El briefing de hoy, por qué te interesa.

Vercel — the hosting platform running most retail Web3 frontends (wallets, DEXs, bridges, NFT marketplaces) — confirmed on April 19-20 a security incident where an employee was compromised via Context.ai (third-party AI tool), giving attackers access to their Google Workspace account and from there to Vercel environment variables. Crypto developers are rushing to rotate API keys. The same day, LayerZero formally attributed the Kelp DAO exploit ($292M) to Lazarus Group (North Korea), citing the exploited "single-point setup" pattern. The combo is devastating: in 48 hours the Web3 stack that nearly all US retail crypto depends on gets compromised — one via sophisticated supply-chain phishing, the other by a sovereign state actor. The macro context explains the timing: DeFi TVL lost $13B in 48h post-Kelp, cross-chain cascade effect confirmed, and the response from US regulators (CLARITY Act in markup) is forced to accept that "composable self-custody" isn't compatible with regulated institutional capital. Kraken closing its IPO filing last week benefits; the rest of retail Web3 is left in existential questioning.

- Your exposure: If you operate a wallet, DEX, bridge or NFT marketplace hosted on Vercel (most of you), rotate API keys TODAY and audit exposed environment variables. If you're a DeFi protocol with cross-chain integrations (Pendle, EtherFi, Renzo, Restake, Symbiotic), audit your counterparty list — Lazarus will repeat the single-point setup pattern. - Wins/Loses: Wins: (a) regulated centralized exchanges (Kraken, Coinbase, Gemini) — scared capital migrates toward infrastructure with SOC2+KYC audit; (b) self-hosted infrastructure vendors (AWS direct, Cloudflare Workers, Railway) as Vercel alternatives; (c) isolated DeFi protocols (Aave v3 isolated, Morpho Blue) that never depended on the composable cross-chain stack. Vercel loses (brand damage at scale), Context.ai loses (vendor shutdown likely), and any protocol with indirect Kelp exposure. - Watch: Whether a second cross-chain DeFi protocol reports an exploit within 14 days (Lazarus typically repeats the pattern within 2-3 weeks). Whether any G7 regulator opens formal investigation into Vercel/Context.ai as critical infrastructure provider for crypto before May 15.

[CoinDesk (Apr 20)](https://www.coindesk.com/tech/2026/04/20/hack-at-vercel-sends-crypto-developers-scrambling-to-lock-down-api-keys) · [Vercel Security Bulletin (Apr 20)](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)

Philippe Laulanie, director general of Cartes Bancaires, revealed on April 19 in the Financial Times that the French network has 30 bank candidates from other EU countries lined up to join — turning CB into an alternative retail rail to Visa and Mastercard. "CB has become very attractive again," Laulanie said, citing geopolitical reasons. The timing isn't random: April 19 also saw the Euro Weekly News report documenting the intra-EU tension over the digital euro with a 2028 launch target — Sweden defending physical cash as a resilience safeguard while Spain pushes for an accelerated digital-only rollout. The two moves converge on the same thesis: Europe is not only building rails without the US (CB Payments in retail) but internally debating the timing of the digital euro as sovereign response. The subtext: the Vercel breach and the Lazarus attribution the same day (TOP 1) validate the urgency ex post — the American stack Europe has depended on shows both operational AND geopolitical vulnerability simultaneously.

- Your exposure: If you're an issuer bank in the eurozone, the 30 CB candidates aren't abstraction — your direct competitor is deciding whether to join or stay outside the first pan-European non-US retail rail. If you're a merchant with EU cross-border volume, CB interop reduces interchange by 40-60 bps vs Visa/MC. If you're a PSP, the CB competitor network redefines your commercial offering in 18 months. - Wins/Loses: The CB + EPI/Wero + SG-FORGE + ABN AMRO axis wins — integrated European retail rail + stablecoin + wallet. Visa/Mastercard loses its last regional retail network without local alternative. Franco-Spanish banks win as first-movers (SG, BNP, BBVA, Santander); DACH banks lose if they wait (blocked by JPM-deposit lobby pressure). - Watch: Whether 10+ of the 30 CB candidates formalize adhesion before June 15 (the critical-mass milestone). Whether the June digital euro vote confirms 2028 as a hard deadline (vs "aspirational target").

[PYMNTS (Apr 20)](https://www.pymnts.com/news/international/global-payments/2026/frances-cb-payments-network-aims-to-take-on-visa-mastercard-in-eu) · [Euro Weekly News (Apr 19)](https://euroweeklynews.com/2026/04/19/digital-euro-by-2028-why-sweden-is-defending-cash-while-spain-pushes-for-digital-only/)