A dizzying lack of transparency as the crypto exchange is hacked and $150m in customer funds goes missing
Back in April of 2020, Cointelegraph took a close look at the KuCoin cryptocurrency exchange. Investigating the apparent lock of the primary domain name, which was a result of a legal case under the jurisdiction of the High Court of Singapore, we concluded that:
In the absence of clarity from any of the individuals mentioned in this article, or from the company itself, users of the KuCoin cryptocurrency exchange will likely want answers on whether they are sending their money to Singapore, the Seychelles, China — or anywhere else in the world.
Now $150 million is missing from KuCoin in what has been described by the exchange as a “security incident”, and while the directors of the exchange refused to answer our questions five months ago (and implied that our accurately-sourced reporting was untrue), perhaps their customers will hold them to account this time.
Lack of clarity
In March 2020 KuCoin was facing the possibility of a class action lawsuit focused on potentially “false and/or misleading statements to account holders”. In another suit, Chase Williams v. KuCoin, filed in the Southern District of New York, the exchange was alleged to have engaged in an unlicensed securities offering. In addition to KuCoin, the latter suit named three individuals connected with KuCoin: Michael Gan, Johnny Lyu, and Eric Don.
A few days before these legal woes began to surface, KuCoin announced a corporate restructuring which included reassigning the company’s trademark from one Seychelles-registered entity to another, and appointing a new director whose affiliation with the exchange had previously been unclear.
If the opacity of the ownership is concerning, there’s another perennial question that raises flags in virulent shades of crimson. Where is KuCoin, anyway? Chase Williams suggests that it began as a Seychelles business with headquarters in Hong Kong, before moving to Singapore, and that the three named directors in its suit are believed to reside there. But like many cryptocurrency exchanges, the actual location of its office (if it has one) and staff is unclear.
Missing funds, knowledge gaps
There’s an old maxim in cryptocurrency. Or at least, as old as the industry itself. “Not your keys, not your coins.” It simply means that when your funds are held by a third party, you don’t control them.
Despite countless warnings about the perils of leaving funds on exchanges, crypto traders continue to trust that the security of exchanges (and the integrity of their staff) is sufficient to prevent the loss of their tokens. Despite countless warnings, they are wrong.
Whether it be a hack, a social engineering attack, or a plain old-fashioned exit scam, the allure of free money is too hard for criminals to resist. The bank robber Willie Sutton concisely (if apocryphally) explained “I rob banks, because that’s where the money is.” And exchanges will continue to represent an attractive target so long as crypto holders continue to leave their money lying around in hot wallets.
Johnny Lyu of KuCoin has insisted that customers should “Please rest assured that if any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund.” And as the misappropriated funds begin to move to other exchanges, evidence is beginning to appear that all may not be lost. Paolo Ardoino of Bitfinex noted via a tweet that his exchange has frozen $13 million in USDT for instance, and this type of inter-exchange collaboration may help to deter thieves in the future.
Of course, I’m hoping that KuCoin has the resources in its insurance fund to cover losses of this magnitude. Johnny Lyu seems to think so: “Yes, it’s enough. Starting from early 2018, we have established the insurance fund to deal with unexpected security issues such as this.” Perhaps the exchange will publish a wallet address to prove that such a fund exists, and that it will pay out against all valid claims. Then again, the principals couldn’t be clear with us on such basics as their location, their corporate structure, the legal status of their domain name — so maybe this level of transparency would be a stretch.
But there’s a simple fix that almost anyone can perform, a fix that ensures your funds cannot be stolen in an exchange hack. It’s a fix so easy, so obvious, that the owners of around $150 million of cryptocurrency are right now kicking themselves for not performing it.
Don’t keep your crypto on an exchange if you aren’t using the service.
Not your keys, not your coins.