a structurally separated architecture. One in which the data that Mythos would target is never placed on connected systems in the first place.

    The solution is not more defence in depth, more dependency auditing, more AI agents to defend against yet more AI agents. It is to remove those attack surfaces altogether. Separate the signing and execution context – you cannot reach the sensitive data because it is not on the connected system. Build from scratch. Dependency chains that no human can fully audit cannot be made safe by AI agents that hallucinate.

    Building the Internet of Economics

    QPQ is building the Gajumaru blockchain – the resource layer that makes the Internet of Economics possible: a layer on which value can be transmitted with the same freedom that information moves today, without the intermediary patch. The moment you build for that, the security architecture has to change categorically. The thing being carried cannot be reconstructed if lost, cannot be allowed to exist in two places, and cannot be entrusted to a system that tolerates copying. That different engineering requirement is why the architecture described below looks nothing like what the CSA document assumes.

    Removing the dependency supply chain

    GajuMobile and GajuDesk were written from scratch, in-house, with zero external dependencies. Every line of code was written by QPQ engineers. The September 2025 NPM supply chain attack, which compromised 18 packages with over two billion combined weekly downloads and planted malware to redirect cryptocurrency transactions,5 had no relevance to QPQ’s wallet stack because QPQ’s wallet stack has no connection to that supply chain. When Craig Everett, QPQ’s CPO, and Peter Harpending investigated how MetaMask handled NPM security, they found LavaMoat: a JavaScript sandbox written in JavaScript, running inside the JavaScript environment it was attempting to make safe. We described it at the time as:

    “Their security concept is: instead of taking this really complicated situation and simplifying it so it’s understandable and tractable, they made it more complicated by writing inside a dangerous context a runtime that they claim is going to be safe in the dangerous context. With no guarantee.”

    For the full video, click here:
    NPM Supply Chain Hack, Unserious Crypto, Serious Gajumaru Full

    Departing the browser execution environment

    QPQ also refused to conflate the signing and operation environments. Entirely. GajuMobile and GajuDesk are genuinely native applications – built without web-rendering frameworks such as Electron, which is how many nominally desktop applications are actually constructed and which reintroduces the full browser execution environment and its attack surface behind a desktop icon. The attack vectors that originate in browser plugin architecture do not apply. The applications are also securely authenticated at the user level before any wallet function is accessible, as described in the GRIDS section below.

    GRIDS: Gajumaru Remote Instruction Dispatch and Serialisation

    GRIDS is a dead-drop signature protocol. The device that holds private keys is physically separated from the device that connects to the internet. They communicate only optically, via QR code. The internet-connected device – the one Mythos would scan – never has the keys. Not in transit. Not briefly. Not at all.

    How it works

    1. The connected device generates a transaction or authentication request, encoded as a GRIDS URL or QR code.
    2. This is passed – via URL paste or optical scan – to the signing device. No network connection between the two contexts.
    3. The signing device decodes the request, displays what is being signed, and awaits approval.
    4. The user approves. The signing device signs cryptographically and returns the response.
    5. The connected device receives cryptographic proof. No credentials. No keys. No sensitive data transited the connected layer.

    There is no login. There is no password. There is no web socket exposure. Mythos scans the connected infrastructure and finds no financial credentials, because the credentials are not there.
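    The five-step flow above (and the same flow in the Security Brief’s “How it works”) as an added example, not QPQ’s or GRIDS’s own code: a Go simulation of one dead-drop round trip in which the connected side holds only an Ed25519 public key and a list of open nonces, and the signing side holds the private key and emits nothing but signatures. The grids:// URL layout, query names and JSON fields are assumptions for illustration rather than the real GRIDS encoding; the verifier consumes the nonce on success, so a captured proof presented a second time is rejected as a replay.

```go
// Added example, not QPQ's code: a simulated GRIDS-style dead-drop signing round
// trip. URL layout, query names and JSON fields are assumptions, not GRIDS's format.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

var b64 = base64.RawURLEncoding // URL- and QR-safe, no padding

// Request is the one-off instruction handed across the air gap (assumed schema).
type Request struct {
	Nonce       string `json:"nonce"`
	Instruction string `json:"instruction"`
	Expires     int64  `json:"expires"` // unix seconds
}

// ConnectedDevice is the internet-facing side: a public key plus the nonces still open. Nothing here can authenticate anyone.
type ConnectedDevice struct {
	PubKey ed25519.PublicKey
	Open   map[string]bool
}

// NewRequest (step 1) issues a nonce-bearing, short-lived instruction encoded as a URL (a QR code would carry the same string).
func (c *ConnectedDevice) NewRequest(instruction string, ttl time.Duration) (string, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return "", err
	}
	req := Request{Nonce: b64.EncodeToString(n[:]), Instruction: instruction,
		Expires: time.Now().Add(ttl).Unix()}
	raw, _ := json.Marshal(req) // cannot fail for this struct
	c.Open[req.Nonce] = true
	return "grids://sign?req=" + b64.EncodeToString(raw), nil
}

// SigningDevice holds the private key and emits only signatures, never the key.
type SigningDevice struct{ priv ed25519.PrivateKey }

// Sign (steps 3-4) decodes the request, shows it to the user through approve, then signs exactly the displayed bytes.
func (s *SigningDevice) Sign(reqURL string, approve func(Request) bool) (string, error) {
	u, err := url.Parse(reqURL)
	if err != nil || u.Scheme != "grids" || u.Host != "sign" {
		return "", errors.New("not a grids signing request")
	}
	raw, err := b64.DecodeString(u.Query().Get("req"))
	var req Request
	if err != nil || json.Unmarshal(raw, &req) != nil {
		return "", errors.New("malformed request")
	}
	if !approve(req) {
		return "", errors.New("user declined")
	}
	return "grids://response?req=" + b64.EncodeToString(raw) + "&sig=" + b64.EncodeToString(ed25519.Sign(s.priv, raw)), nil
}

// Verify (step 5) checks the signature against the public key, rejects expired
// instructions, and consumes the nonce so the same proof cannot be replayed.
func (c *ConnectedDevice) Verify(respURL string) (Request, error) {
	var req Request
	u, err := url.Parse(respURL)
	if err != nil || u.Scheme != "grids" || u.Host != "response" {
		return req, errors.New("not a grids response")
	}
	raw, err1 := b64.DecodeString(u.Query().Get("req"))
	sig, err2 := b64.DecodeString(u.Query().Get("sig"))
	if err1 != nil || err2 != nil || !ed25519.Verify(c.PubKey, raw, sig) {
		return req, errors.New("malformed or badly signed response")
	}
	if err := json.Unmarshal(raw, &req); err != nil {
		return req, err
	}
	if time.Now().Unix() > req.Expires {
		return req, errors.New("instruction expired")
	}
	if !c.Open[req.Nonce] {
		return req, errors.New("unknown or already used nonce (replay)")
	}
	delete(c.Open, req.Nonce) // the one-off exchange is now closed
	return req, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // generated on the signing side only
	cd, sd := &ConnectedDevice{PubKey: pub, Open: map[string]bool{}}, &SigningDevice{priv: priv}
	reqURL, _ := cd.NewRequest("pay 100 CHF to ACME Ltd", time.Minute)
	respURL, _ := sd.Sign(reqURL, func(Request) bool { return true }) // user taps approve
	_, first := cd.Verify(respURL)
	_, replay := cd.Verify(respURL) // the same proof presented again
	fmt.Println("first use:", first, "| replay:", replay)
}
```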

    ▶ Full briefing with live demo, under 7 minutes:
    No Login. No Password. No Attack Surface. — GRIDS Live Demo

    ▶ Operational walkthrough:
    No Account. No Password. No Database to Hack. This Is How Authentication Should Work.

    ▶ Full Technical Reference:
    Un-White Paper

    What Is Available and When

    What GRIDS eliminates, and when, depends on which stage of the hardware programme is in place.

    Stage 1: Operational Now – Open Sourced. 

    GajuDesk (desktop, deployed, operational, all platforms) and GajuMobile (iOS and Android, releasing Q2 2026) implement GRIDS using the device’s hardware security enclave. Every line of code is written in-house with zero external software dependencies. Open source under GPL3, auditable by any government or agency, and available at no cost to any institution that chooses to implement it. At Stage 1, keys are stored in hardware isolation within the device’s secure enclave and cannot be extracted; signatures are performed inside the hardware. The device itself may be network-connected, which is why Stage 1 is correctly described as probably secure rather than definitely secure. QPQ did not manufacture those devices, and hardware supply chain provenance is an attack vector at sufficient adversary capability. That “probably” is honest and it motivates Stage 2.

    Stage 2: GRIDS Hardware Wallet – In Development. 

    A dedicated, air-gapped signing device with no network connection of any kind: no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical: QR codes displayed on its screen and read by its camera. At Stage 2, every category of attack that depends on keys being present on a networked device – including Mythos-class systematic vulnerability scanning of connected systems – is structurally eliminated. The keys are on a device that has no network interface through which they could be reached or transmitted. Mythos scans networked devices for exploitable vulnerabilities. A device with no network connection is not in the scan. This stage is in development, dependent on Series A funding QPQ is currently raising. Sovereign institutional commitment to Stage 2 deployment accelerates the timeline.

    Stage 3: Sovereign Hardware Manufacturing – National Security Partnership (Planned). 

    Stage 3 addresses the final trust question in Stage 2: hardware provenance. Who made the signing device, under what conditions, with what components? QPQ plans to establish GRIDS device fabrication facilities in Switzerland and Japan – jurisdictions chosen for regulatory stability, manufacturing capability, and strategic alignment – open to audit and inspection by sovereign partners, with fully verified component-to-assembly manufacturing chains. QPQ is open to establishing facilities in additional jurisdictions where the commercial case is made and the strategic relationship is right, including full technology transfer arrangements. The protocol is open. The manufacturing is the partnership. QPQ is actively seeking sovereign partners for Stage 3 co-development. This is a national security conversation as much as a commercial one.


    The Verdict

    QPQ’s node infrastructure faces the same threat environment the CSA document describes. AI-discovered vulnerabilities at the OS and protocol level are a genuine threat that wallet architecture does not address, and the CSA document’s recommendations for continuous scanning, rapid patching, network segmentation, and hardened infrastructure apply to QPQ’s operations as they apply to anyone running networked systems.

    The architectural question – whether specific attack surface categories can be eliminated rather than managed – is a different question, with a working answer that the briefing’s authors could not have known existed. They have no excuse now.


    QPQ AG builds the Gajumaru blockchain ecosystem. Groot has been operational since 22 October 2024. First sovereign customer: Liechtenstein Trust Integrity Network (LTIN), deploying national economic infrastructure on this architecture in Q3/Q4 2026. This post is based on publicly available information from the cited sources and is not a legal opinion. Corrections are welcome.


  • Killing the Whale Subsidy: Why A2P State Channels are the Only Path to Provider Profitability

    Killing the Whale Subsidy: Why A2P State Channels are the Only Path to Provider Profitability

    The current unit economics of online services are broken. Whether you are providing raw compute, AI inference, or streaming media, you are likely trapped in a losing investment cycle: burning venture capital to subsidize a sea of free-tier users, while praying a few enterprise whales overpay enough to keep the lights on.

    The culprit isn’t the service, it’s the tyranny of payment overhead. We have, as an industry, normalized this to such a degree that the problem has become invisible. When credit card fees and administrative friction make it impossible to charge less than $10, you can’t capture the massive, granular demand of the emerging agentic economy.

    Enter A2P (Agent-to-Provider) micropayments via Gajumaru State Channels.

    By orchestrating Gajumaru’s state channel implementation, we are enabling a radical shift from SaaS subscriptions to pure utility billing. This isn’t just a technical upgrade; it’s a business model revolution for providers:

    • Sub-Cent Settlement: Stop losing 30 cents + 3% to processors. State channels allow agents to pay providers for every single token, frame, or CPU cycle in real-time, with near-zero transaction costs.
    • The End of Onboarding Friction: Real users, and the agents they deploy, aren’t afraid of spending pennies. They are afraid of $20/month commitments for services they use sporadically.
    • Instant Liquidity: Instead of waiting 30 days for a payout cycle, providers see value flow into their channels as the service is rendered.
    • From Streaming to Scaling: This model is the holy grail for high-bandwidth services like streaming, where the cost-per-user can finally be mapped 1:1 to revenue-per-second.

    For providers, the message is clear: Stop waiting for the next VC round to cover your growth metrics. By adopting A2P orchestration, you can finally move to a Pay-as-you-Flow model that turns every interaction into immediate, granular revenue.
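    What a unidirectional payment channel does at the protocol level, as an added Go example that is not Gajumaru’s implementation: the deposit, channel id and voucher layout are assumptions, and ed25519 stands in for whatever signature scheme the chain uses. The payer signs a running total rather than each payment, so the provider only ever has to keep the latest voucher, and only the open and close steps touch the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Voucher is one off-chain state update: "the provider may claim Cumulative
// units from channel ChannelID". Only the running total is signed, so a lost
// voucher costs nothing; the next one supersedes it. Names are assumptions.
type Voucher struct {
	ChannelID  uint64
	Cumulative uint64
	Sig        []byte
}

func (v Voucher) bytes() []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[:8], v.ChannelID)
	binary.BigEndian.PutUint64(b[8:], v.Cumulative)
	return b
}

// Payer (the agent) holds the signing key and tracks how much it has promised.
type Payer struct {
	priv      ed25519.PrivateKey
	channelID uint64
	promised  uint64
}

// Pay adds units to the running total and returns the newly signed voucher.
func (p *Payer) Pay(units uint64) Voucher {
	p.promised += units
	v := Voucher{ChannelID: p.channelID, Cumulative: p.promised}
	v.Sig = ed25519.Sign(p.priv, v.bytes())
	return v
}

// Provider knows the channel's on-chain deposit and the payer's public key,
// and keeps only the highest valid voucher it has seen.
type Provider struct {
	pub       ed25519.PublicKey
	channelID uint64
	deposit   uint64
	best      Voucher
}

// Accept validates a voucher before the next unit of service is rendered.
func (s *Provider) Accept(v Voucher) error {
	switch {
	case v.ChannelID != s.channelID:
		return errors.New("voucher is for another channel")
	case v.Cumulative <= s.best.Cumulative:
		return errors.New("stale or replayed voucher")
	case v.Cumulative > s.deposit:
		return errors.New("voucher exceeds the locked deposit")
	case !ed25519.Verify(s.pub, v.bytes(), v.Sig):
		return errors.New("bad signature")
	}
	s.best = v
	return nil
}

// Close is the single on-chain step at the end: the provider submits its best
// voucher, is paid that amount, and the remainder is refunded to the payer.
func (s *Provider) Close() (toProvider, refund uint64) {
	return s.best.Cumulative, s.deposit - s.best.Cumulative
}

// OpenChannel simulates the opening transaction: generate the payer key, lock
// the deposit, and give the provider the public key.
func OpenChannel(id, deposit uint64) (*Payer, *Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Payer{priv: priv, channelID: id}, &Provider{pub: pub, channelID: id, deposit: deposit}, nil
}

func main() {
	payer, prov, err := OpenChannel(42, 1000) // constructed: channel 42 with 1000 units locked
	if err != nil {
		panic(err)
	}
	for i := 0; i < 5; i++ { // five 3-unit requests, e.g. one voucher per generated token
		if err := prov.Accept(payer.Pay(3)); err != nil {
			panic(err)
		}
	}
	earned, refund := prov.Close()
	fmt.Println(earned, refund)
}
```

    Each Pay call is one signed message exchanged only with the provider, which is where the near-zero marginal cost comes from. The checks in Accept are the ones a provider’s safety rests on: a voucher is rejected if it is stale, exceeds the locked deposit, names another channel, or was not signed by the channel’s key. Anything a real deployment adds on top (timeouts so a payer can reclaim an abandoned deposit, a dispute window at close) is outside this sketch.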

  • JPMorgan and MIT Built a Payment Token Blueprint. They Forgot the Foundation.

    JPMorgan and MIT Built a Payment Token Blueprint. They Forgot the Foundation.

    Originally posted by Greg Chew via LinkedIn

    The MIT DCI / Kinexys research paper on payment tokens is the most serious institutional thinking on blockchain-based payments to date. It identifies every problem correctly.

    Then it builds on infrastructure that guarantees those problems can never be solved.

    The collaboration between MIT’s Digital Currency Initiative and JPMorgan’s Kinexys division produced something rare: a genuinely thoughtful analysis of what regulated financial institutions need from blockchain-based payment systems.

    The 39-page report, Designing Payment Tokens for Safety, Integrity, Interoperability and Usability, catalogues requirements, maps existing standards, identifies gaps, and proposes solutions.

    It deserves serious engagement and discussion, especially as we emerge into what I believe will be a big year for blockchain rather than the crypto casino. So here is my take in that spirit.

    The Problem They Name But Cannot Solve

    Deep in the report, the authors make a striking admission about the state of blockchain standards:

    There is general apprehension about the proliferation of standards, where specifications developed by individual parties are framed as standards even when adoption is limited. The benefits of standards are realized through convergence and alignment, and there is a need to move beyond ‘your’ standards versus ‘my’ standards, towards the convergence of ‘our’ standards.

    This is exactly right. The blockchain ecosystem is drowning in competing standards that serve their creators’ interests. ERC-20, ERC-721, ERC-1400, ERC-3643, ERC-4337. The report maps fifteen different token standards against its functionality requirements. Each was proposed by parties with stakes in their adoption. None provides neutral ground.

    The authors recognise that “reaching consensus on a single set of standards may be challenging for ecosystem participants.” Their proposed solution is “composable standards”: modular, narrow specifications that institutions can mix and match.

    But composable standards still require a foundation to compose upon. And here’s where the analysis breaks down.

    Building on Sand

    The entire prototype is built on “EVM-based blockchains”, meaning Ethereum or its derivatives. The report acknowledges governance concerns but defers them:

    Concerns stem mainly from the governance of open blockchains, particularly public blockchains where there is no central operator. In such scenarios, operating part of the infrastructure, such as hosting nodes and mining blocks, might be required to mitigate the risks.

    Required by whom? Mitigated how? The report offers no answers because there are no good answers on Ethereum.

    The Consensus Problem

    Anonymous proof-of-stake enables collusion without accountability. Four entities – Lido, Coinbase, Kraken, and Binance – control approximately 60% of Ethereum’s staked value. The Ethereum Foundation makes governance decisions that affect all participants. When JPMorgan builds payment infrastructure on this foundation, they inherit all of it. Their carefully designed administrative controls, their composable standards, their regulatory compliance. All of it sits atop infrastructure controlled by parties with no accountability to JPMorgan’s clients or regulators.

    The report identifies privileged administrative functions as a concern: “the existence of such functions may raise concerns about potential misuse.” They propose transparency and observability as solutions. But transparency at the application layer cannot compensate for opacity at the consensus layer. You cannot observe what anonymous validators are coordinating.

    The Scaling Problem

    The paper proposes building on “EVM-based blockchains.” Ethereum mainnet sustains approximately 15-30 TPS in practice. Kinexys Digital Payments already processes over $2 billion daily on private infrastructure. If the authors intend to bring payment token standards to public Ethereum at anything approaching institutional volumes, they will inevitably turn to the so-called ‘Layer 2 solutions’. There they will face a mathematical impossibility that the Ethereum fanboys are desperately hoping nobody is thinking about – sorry chaps, we did and we have. What follows isn’t our opinion, it’s mathematical impossibility.

    Every transaction requires minimum irreducible data: sender address (20 bytes), receiver address (20 bytes), and cryptographic signature (65 bytes). 105 bytes that cannot be compressed away. At 10,000 TPS, a modest throughput for institutional settlement, this requires 12.6 MB per Ethereum block. Ethereum’s practical block capacity is approximately 100,000 bytes. The blob space added by EIP-4844 provides 1.125 MB for ALL Layer 2s combined. The arithmetic doesn’t work.

    Layer 2s don’t solve Ethereum’s scaling problem, they prove it cannot be scaled.

    The Security Problem

    The EVM ecosystem’s security model is fundamentally compromised at the supply chain level. We have covered this before in a long form and short form video – links in the references below. MetaMask, the dominant wallet in the EVM ecosystem, relies on 212,620 NPM packages from anonymous contributors. In September 2025, 18 NPM packages were hijacked, affecting 2 billion weekly downloads, installing crypto-stealing malware. This is not historical. This is the current state of Ethereum wallet security.

    The report proposes transparency and observability for administrative functions. But you cannot observe a supply chain attack until after it has succeeded. You cannot audit 212,620 packages maintained by strangers who can push updates at any time.
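    The one thing a consumer of such a package tree can mechanically check, as an added Go example (not MetaMask’s or QPQ’s tooling; the lockfile fragment is constructed and the package names and hashes are placeholders): whether every entry in a package-lock.json is pinned to a registry tarball over HTTPS with a sha512 integrity hash. npm’s own `npm ci` enforces those same hashes at install time; this script only reports which entries could never be verified in the first place.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// lockEntry holds the fields of a package-lock.json (lockfileVersion 2 or 3)
// entry that a consumer can actually pin: the exact version, where the
// tarball came from, and the subresource-integrity hash of that tarball.
type lockEntry struct {
	Version   string `json:"version"`
	Resolved  string `json:"resolved"`
	Integrity string `json:"integrity"`
}

type lockFile struct {
	LockfileVersion int                  `json:"lockfileVersion"`
	Packages        map[string]lockEntry `json:"packages"`
}

// AuditLock returns one finding per entry that cannot be verified offline:
// no integrity hash, a non-sha512 hash, or a tarball that was not resolved
// from the expected registry. Findings are sorted for stable output.
func AuditLock(data []byte, registry string) ([]string, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	if lf.LockfileVersion < 2 {
		return nil, fmt.Errorf("lockfileVersion %d has no packages map", lf.LockfileVersion)
	}
	var findings []string
	for path, e := range lf.Packages {
		if path == "" { // the root project itself, never fetched
			continue
		}
		switch {
		case e.Integrity == "":
			findings = append(findings, path+": no integrity hash")
		case !strings.HasPrefix(e.Integrity, "sha512-"):
			findings = append(findings, path+": weak integrity algorithm "+strings.SplitN(e.Integrity, "-", 2)[0])
		}
		if !strings.HasPrefix(e.Resolved, registry) {
			findings = append(findings, path+": resolved outside registry: "+e.Resolved)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// sampleLock is a constructed lockfile fragment; the package names, versions
// and hashes are placeholders and do not refer to real packages.
const sampleLock = `{
  "name": "example-wallet", "lockfileVersion": 3, "packages": {
    "": {"name": "example-wallet", "version": "0.0.1"},
    "node_modules/pkg-good": {"version": "1.2.3",
      "resolved": "https://registry.npmjs.org/pkg-good/-/pkg-good-1.2.3.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"},
    "node_modules/pkg-nohash": {"version": "0.9.0",
      "resolved": "https://registry.npmjs.org/pkg-nohash/-/pkg-nohash-0.9.0.tgz"},
    "node_modules/pkg-sha1": {"version": "2.0.0",
      "resolved": "https://registry.npmjs.org/pkg-sha1/-/pkg-sha1-2.0.0.tgz",
      "integrity": "sha1-PLACEHOLDER"},
    "node_modules/pkg-git": {"version": "3.1.0",
      "resolved": "git+ssh://git@example.invalid/someone/pkg-git.git#abc123",
      "integrity": "sha512-PLACEHOLDERHASH2"}
  }
}`

func main() {
	findings, err := AuditLock([]byte(sampleLock), "https://registry.npmjs.org/")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

    The check is worth running in CI, and it is also exactly the limit the post is pointing at: it catches a tree that has drifted from the lockfile you reviewed, not a hijacked release whose hash is perfectly valid, which is what a compromised maintainer account produces. Pinning tells you the bytes match what was pinned; it says nothing about who published them.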

    The Real Question They Cannot Ask

    The fundamental question the report cannot ask is: Who controls the infrastructure on which payment tokens operate?

    For private permissioned blockchains like Kinexys Digital Payments (which processes over $2 billion daily), JPMorgan controls it. That’s appropriate: they’re accountable to regulators and clients, so they should control it.

    For public blockchains, the answer is: anonymous validators, protocol foundations, and whoever accumulates enough stake to influence consensus. That’s not a foundation for institutional finance. That’s a foundation for regulatory arbitrage.

    The Finality Question

    The authors raise finality as a concern: “The decentralized nature of public blockchains and the consensus mechanisms used to achieve decentralization allow for blocks to be proposed by different parties, sometimes leading to situations where some blocks are discarded… Consequently, finality in this context is probabilistic rather than deterministic.”

    Let me be precise here, because this matters for institutional settlement.

    All finality is probabilistic. T+2 equity settlement can be reversed. Wire transfers can be clawed back. Even physical cash can be counterfeit. The question isn’t whether finality is probabilistic—it’s what the probability depends on, and how quickly it converges to near-certainty.

    Ethereum’s finality depends on trusting validators not to collude. With 60% of stake controlled by four entities, that’s a governance question: will these parties coordinate a reorg? Will they comply with a social consensus to roll back transactions?

    This is not theoretical either. In 2016, the Ethereum community did exactly this: the DAO hack resulted in a hard fork (EIP-779) that reversed approximately $60 million in transactions that had achieved “finality” under the protocol’s consensus rules. The transactions were final. Until the community decided they weren’t.

    The probability of Ethereum finality holding is high. But it’s a probability about human behaviour and governance decisions, not mathematics. And we have direct evidence that Ethereum’s community will reverse “final” transactions when sufficiently motivated.

    Proof-of-work finality depends on computational reality. Each block requires actual work that cannot be faked. The probability of reversal decreases exponentially with each confirmation, not because validators choose to behave, but because reversing would require outcomputing the network’s cumulative work from that point forward. After sufficient confirmations, reversal becomes computationally infeasible regardless of any party’s intentions or governance decisions.
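    The “decreases exponentially with each confirmation” claim made concrete, as an added example that is not from the post: this is the attacker catch-up calculation from section 11 of the Bitcoin whitepaper (Nakamoto, 2008), written here in Go. q is the attacker’s share of hash rate and z the number of confirmations; the values reproduce the whitepaper’s table (for q = 0.1 and z = 6, P ≈ 0.0002428; for P below 0.1%, z = 5 at q = 0.1 and z = 24 at q = 0.3).

```go
package main

import (
	"fmt"
	"math"
)

// AttackerSuccess returns the probability that an attacker controlling a
// fraction q of the hash rate eventually builds a longer chain than the honest
// one after a payment has received z confirmations (Bitcoin whitepaper, s.11):
//
//	P = 1 - sum_{k=0}^{z} Poisson(k; lambda) * (1 - (q/p)^(z-k)),  p = 1-q, lambda = z*q/p
func AttackerSuccess(q float64, z int) float64 {
	if q <= 0 {
		return 0
	}
	if q >= 0.5 {
		return 1 // a majority can always outpace the honest chain, however many confirmations
	}
	if z == 0 {
		return 1 // nothing confirmed yet, so there is nothing to catch up with
	}
	p := 1 - q
	lambda := float64(z) * q / p // attacker's expected progress while honest miners find z blocks
	sum := 0.0
	for k := 0; k <= z; k++ {
		lg, _ := math.Lgamma(float64(k + 1)) // log(k!), so large z does not overflow a float64
		poisson := math.Exp(float64(k)*math.Log(lambda) - lambda - lg)
		sum += poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return 1 - sum
}

// ConfirmationsFor returns the fewest confirmations at which the attacker's
// success probability falls below target, or -1 when q makes that impossible.
func ConfirmationsFor(q, target float64) int {
	if q >= 0.5 {
		return -1
	}
	for z := 0; z < 100000; z++ {
		if AttackerSuccess(q, z) < target {
			return z
		}
	}
	return -1
}

func main() {
	for _, q := range []float64{0.1, 0.3, 0.45} {
		fmt.Printf("q=%.2f: P(z=6)=%.7f  confirmations for P<0.1%%: %d\n",
			q, AttackerSuccess(q, 6), ConfirmationsFor(q, 0.001))
	}
}
```

    The curve is the substance of the post’s comparison: for any minority share the probability falls geometrically in z, and no governance decision changes it. The code also shows the boundary of that guarantee: at q ≥ 0.5 it returns 1, so “mathematics, not trust” holds only while no coalition controls a majority of hash rate, the proof-of-work analogue of the stake concentration the post criticises.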

    For institutional settlement, what matters is:

    Question                                  | Ethereum PoS                    | Proof-of-Work
    ------------------------------------------|---------------------------------|---------------------------------------------
    Can coordinated parties reverse finality? | Yes — demonstrated in 2016      | No — would require outcomputing the network
    What does probability depend on?          | Trust in validator behaviour    | Mathematics (cumulative work)
    Has finality ever been reversed?          | Yes (DAO fork)                  | No (Bitcoin, 15+ years)
    Time to high confidence                   | Minutes (2 epochs)              | Minutes (confidence)

    The question isn’t probabilistic versus deterministic.
    The question is: does your settlement depend on trusting parties to behave, or on mathematics that parties cannot circumvent?

    What Would Actually Work

    The report correctly identifies what payment tokens need: safety, integrity, interoperability, and usability. It correctly identifies the limitations of current standards. It correctly calls for “our standards” rather than competing proprietary specifications.

    But “our standards” require neutral ground: infrastructure that no party controls, where convergence can occur without requiring trust in competitors.

    This requires a governance-free resource layer. Not a private chain (which is an island). Not a ‘public chain’ with anonymous governance (which is someone else’s kingdom). A resource layer with:

    • Proof-of-work consensus, so participants don’t need to be known or trusted
    • No administrative keys, so no party can censor or reorder transactions
    • Finality that depends on mathematics, not governance, meaning probability converging to near-certainty through computational work, not trust in validator behaviour
    • Connection points for sovereign infrastructure, so institutions control their own governance while settling through neutral ground

    Such infrastructure exists. It has been operational since October 2024.

    Liechtenstein is building national blockchain infrastructure with it. The Liechtenstein Trust Integrity Network (LTIN) is majority-owned by state Telecom Liechtenstein, regulated under the Liechtenstein Blockchain Act with EU MiCAR compliance. Bank Frick, Bitcoin Suisse, and Zilliqa are founding participants alongside QPQ. This is not a pilot. This is a European sovereign deploying the architecture for production financial infrastructure.

    The architecture the MIT DCI/Kinexys paper describes – composable standards, modular functionality, regulatory compliance – works better on neutral ground than on Ethereum. Institutions can maintain sovereign governance over their own infrastructure while settling through a resource layer controlled by no one, where finality depends on mathematics rather than trusting anonymous validators not to collude.

    The Invitation

    The authors conclude by hoping their work “can serve as a starting point for further dialogue and collaboration with the ecosystem.”

    We accept. This article is the shorter version of my exploration of the points they are raising.

    The problems they have identified are real. The solutions they have proposed are thoughtful. But, the foundation they have chosen – EVM-based blockchains with anonymous validators, captured consensus, governance-reversible finality, and mathematically impossible scaling – guarantees they cannot fully succeed.

    The blockchain and tooling designed for exactly what you’re describing exists. A European sovereign has already validated it. We built it. We’d welcome the opportunity to show you.

    Reference Links

    MIT Digital Currency Initiative and Kinexys by J.P. Morgan, “Designing Payment Tokens for Safety, Integrity, Interoperability and Usability,” https://www.jpmorgan.com/kinexys/documents/designing-payment-tokens-for-safety-integrity-interoperability-usability.pdf

    2 Billion Wallets Hacked: Why Your Crypto Isn’t Safe (And Never Was) [Long form] https://rumble.com/v6yqsls-2-billion-wallets-hacked-why-your-crypto-isnt-safe-and-never-was.html

    2 Billion Wallets Hacked: Why Your Crypto Isn’t Safe (And Never Was) [Short form] https://youtu.be/P_Z-QwFNm9M

    A subsequent post will be published in relation to this shortly.

  • Of RIPA and the Blockchain Overlords

    Of RIPA and the Blockchain Overlords

    On 18 Jan, Ethereum founder Vitalik Buterin posted on X that despite “super decentralization,” 49% Byzantine tolerance, etc., a protocol ultimately fails all three tests:

    It’s not trustless because you have to trust a small class of high priests who tell you what properties the protocol has

    It doesn’t pass the walkaway test because if existing client teams go away, it’s extremely hard for new teams to get up to the same level of quality

    It’s not self-sovereign because if even the most technical people can’t inspect and understand the thing, it’s not fully yours

    These were some of the (many) pain points that led to the conception of Gajumaru. Gajumaru’s resource layer, Groot, is planned to have its core protocol and reference implementation completed in the first half of 2027, and at that point public mining begins.

    The switch to uncontrolled public mining for Groot carries profound significance, as this is the point at which the protocol for Groot will become essentially set in stone and unchangeable.

    From that point on, Groot will enter a sort of “hands-off” mode where governance, as we now know from the Bitcoin experience, will be practically impossible. Instead of straining against this inevitable trend, this is part of the Gajumaru plan to provide a base resource that is fully trustless and resistant to institutional capture. This is Gajumaru’s way of protecting the monetary supply from subversion.

    Innovation does not stop, however, as Associate Chains (ACs) within the Gajumaru system, all of which share Groot’s currency and base protocol, are free to pursue innovation, and are only prohibited from influencing the supply of Gajus.

    Keeping the resource layer bare, simple, and solid minimizes the complications and risks of protocol breaks that come with complexity. It also means that different development teams can add, customize, and tweak features as much as they want without ever touching the core layer. There will be no forks or protocol updates to Groot itself, so “backwards compatibility” and protocol bloat are problems that will not affect Groot. (While forks are feasible in theory, they are practically impossible due to insurmountable coordination challenges and conflicts of interest. This trend is impossible to combat in a PoW setting, and is therefore leveraged as an anti-governance feature.)

    Once the hands-off point is reached, Groot will be fully uncontrolled – it cannot be influenced, not even by those who made it – with no “high priests” to lord over what it does or doesn’t do. All it does is mint, move, record. Nothing more.

    Additionally, this answers the “walkaway test” in Vitalik’s second point: even if the creators of Gajumaru disappeared, it wouldn’t matter. There is no development team needed to continue work on Groot – there is nothing more to do with it beyond the freeze. Implementation efficiency, competing implementations, ports to new hardware, sure, but all implementations of Groot simply become peers in the network.

    Finally, unlike Ethereum, there will be no “older versions” for developers to worry about – there will only be one version of the protocol that Groot follows, starting from the hands-off point. The rate of change from that point will be exactly zero, since additions to features are made on an entirely separate part of the architecture. Independent development teams can make all the changes they want on their own associate chain without affecting the resource layer for everyone else.

    For those interested in a deeper dive, Gajumaru follows the RIPA architecture: Resource, Infrastructure, Platform, Application. You can find more resources about the Gajumaru here.

    Below, you will also find a layman’s explanation of RIPA.

  • The Place for Trust in a Trustless System

    The Place for Trust in a Trustless System

    In an industry plagued by scams and fraud, demanding the complete removal of trust is simply unreasonable.


    Bitcoin’s original promise was simple: a system so transparent and mathematically enforced that you no longer had to trust anyone. Algorithmic consensus, as seen in proof-of-work mechanisms, replaces human intermediaries with verifiable mathematics. This allows cross-jurisdictional trades without relying on fragile human promises.

    No central bank, no custodian, no middleman. Just code and machines. We called it “trustless.”

    Yet fifteen years later, most people who use crypto still end up trusting someone: a stablecoin in the Cayman Islands, an exchange they’ve never met, a layer-2 sequencer that can pause withdrawals whenever it feels like it. Even worse, most of the time they simply trust a single corporation, not knowing the people and companies behind it – nor their motivations and potential conflicts of interest.

    The “trustless” dream discreetly morphed into new hierarchies of trust, often more opaque than the banks they were meant to replace.

    Most do not care, and it’s easy to see why. Trustlessness is a concept hard to accept for the regular person. Even in real-world peer-to-peer trades (this simply means direct, human-to-human transactions), someone holding a wad of cash looking to trade goods with another would prefer to do so with someone they trust.

    Between total strangers, we tend to look for familiar associations as a sign of trustworthiness – referrals and testimonials from people we know, which can be perceived as some form of “transferable trust.”

    The paradox is real: humans want the certainty of rules, but also the liberty to transact without permission. We want both finality and censorship resistance, both privacy and regulatory compliance, speed and decentralization.

    In the context of financial systems, we want freedom. But we also want to know whose house to burn should we get robbed blind.

    As we regularly point out, a blockchain’s resource layer must be trustless – this is non-negotiable. But it doesn’t follow that everything in this system has to be. We cannot paint human interactions black and white and demand an instant shift against their natural instincts as if they are nothing more than the machines we build.

    As humans, we require trust. And to trust, we require a face to attach that trust onto.

    Gajumaru takes a path that works with, rather than against, human nature. Instead of denying the need for trust, it asks a more honest question:

    Where does trust actually belong, and how do we make it visible, auditable, and most importantly, optional?

    The answer lies in deliberate separation.

    A blockchain’s resource layer has to be trustless, but the human elements of the system require trust. And that needs no changing. Instead, we let humans be humans – we work with it.

    The need for regulation, trust, and accountability

    Groot, the center of Gajumaru, requires no permission to use: no one can stop you from holding or moving Gajus, Gajumaru’s native currency. No one can freeze your account. No one can inflate the supply at will. This layer is intentionally trustless; its only job is to be a neutral, non-debasable bearer asset. You do not trust it; you verify it.

    But around this center orbit Associate Chains (ACs): regulated, private, or community-run side-chains that inherit the security of the Mint (Groot) but choose their own rules. The people behind these ACs are named, and there are faces, complete identities, and legal liabilities attached to those names.

    A national CBDC chain, a KYC-compliant remittance rail, a corporate treasury chain, or a fully anonymous mixer can all exist as Associate Chains. Here, trust is explicit and chosen. You trust the operator because they are licensed, insured, or bound to a jurisdiction you recognise. Or you don’t, and you simply stay on the Mint.

    Between these realms sits a clean, bridgeless interface. The Gaju moves in and out of Associate Chains atomically, without depending on third-party middlemen, wrapped tokens, or custodians. The Mint remains unaware of what happens inside an Associate Chain; the Associate Chain cannot rewrite the Mint. Trust never has to cross the boundary uninvited.

    This creates something new: Trust Markets.

    Where the Mint offers algorithmic trust: “the rules are the rules, enforced by code”;
    Associate Chains can offer institutional trust: “we follow these regulations, we are audited by these firms, we are insured up to this amount.”

    Users and businesses pick the flavour they need for each use-case. A coffee purchase stays on a fast state channel with instant finality and no identity. A cross-border payroll moves through a regulated Associate Chain that reports to tax authorities. Both use the same underlying money, but trust is layered exactly where it adds value and no further.

    Proof-of-Work itself becomes an act of trust placement. When banks, payment companies, and large merchants run nodes and mine (even at a small loss), they are not chasing block rewards; they are buying insurance against the chain being attacked or censored. Defensive mining turns “trust no one” into “enough of us trust the system to protect it.”

    So trust has not disappeared. It has been relocated onto a truly trustless money at the core, and in transparent, accountable institutions at the edge where real-world friction demands it.

    The result is a system that does not pretend humans have evolved beyond trust, but instead gives them the first honest marketplace for it: trust when you want it, verifiable minimisation when you don’t.

    That, perhaps, is the only sustainable definition of trustless: not the absence of trust, but the freedom to place it exactly where, and only where, it is needed.

    Trust Markets: Where Trust Becomes a Commodity

    In Gajumaru, trust isn’t eliminated; it’s marketized. Users pay for convenience from “trusted actors”—entities verifiable through on-chain adherence or regulatory compliance. The Platform layer (the P in RIPA) provides tools like APIs for building these, while Applications deliver user experiences.

    Consider the GajuMarket (coming soon), a peer-to-peer platform where trades happen via smart contracts on-chain. It supports “crypto-as-cash”: fast (1-3 second confirmations), low-cost transactions with optional anonymity. Login requires only proving account ownership via signature—no personal data unless negotiated. For higher trust, selective identification uses the naming system to certify capabilities, like age verification.

    Well-regulated spaces foster efficiency through clear rules and enforcement. Traditional blockchains resist regulation, isolating them from mainstream finance. Gajumaru flips this script with Associate Chains (ACs) in the Infrastructure layer—sidechains connected seamlessly to the Mint. ACs let operators choose consensus, governance, and KYC rules, aligning with local regulations while transacting Gajus globally. Imagine a national bank running an AC as a CBDC (central bank digital currency) mint, treating the Gaju as foreign currency: regulated where needed, trustless underneath.

    In the context of public institutions, we recognize that trust in governments varies wildly—ranging from high trust scores in places like Norway, to low trust levels in others. Gajumaru’s model supports both. In high-trust societies, it bolsters transparency; in low-trust ones, it serves to facilitate corruption resistance.

    This is where the Mint thrives, acting as an uncontrolled resource layer, serving as the negotiable space between jurisdictions. It’s not anti-regulation; it’s pre-regulation—a shared foundation enabling “trust markets” to emerge.

    Come build with us.

    QPQ is set to deploy Associate Chains in 2026. For those interested in building on Gajumaru, you may start with the documentation. You may also reach out to info@qpq.swiss.