By AEREDIUM Foundation
US Patent Application 63/977,868
The digital asset industry has a security problem that most people in it have quietly accepted. Every time a stablecoin is minted, a tokenized bond is settled, or a treasury payment is authorized, a single private key somewhere has to sign the transaction. That key might live in a hardware vault, on a server, or with a custodian. Wherever it lives, it represents a single point of failure — one key, one catastrophic risk.
AERKey was built to make that problem disappear. And to prove, permanently and mathematically, that it has disappeared.
The Problem With How Institutions Sign Today
In traditional finance, no single person can move significant assets unilaterally. Dual controls, board approvals, and segregation of duties are embedded in every serious institution's operating model. Yet in digital assets, the same institutions are routinely authorizing transactions through a single cryptographic key. Whoever controls that key controls the assets.
Hardware Security Modules offer strong protection against external attackers. But they do not protect against a compromised insider. A single administrator with access to the signing system can authorize any transaction, at any time, without detection until it is too late. For an institution managing hundreds of millions in stablecoins or tokenized assets, this is not a theoretical risk. It is an operating exposure sitting on the balance sheet every day.
Why Multi-Signature Is Not the Answer
Multi-signature arrangements — where multiple parties must each approve a transaction using their own individual key — are widely used and often presented as a gold standard for institutional security. The concept sounds reassuring. The reality has a fundamental weakness that is rarely discussed openly.
The keys still exist.
In a conventional multi-signature wallet, each approving party holds a complete, standalone private key. To compromise the wallet, an attacker does not need to compromise every participant simultaneously. They only need to reach the threshold number — in a three-of-five arrangement, just three. And each of those keys is an independent target that can be compromised separately, over time, without triggering any alarm.
More fundamentally, a private key on an elliptic curve is a number. Numbers can be duplicated without leaving any trace that a copy was made. An insider who extracts a key leaves no forensic footprint. The key continues to appear legitimate. The multi-signature policy may require three approvals, but if three keys have been silently copied at different times and by different means, an attacker can produce all three approvals at a moment of their choosing.
There is a deeper architectural problem as well. Multi-signature rules are enforced by software or smart contract logic — not by mathematics. The policy says three keys must sign, but the policy is only as strong as the system that checks it. A compromised platform, a rogue administrator with elevated access, or a sophisticated attack on the signing interface can bypass the policy entirely — because the keys themselves still exist and the mathematics does not prevent any one of them from signing unilaterally if it falls into the wrong hands.
Multi-signature adds useful friction. It does not eliminate the underlying risk. It is procedural security dressed as cryptographic security.
The Evidence Is Not Theoretical
The past eighteen months have provided a devastating real-world demonstration of what happens when institutions rely on key-based and multi-signature custody infrastructure.
In July 2024, WazirX, India's largest cryptocurrency exchange, lost $235 million through its multi-signature custody arrangement. Attackers — subsequently linked to North Korea's Lazarus Group — exploited discrepancies between what the custody platform's interface showed to the authorized signatories and what they were actually signing. The keys existed. The signatories were real. The approvals were genuine. And the funds were gone. The custody provider and the exchange blamed each other publicly, while Indian authorities criticized the custody firm for failing to provide critical logs during the investigation.
One month earlier, Japan's DMM Bitcoin lost $305 million — the largest crypto theft of 2024 — through compromised private key infrastructure. The exchange subsequently shut down entirely and transferred its customer assets to a competitor.
In October 2024, Radiant Capital, a blockchain lending platform, lost $50 million when attackers implanted malware on the computers of team members, tricking their hardware wallets into signing malicious transactions. Three private keys were compromised. Three was the threshold. The funds were drained across multiple blockchain networks simultaneously.
Then in February 2025, Bybit suffered the largest digital asset theft ever recorded — $1.5 billion in a single attack. The forensic review concluded that the credentials of a developer at Bybit's custody provider were compromised, allowing attackers to deceive Bybit's own signatories into approving a malicious transaction. Again the custody provider and the exchange blamed each other. Again the funds were gone.
In total, crypto hacks drained approximately $1.5 billion from the industry in 2024, with two private key breaches — DMM Bitcoin and WazirX — accounting for roughly 36% of all losses. The first quarter of 2025, led by Bybit, had already exceeded the entire 2024 total within three months. The crypto industry experienced $2.17 billion in theft during the first half of 2025 alone, marking the worst period on record for digital asset crime.
The pattern across every one of these incidents is identical: keys existed, keys were compromised, funds were lost. The multi-signature arrangements did not fail because the concept was implemented poorly. They failed because the concept itself does not eliminate the underlying problem. As long as individual keys exist, they can be found, copied, or coerced.
Why MPC-CMP — The Approach Used by Leading Custody Platforms — Has Important Limitations
The leading institutional custody platforms have recognized the weakness of traditional key custody and moved to a more sophisticated approach known as MPC-CMP, a multi-party computation protocol where the signing key is split into shares held across different parties. This is a genuine improvement over single-key custody, and it represents the current state of the art for most institutional platforms.
However, MPC-CMP has a characteristic that is worth understanding carefully. The protocol requires the key shares to be brought together — in a coordinated computation — at the moment of signing. While the full private key is not assembled in one place, the signing session requires all participating shares to be active and communicating simultaneously. This means that a sufficiently sophisticated attacker who can compromise the signing session at the protocol level — rather than stealing any single key — may still be able to manipulate what gets signed, as the Bybit and WazirX incidents illustrated.
There is also a structural dependency that institutions often do not examine closely enough: when an institution signs with these platforms, one of the key shares is held by the platform provider itself. The institution and the platform must co-sign every transaction. This is presented as a security feature, and in some respects it is. But it also means the institution has handed a permanent and irrevocable degree of control over its assets to a private company operating in a foreign jurisdiction. That company's infrastructure, its staff, its own internal controls, and its relationship with its own cloud providers all sit in the authorization chain for every transaction the institution ever makes.
Most institutions have not fully considered what that means — for their fiduciary obligations, for their regulatory posture, or for their exposure if that company suffers its own incident.
A Different Approach: Eliminating the Key Entirely
AERKey solves this problem at a fundamentally different level. Instead of protecting individual key shares that must be brought together to sign, AERKey ensures that no complete signing key — and no signing-equivalent state — ever exists anywhere. Not at creation. Not during signing. Not ever.
Using a threshold signature protocol — the same class of standard used by the world's largest custody providers, but implemented with critical architectural differences — AERKey distributes the signing capability across multiple independent secure environments in different geographic regions and, as the platform expands, across entirely different cloud providers. A valid signature can only be produced when a threshold number of these environments participate simultaneously in a coordinated computation. There is no key to steal, copy, or coerce. This is not a policy rule. It is a mathematical guarantee.
Each signing environment operates inside a Trusted Execution Environment — a hardware-isolated computing enclave whose memory and contents are inaccessible even to the cloud provider hosting it. Before every signing operation, each enclave produces a cryptographic attestation proving exactly what software is running inside it. If anything has been tampered with, the proof fails and the signing operation is automatically aborted. No human detection required.
AEREDIUM Foundation holds a patent application covering key innovations in this architecture, including a proprietary sequencing mechanism that ensures every signing operation is uniquely ordered, time-bound, and non-replayable across the network of enclaves. This is not a feature we elaborate on in detail — protecting our intellectual property is as important as protecting our clients' assets. What matters for an institution is the practical outcome: even in a scenario where one environment is fully compromised, it cannot be manipulated into producing an unauthorized signature. The guarantee holds at the hardware level, not the software level.
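To make the threshold claim above concrete, here is an added example of t-of-n Schnorr signing. It is not AERKey's protocol and not AEREDIUM code; it shows the general technique that the section describes, in which a signature appears only when enough participants contribute and no complete key exists at any point. Assumptions of the example: the group parameters p = 1019, q = 509, g = 4 are constructed toy values; a trusted dealer splits the key (production systems use distributed key generation so that the constant term is never present on any machine); and nonces are exchanged without the commitment round that protocols such as FROST add against a malicious co-signer. The proprietary sequencing mechanism mentioned in this section is not modelled.

```python
import hashlib
import random

# Constructed toy Schnorr group (assumption for this example, not a production parameter set):
# P is prime, Q = (P - 1) / 2 is prime, and G = 4 generates the subgroup of order Q.
P = 1019
Q = 509
G = 4


def make_rng(seed=None):
    """SystemRandom for real use; a seeded Random only for reproducible demonstrations."""
    return random.SystemRandom() if seed is None else random.Random(seed)


def challenge(R, pub, msg):
    """Fiat-Shamir challenge c = H(R || pub || msg) reduced into Z_Q."""
    digest = hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q


def lagrange_at_zero(i, signers):
    """Weight that share i carries when the signer set interpolates the polynomial at 0."""
    num, den = 1, 1
    for j in signers:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def deal_key_shares(n, t, rng):
    """Shamir-split a fresh secret into n shares, any t of which define it.
    The trusted dealer is an assumption of this demo; production systems use distributed
    key generation so the constant term x is never present on any single machine."""
    coeffs = [rng.randrange(1, Q) for _ in range(t)]      # f(z) = x + a1*z + ... + a_{t-1}*z^{t-1}
    shares = {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}
    pub = pow(G, coeffs[0], P)
    del coeffs                                             # the dealer forgets the polynomial; only shares remain
    return pub, shares


def sign_threshold(shares, signers, t, pub, msg, rng):
    """Produce a Schnorr signature from the partial signatures of at least t share holders.
    The secret x is never assembled: each signer combines only its own nonce and its own share."""
    signers = sorted(set(signers))
    if len(signers) < t:
        raise ValueError(f"threshold not met: {len(signers)} participants, {t} required")
    # Round 1: every participant picks a private nonce k_i and reveals only R_i = G^k_i.
    nonces = {i: rng.randrange(1, Q) for i in signers}
    R = 1
    for i in signers:
        R = R * pow(G, nonces[i], P) % P                   # R = G^(sum of all k_i)
    c = challenge(R, pub, msg)
    # Round 2: partial signature s_i = k_i + c * lambda_i * x_i; the coordinator only adds them.
    s = 0
    for i in signers:
        s = (s + nonces[i] + c * lagrange_at_zero(i, signers) * shares[i]) % Q
    return R, s


def verify(pub, msg, sig):
    """Ordinary single-key Schnorr verification: G^s == R * pub^c (mod P)."""
    R, s = sig
    c = challenge(R, pub, msg)
    return pow(G, s, P) == R * pow(pub, c, P) % P


def forge_with_one_share(share, pub, msg, rng):
    """What the holder of one stolen share can attempt: sign as if the share were the key."""
    k = rng.randrange(1, Q)
    R = pow(G, k, P)
    return R, (k + challenge(R, pub, msg) * share) % Q


if __name__ == "__main__":
    rng = make_rng()
    pub, shares = deal_key_shares(n=5, t=3, rng=rng)
    msg = b"constructed payload hash: mint 1,000,000 units"
    sig = sign_threshold(shares, [1, 3, 5], 3, pub, msg, rng)
    print("3-of-5 signature verifies:", verify(pub, msg, sig))
    print("single stolen share verifies:", verify(pub, msg, forge_with_one_share(shares[2], pub, msg, rng)))
```

The verifier runs the ordinary single-key Schnorr equation, which is why a threshold-produced signature is indistinguishable from any other: nothing in the output reveals how many parties took part. Any t distinct share holders yield a valid signature; below the threshold the coordinator aborts, and a lone share used as though it were the key fails verification because the Lagrange weighting that reconstructs the polynomial's constant term is missing.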
What This Means in Practice
For a bank, fund manager, or stablecoin issuer, integrating AERKey is straightforward. AERKey produces standard cryptographic signatures compatible with Ethereum and all major blockchains. A single authorized address is registered in the institution's smart contract. From that point forward, any transaction requiring AERKey authorization submits a hash to the API and receives a signature back within milliseconds — produced by consensus across geographically distributed, hardware-attested environments, but indistinguishable in format from any other signature the blockchain has ever processed. No proprietary infrastructure required on the institution's side.
The throughput is institutional grade. AERKey delivers over six thousand signatures per minute per signing group, with response times under ten milliseconds. Groups scale horizontally without limit. For high-frequency settlement operations, block production, or batch transaction authorization, the system operates at the speed the market demands.
An Audit Trail That No One Can Alter
Authorization is only half of institutional governance. The other half is proof — the ability to demonstrate, to regulators, counterparties, and auditors, exactly who authorized what, and when.
This is where AERKey goes beyond anything currently available in the market.
Every signing operation is captured in real time by a recording system engineered to add under twenty-five nanoseconds of overhead to the signing path — a fraction so small as to be operationally irrelevant. The signing operation itself is never delayed. Records flow asynchronously through a crash-safe persistence layer that guarantees no authorization record is ever lost, even in the event of an abrupt system failure. From there, each record is processed into a cryptographic chain where every entry is mathematically linked to every entry before it. The chain cannot be modified, reordered, or selectively deleted without breaking every link that follows — making any tampering immediately and mathematically detectable by anyone with access to the chain, including parties entirely outside AEREDIUM's infrastructure.
Every record carries a timestamp produced not by a server clock but by the hardware security module inside the signing enclave itself. This hardware-attested timestamp is cryptographically bound to the record and cannot be falsified retrospectively.
Every five minutes, a cryptographic summary of the entire audit chain is published to the AEREDIUM blockchain. Once anchored, it is permanently immutable. A regulator, external auditor, or institutional counterparty can take any segment of the audit history, independently recompute the cryptographic chain, and compare the result against the on-chain anchor — without involving AEREDIUM, without trusting AEREDIUM's infrastructure, and without relying on AEREDIUM's word. The proof is mathematical and public.
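The chaining, anchoring and independent recomputation described in this section, as an added example that is not AEREDIUM's recording system: each record is hashed together with the hash of the record before it, the head of the chain stands in for the summary that would be published on-chain, and an outside party holding only the records and that anchor recomputes every link. The field names, the genesis value and the three sample records are constructed for the example; the in-path recorder, the asynchronous persistence layer and the HSM-produced timestamps are not modelled, so ts_ns is just a sample value.

```python
import copy
import hashlib
import json

# Hash that the first entry links to (a convention chosen for this example).
GENESIS = "0" * 64


def _h(label):
    """Constructed stand-in for a real transaction hash or signature."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample authorization records; the field names are this example's own choice.
SAMPLE_RECORDS = [
    {"seq": 1, "ts_ns": 1_735_689_600_000_000_000, "enclave": "region-a/enclave-01",
     "credential": "treasury-desk", "payload_hash": _h("tx-1"), "signature": _h("sig-1")},
    {"seq": 2, "ts_ns": 1_735_689_600_000_004_000, "enclave": "region-b/enclave-04",
     "credential": "settlement-bot", "payload_hash": _h("tx-2"), "signature": _h("sig-2")},
    {"seq": 3, "ts_ns": 1_735_689_600_000_009_000, "enclave": "region-c/enclave-02",
     "credential": "treasury-desk", "payload_hash": _h("tx-3"), "signature": _h("sig-3")},
]


def canonical(record):
    """Deterministic byte encoding, so every verifier hashes exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record):
    """Link: H(previous entry hash || canonical record)."""
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(record)).hexdigest()


def build_chain(records, prev_hash=GENESIS):
    """Append records to a chain that starts after prev_hash; returns the new entries."""
    entries = []
    for rec in records:
        h = entry_hash(prev_hash, rec)
        entries.append({"record": rec, "prev": prev_hash, "hash": h})
        prev_hash = h
    return entries


def anchor(entries):
    """The value that would be published externally (per batch here, per five minutes on the page)."""
    return entries[-1]["hash"] if entries else GENESIS


def verify_segment(entries, prev_hash, expected_anchor):
    """Independent recomputation by a party who holds only the records and the anchor.
    Returns (True, None) when every link holds and the head equals the anchor, otherwise
    (False, index): the first entry whose link or hash does not recompute, or len(entries)
    when the links are internally consistent but the head disagrees with the anchor."""
    for idx, entry in enumerate(entries):
        if entry["prev"] != prev_hash:                       # deletion, insertion or reordering
            return False, idx
        if entry_hash(prev_hash, entry["record"]) != entry["hash"]:   # edited record
            return False, idx
        prev_hash = entry["hash"]
    if prev_hash != expected_anchor:                         # whole chain rewritten after the fact
        return False, len(entries)
    return True, None


def tamper(entries, idx, **changes):
    """Return a copy of the chain with one record altered but its stored hashes left as they were."""
    out = copy.deepcopy(entries)
    out[idx]["record"].update(changes)
    return out


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    published = anchor(chain)
    print("untouched chain:", verify_segment(chain, GENESIS, published))
    print("edited record:  ", verify_segment(tamper(chain, 1, credential="rogue-admin"), GENESIS, published))
    print("entry deleted:  ", verify_segment(chain[:1] + chain[2:], GENESIS, published))
    rewritten = build_chain([e["record"] for e in tamper(chain, 1, credential="rogue-admin")])
    print("rewritten chain:", verify_segment(rewritten, GENESIS, published))
```

The last case is the one the anchor exists for: an insider who edits a record and then recomputes every later hash produces a chain that is internally consistent, and only the externally published head exposes it. A verifier can also check a later segment on its own by passing the head of the preceding segment as prev_hash, without re-reading the whole history.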
This level of auditability does not exist in any multi-signature wallet, HSM-based custody system, or MPC-based custody platform available today. It was designed from first principles to satisfy the requirements of institutional compliance and regulatory examination.
A Platform Built to Scale With Institutional Adoption
AERKey is not a point solution. It is a commercially structured access platform. Institutions subscribe to a plan that defines their signing throughput, the number of independent credentials they can issue to different desks, systems, or counterparties, and their audit retention period. Each credential is scoped to specific permissions and can be created, rotated, and revoked by the institution itself without any involvement from AEREDIUM. The model is self-service, auditable, and designed to scale naturally as an institution expands its use of AERKey across more of its operations.
The multi-cloud roadmap extends the sovereignty guarantee further. As AERKey expands across multiple independent cloud providers, no single provider will hold enough of the signing capability to produce a signature under any circumstance — including legal compulsion in a single jurisdiction. Coercing the system would require simultaneous action across independent providers operating under different legal frameworks. That is not a practical attack surface for any adversary, including state-sponsored ones.
The Moment Has Arrived
The evidence is now abundant and the cost is quantifiable. More than three billion dollars was stolen from institutional and exchange-grade digital asset infrastructure in the eighteen months between July 2024 and the end of the first quarter of 2025. Every single major incident traced back to the same root cause: keys existed, and keys were compromised.
Stablecoin legislation is advancing in the United States, the European Union, the United Kingdom, and Australia. Institutional capital is entering digital assets at a pace that was not imaginable three years ago. The regulatory and fiduciary expectations that govern traditional finance are following that capital in. The institutions that establish cryptographically verifiable authorization infrastructure now will define the standard for those that come after them.
The question for every institution managing digital assets is no longer whether this level of security is achievable. The evidence of what happens without it is now measured in billions of dollars and destroyed institutions. The question is how much longer they can afford to wait.
AEREDIUM Foundation — The Trust Layer
Institutional Infrastructure for the Stablecoin Economy
We build the infrastructure, not the narrative. Our technology is in active development — our website and products will be made available in due course.
𝕏 @Aeredium 🌐 aeredium.io