T.J. Connolly is a Principal Engineer at Fireblocks and a cybersecurity specialist with a focus on digital asset infrastructure, crypto wallet operations, and multi-party computation (MPC). Residing in Washington, D.C., he has built a career on a foundation of application security, reverse engineering, and penetration testing. [1]
Connolly graduated from Bryant University in 2011 with a Bachelor of Science degree, having pursued a dual concentration in Computer Science and Business Administration. [2]
Connolly began his career in 2008 as a part-time Help Desk Technician at Bryant University, providing technical support to students while completing his studies. In 2010, he joined Fidelity Investments as a Technical Intern in the Unix High Availability Engineering team, where he installed, configured, and tested clustering software across Red Hat Linux, Solaris, and AIX systems.
In 2011, Connolly joined Booz Allen Hamilton as a Senior Consultant, supporting Department of Defense and commercial clients. His responsibilities included penetration testing of applications and network infrastructure, conducting secure code reviews, developing automation scripts for system hardening, and performing intrusion analysis and network forensics. He moved to Veracode in 2012 as a Senior Application Security Consultant, where he conducted black-, grey-, and white-box penetration testing across a range of software environments and contributed to developing the company’s penetration testing practice.
From 2014 to 2016, Connolly worked at Independent Security Evaluators as a Principal Security Consultant. In this role, he performed security assessments of enterprise technologies, focusing on cryptographic vulnerabilities in digital rights management systems, using reverse engineering, debugging, proof-of-concept exploit development, and code review. He then joined FireEye in 2016 as a Consulting Systems Engineer, where he supported cybersecurity initiatives and assisted organizations with threat detection and incident response.
In 2020, Connolly became Director of Sales Engineering at AffirmLogic, serving as the company’s first sales engineering hire. He supported efforts to commercialize automated reverse-engineering technology before the company ceased operations due to funding and product challenges. In 2021, he joined Contrast Security as a Solutions Architect, focusing on security technologies for application protection. Since December 2021, Connolly has served as a Principal Engineer at Fireblocks, where he continues to work in digital asset infrastructure and security. [5]
In August 2022, Connolly spoke with Chase Devens of Messari about multi-party computation (MPC) ahead of a panel at Mainnet 2022. Connolly discussed his background in cybersecurity, application security, and penetration testing, and described his transition into blockchain and decentralized finance, noting his interest in the sector grew during “DeFi summer.” He explained MPC as a method for multiple parties to jointly compute functions while keeping inputs private, reducing reliance on centralized trust, and highlighted practical use cases such as auctions, electronic voting, and privacy-preserving computations. Connolly compared MPC to multi-signature technology, emphasizing MPC’s advantages for secure key management, and discussed Fireblocks’ role in advancing the technology, including open-sourcing their MPC CMP algorithm. He also explored future applications in governance and decentralized applications, while noting that MPC is not a complete solution and requires ongoing improvements to address emerging vulnerabilities. [4]
In March 2025, Connolly presented at ETHDenver on red-teaming practices for crypto wallet operations, focusing on lessons from recent security incidents involving Bit and Radiant Capital. He outlined the evolving threat landscape, noting that human error remains a primary vulnerability and that attacks often involve phishing and social engineering, including activity linked to nation-state actors. Connolly explained that wallet operations face distinct risks compared to traditional systems and emphasized the need for multi-party approval processes for sensitive transactions. He described red teaming as a method for simulating real attack scenarios to identify operational weaknesses beyond standard compliance checks. The presentation included case studies of recent breaches, highlighting failures in separating transaction approval and signing workflows. Connolly proposed mitigation measures, including diversifying signing systems, addressing signing fatigue, strengthening the cryptographic link between approval and execution, and improving detection and response capabilities. He concluded by outlining a structured red-teaming framework to help organizations prioritize risks, enforce operational controls, and maintain a proactive security posture. [6]
In March 2024, Connolly delivered a presentation at ETHDenver focused on non-custodial wallet providers and the varying security models behind the term “non-custodial.” He outlined key considerations for Web3 businesses and decentralized applications when selecting wallet solutions, including whether to support user-owned wallets, custodial options, or embedded non-custodial wallets. Connolly reviewed the current wallet landscape, discussing hardware wallets, browser extensions, widgets, and white-label SDKs, and noted the growing demand for more user-friendly embedded solutions. He examined trust assumptions that businesses inherit when integrating third-party wallets, such as potential backdoors or transaction manipulation, and highlighted real-world security failures involving compromised cryptographic libraries, fake wallet listings, and weak key management practices. The presentation also covered different wallet architectures, emphasizing multi-party computation as an alternative to single-key models while cautioning that MPC requires careful implementation to avoid new risks. Connolly concluded by stressing the importance of ongoing security evaluation, collaboration with security specialists, and maintaining a user-centered approach to trust and protection. [7]