
Albert Dadon has built across three worlds that rarely overlap: three decades in technology, twenty-six years leading a Melbourne property developer, and an international career as the jazz guitarist Albare . He now runs AEREDIUM , a privacy-preserving Layer 1 he calls "the Trust Layer", settlement infrastructure designed so that neutrality is a property of the construction rather than a promise of the operator. We spoke about why he thinks the industry keeps trying to govern its way to neutrality, what threshold cryptography actually buys an institution, and where his own argument is weakest. \ Ishan Pandey: Hi Albert, it's a pleasure to welcome you to our "Behind the Startup" series. You have built across three rarely overlapping worlds: three decades in technology, a career as a real estate developer, and an international life in music as the jazz guitarist Albare. Please tell us about yourself, and what inspired you to build AEREDIUM ? \ Albert Dadon: I've had the good fortune of three careers that look unrelated and aren't. I've spent three decades in technology, twenty-six years leading UBERTAS Group, a property development company in Melbourne, and a parallel life on stage as the jazz guitarist Albare. The thread connecting them is structure: buildings, compositions, and distributed systems all fail the same way, at the joints, under stress you didn't design for. AEREDIUM came from watching the 2022 SWIFT disconnection with the specific discomfort of someone who builds things. The industry treated it as a political story. I saw an engineering story: a system whose neutrality rested on an assumption its architecture couldn't enforce. Everyone had a vote; one jurisdiction had the switch. \ I started AEREDIUM to build settlement infrastructure where neutrality is a property of the construction, not a promise of the operator, a privacy-preserving Layer 1 for institutional settlement, which we call the Trust Layer. The name is deliberate. The product isn't throughput or tokens; it's the ability to rely on the rails without having to trust whoever happens to be managing them. \ \ \ Ishan Pandey: You hold the full picture across consensus, cryptography, execution, and corporate strategy, and you still work hands-on with the engineering team. How did a path that runs through enterprise technology, property development, and musical composition shape the way you actually design a system, and what does each of those disciplines contribute that a pure cryptography background might miss? \ Albert Dadon: Property development teaches you that capital has a clock and physics doesn't negotiate. You learn to sequence: foundation before facade, no matter what the marketing schedule wants. That observation made AEREDIUM foundation-first, we built the signing infrastructure, the attestation chain, and the consensus engine before we built anything an investor could screenshot. Music contributes something people underestimate: a jazz ensemble is a Byzantine consensus system. Musicians reach agreement in real time, without a conductor, tolerating each other's failures, because the structure, the form, the changes, is strong enough that improvisation can't break it. \ That's exactly the design goal of a good protocol: freedom at the edges, invariants at the core. And enterprise technology teaches the discipline pure cryptography can miss. Cryptography proves what's mathematically true, but institutions buy what's operationally true. A perfect protocol run by an operator who can be subpoenaed is not a neutral system. So I work hands-on with the engineering team, reviewing the actual pull requests, because in this business the architecture lives in the details, the seams and the seams are where I've watched everything fail, in buildings and in code. \ Ishan Pandey: Your central argument is that the 2022 SWIFT disconnection exposed an architectural problem the industry keeps trying to fix with governance, and you draw a sharp line between who has a vote and who can change the rules. Can you unpack why SWIFT's democratic board counted for so little once a Belgian cooperative met EU sanctions law, and why you concluded that credible neutrality is an engineering property rather than a governance one? \ Albert Dadon: SWIFT's board counted for so little because votes govern intent and architecture governs capability. The cooperative's members could vote on anything they liked; the system's rules were changeable by whoever held legal authority over the machines and the people operating them, and those sat in one jurisdiction. When EU sanctions law spoke, the democratic structure wasn't overruled, it was simply irrelevant, because it never had custody of the enforcement mechanism. That's the sharp line I draw: who has a vote versus who can change the rules. \ In every governance-based system those are different people, and the second group is small and geographically concentrated. The conclusion is that credible neutrality can't be voted into existence, it has to be constructed, so that no party, including us, the builders, retains the capability to override it. AEREDIUM does this by pushing enforcement into measured hardware and threshold cryptography. \ \ \ The rules run inside trusted execution environments whose exact code is cryptographically attested. The signing authority that acts on those rules exists only as distributed key shares that never assemble anywhere. And changing operational rules requires threshold-signed authorization that the hardware independently verifies. There is no boardroom, no operator terminal, no jurisdiction where a rule change can be imposed unilaterally, because the system was built without that room in it. Neutrality stops being a policy and becomes a physical property of the deployment. The reporting behind this: SWIFT is incorporated in Belgium and must comply with EU regulation. In 2022 it disconnected seven designated Russian entities