Hacker News | mh0pe's comments

Fun fact, ping 0 works because 0 is the IP decimal notation of 0.0.0.0. One of my favorite age-old WAF bypasses since it doesn't match octet notation regexes that are often in place.
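An added example, not part of the comment above: a filter that canonicalizes numeric host literals before checking them, so that `0` and `0.0.0.0` are treated as the same address. It generalizes to the 1- to 4-part forms that `inet_aton` accepts; the regex, the blocked ranges and all function names are assumptions made for this sketch.

```python
import ipaddress
import re

# Dotted-quad pattern of the kind the comment says filters often rely on (constructed).
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Ranges a filter might want to refuse (constructed policy for this example).
BLOCKED = [ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def parse_part(text):
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]*", text):
        return int(text, 8)
    if re.fullmatch(r"[1-9][0-9]*", text):
        return int(text, 10)
    raise ValueError(f"not a numeric address part: {text!r}")

def canonical_ipv4(host):
    """Resolve a 1- to 4-part numeric literal to the address inet_aton would yield."""
    parts = host.split(".")
    if len(parts) > 4:
        raise ValueError("too many parts")
    *head, tail = [parse_part(p) for p in parts]
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 0xFF for n in head) or tail >= 1 << (8 * (4 - len(head))):
        raise ValueError("part out of range")
    value = tail
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def regex_flags(host):
    """What a dotted-quad-only filter concludes: is this string an IP literal?"""
    return bool(DOTTED_QUAD.match(host))

def is_blocked(host):
    """Canonicalize first, then compare against the blocked ranges."""
    try:
        addr = canonical_ipv4(host)
    except ValueError:
        return False  # not a numeric literal; hostnames need a check after resolution
    return any(addr in net for net in BLOCKED)

if __name__ == "__main__":
    for sample in ["0.0.0.0", "0", "example.com"]:  # constructed inputs
        print(f"{sample!r}: regex={regex_flags(sample)} blocked={is_blocked(sample)}")
```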


Screenreaders pronounce it "line".


It looks like you still have this kind of capability. You might need to adjust settings and supply KYC info as requirements change. From the Fraud Guard docs, "You can mark known phone numbers using the Safe List feature so they are never blocked."


Moving from cold to hot wallets in an environment with regulatory requirements, redundancy, multiple partial keyholders, and offsite storage could easily take days to weeks and require scheduling access to the physical vault holding the cold storage. You're conflating hot and warm storage - warm can replenish hot but cold requires physical access to somewhere ideally unrelated to where day-to-day operations run.


I work in conjunction with this segment of the industry. You can do it, but don't be surprised when you can't recover anything in a termination suit.


I would absolutely use this if it existed.


As a member of the Security community, it's disappointing to hear that this is the perception on the table, because our community can and should do much better than that. In my experience and goals, the best Info/AppSec/SecEng teams put people before processes, build guardrails instead of walls, and demonstrate first hand what they want to see engineering teams doing. If you're open to it, I'd like to offer perspective on why some of the perceptively dumb things that sec teams do, do.

Those automated tools are better than ever. Manual code reviews are very important, but automated tools at this point can stand in for "over the fence" pre-production code reviews, as long as periodic reviews occur. In particularly sensitive contexts, especially finance, code is always signed off on by security before release when it can have impact on anything important. It's all about risk management.

Additionally, the cloud and SaaS are nothing like they were a decade ago. Security is now more focused on compliance due to the nature of building software today. You used to maybe provision a handful of nodes on EC2, use an autoscaling group if you were super fancy, and probably integrate into a handful of third-party APIs. Every business is different, but that was the core of running a workload. Now, I can delegate specific responsibilities to third parties and reduce both people and operating costs. But with that comes massive risk since you just transferred an internal business function to a third party you have no control over. The most common approach to that risk is through process: vendor reviews, compliance and cloud posture security management.

And then there's DevOps who ends up being ad-hoc security way too often with no relevant background (or interest).

All that to say, good, compassionate security teams do exist.


Great comment, accurate representation of the situation.


In their defense, they kind of crush the competition. https://www.integromat.com/en/help/integromat-comparison-to-...


I've been referring to it as "make.com" and it's worked well for me so far.


This looks to be an activist project focused on shutting out Airbnb, check out the about page.

