Crypto’s Great Deception: Majority of ‘Decentralized’ Currency Controlled by Centralized Giants

Hidden Admin Keys: The Biggest Threat to Digital Assets

By Dr. David Utzke, CEO and CTO at MyKey Technologies

How have hidden admin keys and proprietary code bases become the single greatest threat to digital-asset integrity?

These are two issues that bear on the cybersecurity of DLT (Distributed Ledger Technology)-based digital assets, the ongoing business concerns of the underlying company, and jurisdictional geopolitical risks of financial instability.

Beginning with hidden administrator keys: the term generally refers to the asymmetric cryptographic private keys that determine ownership and grant control over DLT-based digital assets. These keys are kept secret for security purposes, and the security framework sometimes contains special “admin” privileges in the context of transactions involving L2 (Layer-2) contracts or institutional custody.

Discussion of admin control of keys often focuses on centralized exchanges (CEX); however, Distributed Exchanges (DEX) can also control keys related to L2 exchange contracts, though the extent of this control varies. Centralized L2s may have admins with keys that can alter contract rules, a situation that gives them significant control over users’ funds. Even on more decentralized L2s, some administrative functions might still exist through systems like multi-signature arrangements for contract upgrades or other functions.

For this reason, I describe a DEX as distributed, and not decentralized. The term “decentralized” is often confused with the term “distributed.” While a DEX operates within a distributed network environment, the term decentralized is rooted in the context of governance and control of an entity (public or private). This is something I addressed in a recent article titled “Crypto’s Great Deception: 75% of ‘Decentralized’ Currency Controlled by Centralized Giants” and in my newly released book, “The Digital Asset Technology Guidebook.” Too many users rely on the hype of decentralization but lack the knowledge to discern whether a project is centralized and to what degree. Some DLT frameworks are more highly centralized than others, just as traditional company structures are, and they lack the organizational structure needed to be considered decentralized.

Decentralization in business is the practice of distributing decision-making authority to lower-level managers and employees. Traditional business is “always” referred to as a centralized organization, yet DLT projects often have the same organizational structure, with titles like CEO, CTO, COO, President, VP, etc., and are run under the oversight of a foundation or DAO. These are also variations of centralization, with the structure described under the hype term of decentralization.

Unfortunately, the DLT digital asset community has derived an isolated definition of decentralization that is broadcast across the web and follows this theme: decentralization in crypto means that control is distributed across a network of computers, achieved through a network of nodes where each node holds a copy of a ledger, and consensus among these participants is required to validate transactions and make changes. Yet anyone who has researched the Bitcoin network recently will find that this network, touted as the most decentralized infrastructure, is currently computed as being 91% centralized under the decision-making of five corporate pools of validators and core developers. This is a centralization risk noted as “selfish mining” going back to 2013, after pool mining on the Bitcoin network began in November 2010 with the launch of Slush Pool as the first mining pool.

Returning to centralized authority: hidden admin keys are a current threat. Hidden admin keys are often used in supposedly “decentralized” projects and CEXs utilizing methods such as hardware security modules (HSM), off-network or air-gap storage erroneously referred to as cold storage, multi-sig wallets, multi-party computation erroneously called key sharding, and other services that CEXs and centralized platforms generically call KMS (key management system). These frameworks are often augmented with access controls and operational procedures like multi-factor authentication (MFA), audits and monitoring, physical security, and employee education.

But these arrangements have led to losses that stem from a Single Point of Failure (SPOF) and insider threats, and they are attractive targets for cyberattackers. As a couple of case-in-point instances, in May 2025 a Coinbase exploit exposed three insider threat enablers leading to a loss of $400 million of customer assets, and in February 2025, Bybit lost approximately $1.5 billion in ether from an attack where cybercriminals exploited vulnerabilities in Bybit’s multi-sig “cold storage” transaction process.

The proprietary codebase used by CEXs and L2/L3 projects is a point of significant debate within the DLT sector community, primarily revolving around the trade-offs between transparency and security through public scrutiny versus a company’s ability to control and monetize its technology. The phrase “a company’s ability to control and monetize” alone supports the thesis that these projects are centralized. There are a number of key vulnerabilities in closed-source code: it is developed either by a centralized team from the project or by a third party on behalf of the project’s developers. In either situation, over the long term, the closed-source code degrades due to a lack of bug fixes, a failure to maintain the code as technology changes, and a lack of continuous monitoring; security reviews are not conducted to identify new exploit methods.

How are today’s “decentralized” networks actually operating more like unregulated corporate platforms?

Today’s “decentralized” networks very much operate similarly to corporate platforms due to the concentration of power in the hands of a few key developers and founders or through the creation of centralized control points, such as a foundation (aka advisory board) and corporate entity within the decentralized structure. Some networks, while operating on a distributed network, are governed by a small group of developers or companies, or a few large platforms/investors dominate, creating a centralized influence that limits true autonomy and can lead to similar issues like censorship and control seen in traditional platforms. For example, a few dominant platforms can effectively control the ecosystem, or the developers of the underlying technology maintain significant power over its future direction.

So, the hype of platform decentralization is in reality centralization through developer/founder/foundation/corporate control, venture/large-investor control, and power concentrated in a few dominant platforms that become gatekeepers, similar to the traditional tech companies that dominate in monetizing the internet and web infrastructure, which was itself released as open-source.

The problem, as noted earlier, is L2/L3 platforms redefining the term “decentralization” rather than having an enforced standard of following the textbook definition. If one is to conduct a search on factors that demonstrate decentralization, the following is just a sampling of what will be found in numerous web articles, but none of these relate to decentralized control:

Deploy projects on “blockchains.” NOTE: Blockchain is a term contrived by social media by abstracting the separately used words “chain” and “block” from the Bitcoin Network whitepaper. In the history of computer science, there is no such thing as blockchain technology. The chaining of blocks of data in data science has always been categorized as sequential linear data hash ledgers. It is also notable that most of the more robust networks utilize directed acyclic graph (DAG) ledgers or a hybrid of DAG and a sequential non-linear data hash ledger – BlockDAG is a common hybrid architecture. In the case of Solana, the architecture is a combination of sequential linear data blocks for storing transaction data and sequential non-linear ledger data sequencing for more efficient and faster parallel processing. This is a far superior data architecture to the simple sequential linear data ledger structure that is utilized in the Bitcoin network architecture.

Make the code open-source. On a cybersecurity note, making the codebase open-source provides visibility for cyberattackers to analyze the code for vulnerabilities and devise an attack method. However, developers who open-source their code invoke the term decentralization when, in fact, this is done to prompt code standardization by allowing others to adopt or adapt their codebase, which allows for interoperability among projects on the same or other networks. This results in expanding the platform’s user base to increase revenue on their project platform and increasing transaction fees.

Transition to DAO governance. DAOs (Decentralized Autonomous Organizations) are a facade of decentralization: they transition centralized direct control from core platform developers/founders to centralized control by the DAO, which is often controlled by those who control the majority of the DAO’s representative digital asset. A DAO is merely a digital version of a traditional publicly traded shareholder company.

Implement transparent on-chain analytics. Here again, transparency is another term used incorrectly by attempting to redefine and equate it with decentralization. However, transparency is defined as “the quality or state of being transparent,” and decentralization is defined as “the dispersion or distribution of functions and powers; specifically, government.” NOTE: The morphology of “decentralization” is rooted in the context of politics in France and England during the 1800s. This has its origin in the French debate in the late 1820s and appeared in English writings in the early 1830s. Breaking down the morphology of the word, it is formed from the prefix “de” (meaning to remove) and “centralization”. The concept of decentralization gained traction in France during the 1820s as a reaction to the increasing centralization of government power. The word “centralization” came into use in France in 1794 as the post-Revolution French Directory leadership created a new government structure (Robert Leroux, French Liberalism in the 19th Century: An Anthology, Chapter 6: Maurice Block on “Decentralization”, Routledge, 2012, p. 255). Interestingly, in the mid-1800s, Tocqueville would write that the French Revolution began with “a push towards decentralization” but became, “in the end, an extension of centralization.” 

Why has decentralization become a marketing slogan instead of a verifiable architectural standard?

Started as an aspirational concept, “decentralization” is a marketing slogan that is easier to market than to implement as a strict architectural standard. Further, it has been incorrectly defined in the context of DLT platforms, and it is very difficult to verify across different platforms because of the marketing ruse. Marketers use it as a dog whistle to signify benefits like local autonomy, agility, and consumer empowerment, which are attractive to their audience. In reality, there is no single, universally verifiable architectural standard for “decentralization,” and its actual implementation often involves a “hub and zone” model rather than a fully decentralized system.  

For example, the Bitcoin electronic cash payment network was architected to be a decentralized system – i.e., no one controlled it. However, as developers were attracted to contribute and pooling was introduced, centralization has emerged as the primary organizational framework. Researchers and DLT architects have measured this using the Gini Coefficient or the Nakamoto Coefficient used by DARPA, which measure the ratio of distribution of a network. The Bitcoin network is now 95% controlled by six corporate validation pools. And to measure the centralization of the bitcoin asset, multiple sources now publish that over 30% of bitcoin is hoarded by centralized corporate institutions, and the U.S. government is on track to hold up to 10% of all bitcoin currently in circulation (I detail the math on that percentage in my book “The Digital Asset Technology Guidebook”). In addition, the top 1% of Bitcoin addresses hold over 90% of the total Bitcoin supply, according to Bitinfocharts, which consists of CEX addresses that hold the 30% noted above related to Bitcoin held by centralized corporations. Bitcoin is not the bastion of decentralization it is constantly touted to be on business news and at various conferences by those propping up the narrative, who may be motivated by self-enrichment.
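The two concentration metrics named above can be computed directly from a share distribution. The following is an added example, not code from this article or the author's book: the pool names and share values are constructed (not measurements of any network), and the 50% threshold for the Nakamoto coefficient is an assumption that can be changed.

```python
"""Concentration metrics for a validator or mining-pool share distribution.

Added illustration. All share figures are constructed sample values.
"""
from fractions import Fraction

# Constructed sample: six large pools plus five small independent validators.
CONSTRUCTED_POOL_SHARES = {
    "pool-A": 30, "pool-B": 25, "pool-C": 15, "pool-D": 12, "pool-E": 8,
    "pool-F": 5, "solo-1": 1, "solo-2": 1, "solo-3": 1, "solo-4": 1, "solo-5": 1,
}


def normalize(shares):
    """Return the shares as exact fractions summing to 1; reject bad input."""
    vals = [Fraction(str(s)) for s in shares]
    if not vals or any(v < 0 for v in vals):
        raise ValueError("shares must be a non-empty list of non-negative numbers")
    total = sum(vals)
    if total == 0:
        raise ValueError("shares sum to zero")
    return [v / total for v in vals]


def nakamoto_coefficient(shares, threshold=Fraction(1, 2)):
    """Smallest number of entities whose combined share strictly exceeds threshold.

    The default of 1/2 is an assumption; pass e.g. Fraction(2, 3) for systems
    where a two-thirds quorum is the relevant control point.
    """
    running = Fraction(0)
    ranked = sorted(normalize(shares), reverse=True)
    for count, share in enumerate(ranked, start=1):
        running += share
        if running > threshold:
            return count
    raise ValueError("threshold cannot be exceeded")  # only when threshold >= 1


def gini(shares):
    """Gini coefficient: 0 means perfectly even, values near 1 mean one holder."""
    xs = sorted(normalize(shares))
    n = len(xs)
    # For ascending x_i that sum to 1: G = 2 * sum(i * x_i) / n - (n + 1) / n
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return float(2 * weighted / n - Fraction(n + 1, n))


def top_k_share(shares, k):
    """Combined share of the k largest entities."""
    return float(sum(sorted(normalize(shares), reverse=True)[:k]))


if __name__ == "__main__":
    s = list(CONSTRUCTED_POOL_SHARES.values())
    print("top-6 share:", top_k_share(s, 6))
    print("Nakamoto coefficient (>1/2):", nakamoto_coefficient(s))
    print("Nakamoto coefficient (>2/3):", nakamoto_coefficient(s, Fraction(2, 3)))
    print("Gini:", round(gini(s), 4))
    # Ten equal participants for comparison: Gini 0, six must cooperate.
    print("even network:", gini([1] * 10), nakamoto_coefficient([1] * 10))
```

The two numbers answer different questions: the Gini coefficient describes how uneven the whole distribution is, while the Nakamoto coefficient counts how few entities would have to coordinate to cross a control threshold.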

In my book noted previously, and in speaking engagements, I advocate for instituting a self-regulatory organization (SRO), as with FINRA in the securities trading industry, comprised of independent technology experts in DLT, to set standards for disclosure and provide oversight on behalf of the regulators.

What risks do investors face when networks branded as decentralized are ultimately controlled by a handful of executives or developers?

Analysis of decentralized branded platforms that are centrally controlled demonstrates that investors risk losing their capital due to a lack of regulatory protection, increased vulnerability to exploits and scams, and the potential for centralized control to make decisions that benefit insiders over the community. Because a small group can hold the reins, they can manipulate the network’s direction. And the most observed outcome, not just a risk, is the sudden collapse due to a centralized decision or a security exploit.

Other observed risks of centralized control in “decentralized” networks include lack of recourse and consumer protection, vulnerability to manipulation, security vulnerabilities, fraud schemes and scams, irreversibility of executed transactions, and, most notably, the regulatory uncertainty.

How does the absence of transparent disclosure standards enable backdoor manipulation of digital-asset ecosystems?

We can probably debate centralization and decentralization with die-hard positions on both sides. The conversation needs to move beyond merely using a term (i.e., decentralization); the term needs to be incorporated into much-needed mandatory disclosures. In the matter of decentralization, a disclosure needs to look more like a mandatory technical whitepaper, without marketing fluff, and a prospectus similar to what is required for traditional securities, if this is a digital asset connected to RWAs (real-world assets) or a digital asset that has a propensity toward increasing capitalization (e.g., BTC, ETH, meme tokens issued under PvP KOL degen casino models) – even if the digital asset is not classified as a security by the SEC or other jurisdictional authority.

The lack of transparency and backdoor manipulation can be seen in some of the following examples:

FTX (2022): This is the most significant and well-documented case. Former CEO Sam Bankman-Fried was convicted and sentenced to 25 years in prison for his role in defrauding customers and investors. He was found to have misappropriated billions of dollars in customer funds, secretly transferring them to the associated trading firm Alameda Research for risky investments and personal use, leading to the exchange’s collapse when a liquidity crisis hit.

QuadrigaCX (2019): The Canadian exchange collapsed after the reported death of its founder, Gerald Cotten. Cotten was the only person who had access to the private keys holding C$250 million (approximately $190 million USD) of user funds. Investigations later revealed that Cotten had been running the exchange fraudulently for some time, commingling user funds and mismanaging assets, and most of the funds were unrecoverable. There has been speculation, though unproven, that he faked his own death.

WEX Exchange (formerly BTC-e) (2018): Following the shutdown of the infamous BTC-e, WEX emerged as its successor. Its operator allegedly disappeared with hundreds of millions of dollars in user funds in 2018, and the exchange went offline.

Haru Invest (2023): While a South Korean court in 2025 acquitted the CEO of fraud charges, ruling his actions were a response to financial pressures, the company abruptly closed user withdrawals in June 2023, resulting in significant losses for users. This illustrates the custodial risk and lack of guaranteed recovery when a centralized entity faces insolvency or mismanagement.

Coinbase (2025): CEX platforms acting as intermediaries (e.g., Coinbase, Kraken, Gemini, BitGo, Bybit, Circle, Tether, and many others), constituting a demolition of the implementation and use of DLT for removing intermediaries, are moving to become publicly traded companies in the traditional equities space. Coinbase is again in the spotlight. A recent shareholder lawsuit against Coinbase accuses executives of backdoor manipulation by selling $4.2 billion in stock while allegedly concealing issues like compliance failures, data breaches, and regulatory problems. The suit suggests these actions were a form of insider trading, where insiders sold at artificially inflated prices based on non-public, negative information about the company. While this lawsuit specifically targets alleged misconduct by Coinbase management, it brings up broader concerns about the transparency and security of centralized digital asset exchanges. Details are that shareholders filed a derivative lawsuit in Delaware, claiming Coinbase executives, including CEO Brian Armstrong and board member Marc Andreessen, sold stock while knowing about internal problems like weak Know Your Customer (KYC) and anti-money laundering (AML) controls, security vulnerabilities, and ongoing regulatory investigations. The allegation is manipulation by withholding this information, allowing the executives to sell their shares at an inflated price, which the plaintiffs claim constitutes illegal insider trading. The broader concern of the lawsuit’s allegations, particularly regarding the concealment of compliance failures and security vulnerabilities, highlights the potential for misconduct and lack of transparency at centralized exchanges. This raises questions about the safety of assets held on such platforms and the potential for manipulation beyond this specific case. 
This lawsuit follows previous controversies, including a 2023 settlement of $100 million with New York regulators over compliance failures and a 2024 data breach that was disclosed in May.

What practical steps can digital-asset projects take today to demonstrate genuine decentralization?

The disclosure matter that started in the last question is not a matter of calling something centralized or decentralized – these words need to be retired in the DLT-based digital asset sector due to their long-term misuse and hype.

There is a need for mandatory disclosure that includes the names and monikers (commonly used in social media and trading platforms) of developer/founder/VC/foundation/corporate entity (DAO or traditional corp) holders of project assets (not simply saying decentralized – prove it); what position titles are held by people running the platform; whether users have voting rights on what changes occur on the project’s platform (i.e., are changes for the benefit of the platform operators or users); the data ledger method (not simply saying blockchain, as noted in a previous question); the exact process for transaction validation and censorship; what other projects the developers and management have been involved with and how many have survived long-term or shut down; what enforcement actions by law enforcement jurisdictions were served; how many and what kind of exploits previous projects suffered; and the list goes on. These are the types of disclosures that users need to have. As I analogize in my book, it is a similar controversy to the one the U.S. went through in the 90s, and is still facing today, on what is in our food supply. And the lesson learned from the food industry is that disclosures will change over time.

This is another area where an SRO of independent technology and digital asset experts is a beneficial and necessary component to augment SEC and CFTC enforcement. 

This certainly raises jurisdictional issues; however, jurisdictions are already placing restrictions on global developers in the DLT sector over whether people from certain jurisdictions are allowed to participate. This space has still not reached the utopic dream of being free from government oversight. And I will note that government interference came with the introduction of centralized exchange platforms, where the government first invited itself to the game.

About Dr. David Utzke:

Dr. David Utzke is the CEO and CTO at MyKey Technologies, who is a Financial and Digital Asset Economist, Distributed Ledger Architectural Engineer, AI Engineer, educator, researcher, and author with experience in cybersecurity, Cybercrimes investigation, data security, heuristic and forensic analytics, cryptography, economic game theory, Extended Reality design, and quantum computing.

Dr. Utzke holds a doctorate in Financial Economics and Data Security, MBA in Forensic Accounting and International Finance, MSc in Blockchain Engineering and Digital Currency Coding with postdoctoral work in Digital Asset Economics and Smart City Design with Technology Integration at MIT, and post-doctoral work in XR design at the University of Michigan’s XR Dept with a focus on technology ethical use, accessibility, social implications, privacy, and user security.

Dr. Utzke has received professional certifications as a Certified Fraud Examiner (CFE), Certified Forensic Interviewer (CFI), Certified Digital Forensic Examiner (CDFE), and completed training at the Army NCO Academy and Federal Law Enforcement Training Center (FLETC) in Advanced Economic Crimes, as well as certifications in Blockchain Design, Blockchain Architecture, and L2 Contract Development.

Accomplishments include being a highly decorated member of the U.S. military as well as receiving numerous prestigious awards from the U.S. Department of Justice and IRS for the application of unique investigative and analytic methods supporting high-profile investigations and his pioneering work in developing tools and providing support in DLT, Digital Assets, AI, and XR in criminal and civil investigations.

LinkedIn URL – https://www.linkedin.com/in/drdavidutzke/

About MyKey Technologies:

MyKey Technologies is a pioneering research and design firm focused on secure PQC/QRC digital infrastructure technology and building secure, next-generation infrastructure for digital assets and sensitive data, with a foundation in privacy, compliance, and innovative architecture. MyKey research designs solutions that help organizations protect, manage, and move digital information with confidence—whether it’s private keys, financial data, intellectual property, or identity credentials.

The company currently offers three core products: Iso-CAR, a secure storage system for digital assets and critical data that removes exposure to public networks; TunnelX, a private transaction layer designed to enable the compliant movement of locked or restricted digital assets between parties without public broadcast; and iZKP-AIV – an AI-based identity verifier integrated as an interactive zero-knowledge proof verifier to let users confirm their identities securely without revealing personal credentials over APIs or vulnerable networks.

These technologies are designed to provide a modular platform for institutions, enterprises, and governments looking to operate securely and privately in the digital environment—offering new tools for storage, movement, and authentication that don’t rely on traditional cloud systems, third-party intermediaries, or classical cryptography.