on 12 March under EU Council Regulation 2022/345, adding more (including Sberbank) that June, a network serving 11,000+ institutions across 200+ countries, reconfigured in days by one jurisdiction's law. Dadon's "vote vs. switch" line is, in the literal record, what happened. \ The false binary: total privacy vs. full surveillance Ishan Pandey: What is the biggest misconception institutions and the wider crypto community hold about privacy and neutrality on public infrastructure and how does AEREDIUM's design challenge that assumption rather than restate it? \ Albert Dadon: The deepest misconception, held by institutions and crypto natives alike from opposite directions, is that privacy and accountability are a trade-off you tune with a slider. Institutions hear "privacy" and think regulatory exposure; crypto hears "compliance" and thinks backdoor. Both assume the same broken model: that visibility is a single dial, and someone has their hand on it. The related misconception is that neutrality comes from decentralization theater — that enough validators make a system neutral. Validator count is a liveness property; it says nothing about who can compel the system's behavior. AEREDIUM challenges the frame rather than restating it. \ Confidentiality and accountability aren't opposites. They're different questions, who can see, versus who can verify and architecture can answer them separately. On our rails, transaction contents are confidential by default, while the correctness of every operation is verifiable by anyone through attestation and signed evidence. Disclosure, when it happens, is structured: specific information, to specific authorized parties, under authorization the hardware itself verifies — never a master key, never an operator's discretion. The design goal is that an institution's competitor can verify the system is honest without reading the institution's book, and an authority with genuine legal process can obtain what that process entitles it to, and not one byte more. \ \ Ishan Pandey: You call the choice between total privacy and full surveillance a false binary: the mixer model failed because to law enforcement it looked like a laundering tool, while full transparency is unworkable for any institution whose competitor could read its book. AEREDIUM's answer is structured selective disclosure, with AERKey described as a key nobody holds. Concretely, who can compel disclosure, under what authority, and how do you prevent that disclosure mechanism from becoming the precise point of leverage a sovereign could later seize? \ Albert Dadon: The phrase "a key nobody holds" is literal. AERKey implements threshold ECDSA using the CGGMP24 protocol inside hardware enclaves. The signing key exists only as separate shares inside separate attested machines, distributed across jurisdictions, and it is never assembled, not during generation, not during signing, not ever. Signatures are produced by a cryptographic conversation among the shares. So to your question about leverage: the disclosure mechanism can't become a seizure point, because there is no point. Compel one operator and you get nothing, their share is useless alone and sealed in hardware that only acts on validly authorized requests. \ \ Seize one machine, same result. Coerce us, the company, same result: we built ourselves out of the ability to comply unilaterally, which is precisely the credential institutions should demand. Disclosure happens only when a request satisfies a policy the enclaves independently verify, valid authorization, correct scope, threshold agreement across parties who do not share a jurisdiction and what is disclosed is scoped to that request. Legitimate legal process, properly presented to the threshold, works. A single sovereign leaning on a single company or datacenter does not. We didn't make disclosure impossible; we made unilateral disclosure impossible, and that distinction is the entire architecture. \ CGGMP24 is a peer-reviewed, state-of-the-art threshold ECDSA protocol (Canetti–Gennaro–Goldfeder–Makriyannis–Peled) in which a signing key is split into shares held by separate parties and never reconstructed , even at signing time. Dadon's "a key nobody holds" is an accurate description of what threshold signing does; whether AEREDIUM's specific enclave deployment performs as described is a claim readers should treat as the company's, pending independent audit. \ Every seam is a trust assumption \ Ishan Pandey: Your threat model is that attackers have moved off in-chain logic and onto the seams between systems: bridge verifiers, oracle networks, signer multisigs, and admin keys, with the roughly 290 million dollar KelpDAO exploit as the example, where a single trusted verifier was the weak link. AEREDIUM answers with AERLink calling bank rails in-band with no separate oracle layer, and the Trans Layer for bridgeless cross-chain. Walk us through how an in-band call removes the seam rather than relocating it, and why that is structurally safer than a conventional oracle network. \ Albert Dadon: A bridge or oracle is a second system whose job is to make claims about a first system, and its honesty is a fresh assumption stacked on top of everything else. That's the seam. The KelpDAO exploit is the canonical case: the contracts were fine; a single trusted verifier, one set of keys in the claims-making layer, was the entire security of nine figures. Note what the attacker did: they didn't break the chain, they broke the thing vouching to the chain. Conventional answers add more vouchers, bigger verifier sets, more multisigs which relocates the seam and dilutes it, but a diluted seam is still a seam: a separate key set, separately operated, separately corruptible. An in-band call removes the category. With AERLink, the interaction with external rails executes inside the same attested environment that runs settlement itself, the verification is part of