
Invisible Rails: The Governance Void

April 17, 2026 | 5 minutes reading time | By Astrid Yee-Sobraques

A clean counterparty no longer guarantees a clean transaction. ERM was built to assess institutional risk. It was not designed to see how the value moves.

Enterprise Risk Management (ERM) was built around the foundational concept of institutional risk – the risk of who we deal with. Credit risk, counterparty risk, and third-party risk each ask some version of the same question: Is this entity safe to transact with?

That architecture has a structural blind spot: infrastructure risk – the risk of how the value moves. In a world where financial transactions flowed through a single, observable, largely Western-controlled system, the distinction did not matter much. Know the entity, and the pathway is assumed. This no longer holds.

Financial rails have fragmented into competing, partially incompatible systems, each with different visibility, different enforcement characteristics, and different geopolitical allegiances. The money moving across those rails is itself changing: programmable, sometimes untraceable, sometimes state-surveilled, sometimes governed by code that no regulator has yet found the legal authority to control.

An organization can maintain a clean counterparty relationship while inheriting catastrophic exposure through the pathway that value travels. The Bybit hack proved this at a scale that demands a reckoning.

When the Interface Lies

In February 2025, Bybit’s treasury team initiated a routine internal transfer, moving ether (ETH) from cold storage to a warm wallet via Safe{Wallet}'s multi-signature interface. Three authorized signers reviewed the transaction through the interface and approved it. Within minutes, $1.5 billion was gone.


The attackers never touched Bybit’s systems directly. North Korea’s Lazarus Group had compromised a developer workstation at Safe{Wallet}. Malicious JavaScript injected into Safe{Wallet}’s AWS infrastructure silently altered what Bybit’s signers saw on screen, routing their approvals to attacker-controlled wallets while displaying a legitimate transaction. The code activated precisely for Bybit, functioned normally for every other user, and was removed two minutes after the theft was completed.
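The lesson of the paragraph above is that the signer must verify the payload the wallet is actually asked to sign, not the rendering the web interface shows. The following is an added example, not code from the article or from Safe{Wallet}: an out-of-band "verify what you sign" check that an independent signing terminal could run before a signer approves. The addresses, amounts, allowlist and the delegatecall heuristic are this example's own assumptions; the ERC-20 `transfer` selector is the real one.

```javascript
// Added example, not code from the article or from Safe{Wallet}: an
// out-of-band "verify what you sign" check. It compares the transaction
// fields rendered by the web interface against the raw payload the wallet
// is actually asked to sign. All addresses, amounts and the allowlist are
// constructed placeholders.

const ALLOWED_DESTINATIONS = new Set([
  "0x1111111111111111111111111111111111111111", // constructed: the warm wallet
]);

// Real 4-byte selector of ERC-20 transfer(address,uint256).
const SELECTOR_ERC20_TRANSFER = "a9059cbb";

// ABI-encode a hex value as one 32-byte (64 hex char) word.
const word = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const normHex = (h) => h.toLowerCase().replace(/^0x/, "");

// Decode calldata of an ERC-20 transfer(address,uint256); null if it is not one.
function decodeErc20Transfer(dataHex) {
  const data = normHex(dataHex);
  if (data.length !== 8 + 64 + 64 || !data.startsWith(SELECTOR_ERC20_TRANSFER)) return null;
  return {
    recipient: "0x" + data.slice(8 + 24, 8 + 64), // low 20 bytes of the first word
    amount: BigInt("0x" + data.slice(8 + 64)),
  };
}

// Compare the displayed transaction with the raw payload. Returns a list of
// findings; an empty list means interface and payload agree and the funds
// land on an allowlisted destination.
function verifySafeTx(displayed, raw) {
  const findings = [];
  if (normHex(displayed.to) !== normHex(raw.to)) {
    findings.push(`recipient mismatch: UI ${displayed.to}, payload ${raw.to}`);
  }
  if (BigInt(displayed.value) !== BigInt(raw.value)) {
    findings.push(`value mismatch: UI ${displayed.value}, payload ${raw.value}`);
  }
  if (normHex(displayed.data) !== normHex(raw.data)) {
    findings.push("calldata mismatch: payload calls something the UI did not show");
  }
  if (displayed.operation !== raw.operation) {
    findings.push(`operation mismatch: UI ${displayed.operation}, payload ${raw.operation}`);
  }
  // In Safe, operation 1 is a delegatecall: the target's code runs with the
  // Safe's own storage and balance. A routine transfer never needs it.
  if (raw.operation === 1) {
    findings.push("operation=1 (delegatecall) in a payload presented as a plain transfer");
  }
  // Funds end up at the ERC-20 recipient for a token transfer, otherwise at `to`.
  const xfer = decodeErc20Transfer(raw.data);
  const destination = xfer ? xfer.recipient : raw.to;
  if (!ALLOWED_DESTINATIONS.has(destination.toLowerCase())) {
    findings.push(`destination ${destination} is not on the allowlist`);
  }
  return findings;
}

// Constructed sample: what the UI rendered for a 1 ETH cold-to-warm transfer.
const DISPLAYED = {
  to: "0x1111111111111111111111111111111111111111",
  value: "1000000000000000000",
  data: "0x",
  operation: 0,
};
// Constructed: an honest payload, identical to the display.
const RAW_HONEST = { ...DISPLAYED };
// Constructed: a tampered payload that keeps value and data but swaps the
// target and turns the call into a delegatecall.
const RAW_TAMPERED = {
  ...DISPLAYED,
  to: "0x2222222222222222222222222222222222222222",
  operation: 1,
};
// Constructed ERC-20 transfer calldata: 1e18 token units to the warm wallet.
const SAMPLE_TOKEN_DATA =
  "0x" + SELECTOR_ERC20_TRANSFER +
  word("0x1111111111111111111111111111111111111111") +
  word((10n ** 18n).toString(16));

console.log(verifySafeTx(DISPLAYED, RAW_HONEST));   // []
console.log(verifySafeTx(DISPLAYED, RAW_TAMPERED)); // four findings
```

The check is only as good as its independence: it must run from the raw payload delivered to the signing device, on a machine that does not load the interface's JavaScript, otherwise the same injection could alter both views.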

This was a supply chain injection – a geopolitical operation that entered through operational infrastructure. Within days, Lazarus converted the stolen ETH to bitcoin (BTC) through decentralized exchanges, cross-chain bridges, and cryptocurrency mixers. The reach of the U.S. Office of Foreign Assets Control (OFAC), already jurisdictionally constrained by Bybit’s Dubai domicile, had no technological hold on infrastructure built to operate beyond it.

Which risk vertical owned this incident? Not cyber alone; it was a supply-chain compromise of a third-party interface. Not sanctions alone; the laundering was beyond OFAC’s reach. Not operational risk alone; the failure cascaded across transaction security and regulatory reporting simultaneously. Not geopolitical risk alone – though the Democratic People’s Republic of Korea’s (DPRK) intelligence apparatus designed and executed the attack to fund its weapons programs.

That fragmentation of ownership is a structural flaw in how ERM is designed – built for institutional risk in a world that now demands infrastructure risk governance.

Vector One: The Geopolitical Substrate

Bybit did not have a North Korean counterparty relationship. It had a dependency on Safe{Wallet}, whose developer was socially engineered through a fabricated job interview on LinkedIn. The geopolitical risk entered at the third level of the supply chain.

This is the defining characteristic of the geopolitical vector: Infrastructure fragmentation has created enforcement gaps that can be exploited faster than legal jurisdiction can respond.

Vector Two: Rail Fragmentation and Compliance Architecture Failure

When Western governments disconnected major Russian banks from SWIFT in February 2022, the policy achieved its immediate objective of disrupting Russia’s access to dollar-denominated transactions. It simultaneously demonstrated that alternative infrastructure was already operational and absorbing volume. China’s Cross-Border Interbank Payment System (CIPS) and Russia’s System for Transfer of Financial Messages (SPFS) processed yuan and ruble transactions without flowing through Western banks.

Organizations with Russian counterparties – suppliers, customers, joint ventures – found that their sanctions-screening tools had structural blind spots. When transactions migrated outside the compliance perimeter, screening ceased to apply.

In a fragmented rail environment, total risk visibility is no longer achievable. The compliance perimeter and the financial perimeter are no longer the same boundary.

Vector Three: Programmable Money and the Governance Void

In August 2022, OFAC sanctioned Tornado Cash, a cryptocurrency mixer that had processed over $7 billion in transactions, including funds stolen by Lazarus Group. It was the first time OFAC had targeted an on-chain decentralized protocol rather than a legal entity.

Traditional sanctions are designed to target a legal person whose assets can be frozen, whose operators can be prosecuted. Tornado Cash is code. Autonomous, immutable code that executes on a decentralized network with no owner, no operator, and no mechanism by which a court order can alter its function. This is the governance void, a category of financial infrastructure where risk exists at scale, but the instruments designed to govern it do not apply.

In March 2025, following a federal appellate court ruling that immutable smart contracts cannot be classified as “property” under existing sanctions law, OFAC delisted Tornado Cash entirely.

The governance void extends well beyond Tornado Cash. Central bank digital currencies (CBDCs) introduce programmable restrictions: China’s digital yuan can be programmed to expire, to be geographically restricted, or to block categories of merchants, with every transaction visible to the issuing government in real time. Stablecoins carry de-pegging and concentration exposure that treasury frameworks do not capture. Privacy coins render anti-money laundering (AML) compliance structurally inapplicable by design.

Multi-Rail Exposure Framework

Mapping the pathway, not just the counterparty, requires a new analytical lens. A Multi-Rail Exposure Framework provides that lens across three dimensions:

-- Rail Visibility assesses whether an organization can monitor transactions in real time, whether sanctions screening applies, and whether AML frameworks have jurisdictional coverage. SWIFT-based transactions score high; CIPS or SPFS score low. Stablecoin transactions on public blockchains score moderate – observable but outside traditional screening. Privacy coin transactions score zero.

-- Rail Programmability assesses the behavioral characteristics of the payment instrument. Does the money have embedded restrictions? Can it be frozen, redirected, or made to expire by a third party (including a government)? CBDCs score high on programmability and surveillance exposure. Immutable smart contracts occupy the governance void: visible on-chain, but ungovernable through existing legal instruments.

-- Geopolitical Embedding assesses the degree to which the rail’s operation is controlled by, or susceptible to, state-level actors – both the governing authority of the payment instrument and the infrastructure dependencies in the transaction pathway. A vendor paid through CIPS carries a different geopolitical embedding profile than a vendor paid through SWIFT, even when the underlying commercial relationship appears identical.

What Boards and CROs Must Ask

Three questions operationalize the transition from institutional risk governance to infrastructure risk governance:

Which payment rails do critical counterparties and dependencies operate on? The first step is mapping. Which vendors, suppliers, and counterparties transact on non-SWIFT infrastructure? Which use stablecoins, CBDCs, or digital assets for any portion of treasury operations?

Where does the compliance perimeter end, and what lies beyond it? Boards need an explicit map of where compliance coverage applies and where the governance void begins.

Have organizations quantified integrated exposure for a payment rail disruption or exploitation scenario?
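The three dimensions of the Multi-Rail Exposure Framework and the three board questions above can be applied to a counterparty ledger mechanically once rails are mapped. The following is an added example, not code from the article: a toy implementation over a constructed ledger. The numeric scores are this example's own assumptions mapped from the article's qualitative ratings (high, moderate, low, zero), the `screened` flag is an assumption about which rails sit inside the sanctions-screening perimeter, and the exposure index formula is a modelling choice of this example, not a published scale.

```javascript
// Added example, not from the article: a toy implementation of the
// Multi-Rail Exposure Framework applied to a constructed counterparty ledger.
// Scores are this example's assumptions, mapped from the article's qualitative
// ratings; `screened` marks rails assumed to be inside the screening perimeter.

const RAIL_PROFILES = {
  SWIFT:        { visibility: 1.0, programmability: 0.0, embedding: 0.2, screened: true },
  CIPS:         { visibility: 0.2, programmability: 0.0, embedding: 0.9, screened: false },
  SPFS:         { visibility: 0.2, programmability: 0.0, embedding: 0.9, screened: false },
  STABLECOIN:   { visibility: 0.5, programmability: 0.5, embedding: 0.4, screened: false },
  CBDC:         { visibility: 0.3, programmability: 1.0, embedding: 1.0, screened: false },
  PRIVACY_COIN: { visibility: 0.0, programmability: 0.0, embedding: 0.3, screened: false },
};

// Constructed ledger: annual value moved to each counterparty and the rail it uses.
const LEDGER = [
  { name: "Vendor A", rail: "SWIFT",      annualFlow: 5000000, critical: true },
  { name: "Vendor B", rail: "CIPS",       annualFlow: 2000000, critical: true },
  { name: "Vendor C", rail: "STABLECOIN", annualFlow: 1000000, critical: false },
  { name: "Vendor D", rail: "SWIFT",      annualFlow: 3000000, critical: false },
  { name: "Vendor E", rail: "SPFS",       annualFlow:  500000, critical: true },
];

// Question 1: which rails do counterparties operate on? Group flow by rail.
function flowByRail(ledger) {
  const out = {};
  for (const c of ledger) out[c.rail] = (out[c.rail] || 0) + c.annualFlow;
  return out;
}

// Question 2: where does the compliance perimeter end? Split flow by whether
// the rail is inside the screening perimeter.
function compliancePerimeter(ledger) {
  let inside = 0;
  let beyond = 0;
  for (const c of ledger) {
    if (RAIL_PROFILES[c.rail].screened) inside += c.annualFlow;
    else beyond += c.annualFlow;
  }
  return { inside, beyond, shareBeyond: beyond / (inside + beyond) };
}

// Infrastructure exposure index: flow weighted by the average of opacity
// (1 - visibility), programmability and geopolitical embedding.
// A modelling choice of this example, not a published formula.
function exposureIndex(counterparty) {
  const p = RAIL_PROFILES[counterparty.rail];
  const factor = ((1 - p.visibility) + p.programmability + p.embedding) / 3;
  return counterparty.annualFlow * factor;
}

// Rank counterparties by infrastructure exposure, highest first.
function rankByExposure(ledger) {
  return ledger
    .map((c) => ({ name: c.name, rail: c.rail, exposure: exposureIndex(c) }))
    .sort((a, b) => b.exposure - a.exposure);
}

// Question 3: integrated exposure if one rail is disrupted or exploited:
// value that can no longer move, and which critical relationships it touches.
function railDisruptionScenario(ledger, rail) {
  const hit = ledger.filter((c) => c.rail === rail);
  return {
    rail,
    valueAtRisk: hit.reduce((s, c) => s + c.annualFlow, 0),
    criticalCounterparties: hit.filter((c) => c.critical).map((c) => c.name),
  };
}

console.log(flowByRail(LEDGER));
console.log(compliancePerimeter(LEDGER));
console.log(rankByExposure(LEDGER));
console.log(railDisruptionScenario(LEDGER, "CIPS"));
```

On this constructed ledger the two SWIFT vendors carry most of the value, yet the top-ranked exposure is the CIPS vendor: a counterparty that looks identical on a credit file moves to the top once the pathway, not just the entity, is scored.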

Parting Thoughts

The rails through which value moves are now geopolitically determined in ways they were not a decade ago. That makes geopolitical events an increasingly frequent origination point for cascades that propagate across cyber, operational, compliance, and liquidity domains simultaneously.

The infrastructure has changed. Risk frameworks have not yet followed.


Astrid Yee-Sobraques, FRM, CISSP is a senior risk executive in Enterprise Risk Management, Operational Resilience and Cybersecurity. Over 25 years at GE Capital, AIG, Citibank, and PwC, she specializes in “risk connectivity” – integrating people, processes, and data to strengthen how organizations anticipate, manage, and respond to cascading financial, operational, and compliance risks. Her current work examines how geopolitical, cyber, and financial disruptions converge into systemic risk cascades – and how governance frameworks must evolve to meet them. Astrid serves on GARP’s New York Chapter Advisory Committee. She can be reached at Astrid@therisksherpa.com.

Topics: Enterprise, Geopolitical, Cybersecurity