consensus, not testimony delivered to consensus. \ There's no independent attester whose compromise forges a message, because there is no independent attester. Forging the claim requires breaking the measured enclave code and the threshold signature simultaneously, which is the same security bar as forging the chain itself. Our cross-chain settlement follows the same principle: the receiving side verifies attested evidence of the source event directly, rather than trusting a committee that watched it. The structural rule is simple: every seam is a trust assumption, and trust assumptions are where the money is lost. We spent our engineering budget deleting them rather than decorating them. \ The reporting behind this: on 18 April 2026, attackers drained ~$290M (116,500 rsETH) from KelpDAO's LayerZero-powered bridge by exploiting a single 1-of-1 verifier configuration — the smart contracts executed exactly as written. Security firms attributed it to North Korea's Lazarus Group; it followed the ~$285M Drift Protocol attack on 1 April, and an estimated $13B was pulled from DeFi within 48 hours. It is the cleanest recent illustration of Dadon's point: the failure was at the seam, not in the code. \ \ The post-SWIFT settlement race \ Ishan Pandey: The vacuum SWIFT left is being chased from many directions at once: China's CIPS, cross-border stablecoin corridors, CBDC settlement, and institutional networks such as Canton and Fnality. As an EVM-compatible Layer 1 quoting 250,000 transactions per second, what is the real wedge that moves a conservative institution from a pilot to live settlement value, and what is the defensible core that a well-funded competitor cannot simply copy from your documentation? \ Albert Dadon: Let me be honest about the 250,000 transactions per second first: it's a measured number, and it matters only as an objection remover. No conservative institution moves settlement because of a benchmark. What moves an institution from pilot to live value is surviving its risk committee, and pilots die in risk committees for one reason: the institution cannot independently verify what the infrastructure did. Our wedge is evidence. Every operation on AEREDIUM produces attested, offline-verifiable proof, signed acknowledgments from measured hardware, attestation chains a bank's own auditors can check without trusting us and operational rule changes are themselves threshold-authorized and attested. That maps directly onto how institutions already think: audit trails, segregation of duties, no single point of override. We're converting "trust the vendor" into "verify the mathematics," which is the only conversion that survives committee. On defensibility: a well-funded competitor can read our documentation, and I hold four patents covering the core mechanisms, but neither is the real moat. The moat is that this class of system is proven at the seams, and seams only harden through operational scar tissue, years of key generation ceremonies, failure drills, and edge cases across live clusters that no document captures. You can copy an architecture diagram in an afternoon. You cannot copy having already made the mistakes. The reporting behind this: the "many directions" are real and already sizable. The Canton Network, a privacy-preserving institutional L1 with selective disclosure at the transaction level, reports $6T+ in tokenized real-world assets and 600+ participating institutions (including DTCC, JPMorgan, Goldman Sachs and Visa) as of early 2026; China's CIPS counted well over a thousand direct and indirect participants; Fnality runs a bank-consortium settlement system. AEREDIUM's own figures, 250,000 TPS, four patents, testnet status, are the company's; we present them as stated, not verified. \ \ \ Pacing capital when you can't fake readiness \ Ishan Pandey: Finally, deep institution al infrastructure is unusual in that it cannot fake readiness: the cryptography either holds or it does not. What has that constraint taught you about pacing capital and resisting the temptation to over-claim that so much of the market indulges, and what is the honest risk that the institutions who most need neutral rails are the slowest to adopt them? \ Albert Dadon: Infrastructure like this is refreshingly tyrannical: the key generation completes or it doesn't, the attestation verifies or it doesn't, the benchmark is a number your hardware produced or it's fiction. That constraint has enforced a discipline I'd frankly recommend to the whole market: we publish what we've measured, we say "testnet" when we mean testnet and we are on testnet today and we sequence capital against milestones the technology can actually certify, not milestones a deck can assert. Property development trained me for this; you cannot market a building into structural integrity, and the certifier doesn't read your brochure. The honest risk is exactly the one you name, and I won't dress it up: the institutions that most need neutral rails are constitutionally the slowest to adopt them. \ Their procurement cycles are measured in years, their risk committees are paid to say no, and the very conservatism that makes them need credible neutrality makes them last to buy it. Our answer is to pace for that reality rather than pretend it away, patient capital structure, revenue that doesn't depend on the slowest adopter moving first, and infrastructure that is simply ready when they arrive. Because they will arrive. The uncomfortable truth about this market is that adoption of neutral infrastructure tends to follow the crisis that proves its necessity, and 2022 taught us those crises are no longer hypothetical. I'd rather be early and measured than punctual and improvised. \ Don't forget to like and share the story! :::tip Vested Interest Disclosure: HackerNoon has reviewed the report for quality, but the claims herein belong to the author. #DYOR. ::: \
View original source — Hacker Noon ↗



