Not your keys, not KuCoin's: Red flags ignored

Published at: Sept. 26, 2020

Back in April of 2020, Cointelegraph took a close look at the KuCoin cryptocurrency exchange. Investigating the apparent lock of the primary domain name, which was a result of a legal case under the jurisdiction of the High Court of Singapore, we concluded that:

In the absence of clarity from any of the individuals mentioned in this article, or from the company itself, users of the KuCoin cryptocurrency exchange will likely want answers on whether they are sending their money to Singapore, the Seychelles, China — or anywhere else in the world.

Now $150 million is missing from KuCoin in what has been described by the exchange as a "security incident", and while the directors of the exchange refused to answer our questions five months ago (and implied that our accurately-sourced reporting was untrue), perhaps their customers will hold them to account this time.

Lack of clarity

In March 2020 KuCoin was facing the possibility of a class action lawsuit focused on potentially "false and/or misleading statements to account holders". In another suit, Chase Williams v. KuCoin, filed in the Southern District of New York, the exchange was alleged to have engaged in an unlicensed securities offering. In addition to KuCoin, the latter suit named three individuals connected with KuCoin: Michael Gan, Johnny Lyu, and Eric Don.

A few days before these legal woes began to surface, KuCoin announced a corporate restructuring which included reassigning the company's trademark from one Seychelles-registered entity to another, and appointing a new director whose affiliation with the exchange had previously been unclear.

If the opacity of the ownership is concerning, there's another perennial question that raises flags in virulent shades of crimson. Where is KuCoin, anyway? Chase Williams suggests that it began as a Seychelles business with headquarters in Hong Kong, before moving to Singapore, and that the three named directors in its suit are believed to reside there. But like many cryptocurrency exchanges, the actual location of its office (if it has one) and staff is unclear.

Missing funds, knowledge gaps

There's an old maxim in cryptocurrency. Or at least, as old as the industry itself. "Not your keys, not your coins." It simply means that when your funds are held by a third party, you don't control them.

Despite countless warnings about the perils of leaving funds on exchanges, crypto traders continue to trust that the security of exchanges (and the integrity of their staff) is sufficient to prevent the loss of their tokens. Despite countless warnings, they are wrong.

Whether it be a hack, a social engineering attack, or a plain old-fashioned exit scam, the allure of free money is too hard for criminals to resist. The bank robber Willie Sutton concisely (if apocryphally) explained "I rob banks, because that's where the money is." And exchanges will continue to represent an attractive target so long as crypto holders continue to leave their money lying around in hot wallets. 

Insurance fund

Johnny Lyu of KuCoin has insisted that customers should "Please rest assured that if any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund." And as the misappropriated funds begin to move to other exchanges, evidence is beginning to appear that all may not be lost. Paolo Ardoino of Bitfinex noted via a tweet that his exchange has frozen $13 million in USDT for instance, and this type of inter-exchange collaboration may help to deter thieves in the future.

Of course, I'm hoping that KuCoin has the resources in its insurance fund to cover losses of this magnitude. Johnny Lyu seems to think so: "Yes, it’s enough. Starting from early 2018, we have established the insurance fund to deal with unexpected security issues such as this." Perhaps the exchange will publish a wallet address to prove that such a fund exists, and that it will pay out against all valid claims. Then again, the principals couldn't be clear with us on such basics as their location, their corporate structure, the legal status of their domain name — so maybe this level of transparency would be a stretch.

But there's a simple fix that almost anyone can perform, a fix that ensures your funds cannot be stolen in an exchange hack. It's a fix so easy, so obvious, that the owners of around $150 million of cryptocurrency are right now kicking themselves for not performing it.

Don't keep your crypto on an exchange if you aren't using the service.

Not your keys, not your coins.

Tags
Related Posts
Pioneering hardware wallet brings enhanced staking to cold storage
Twelve months ago, the total value of cryptocurrency locked in staking programs was barely more than $1 billion. Today, there is $58 billion locked in decentralized finance, or DeFi. The adoption of DeFi has been a sea change that’s helped push the crypto industry into the mainstream, but it’s hardly the only one. Mainstream institutions including MicroStrategy and Tesla have poured billions of dollars into Bitcoin — and some have been buying the dip — while nonfungible tokens have evolved from CryptoKitties and CypherPunks to an artistic medium pulling in millions in bids for a new generation of digital artists …
Technology / June 8, 2021
Hacked crypto exchange KuCoin resumes crypto deposits and withdrawals
The KuCoin cryptocurrency exchange is partly restoring deposits and withdrawals following a major hack. As KuCoin officially announced on Oct. 7, the platform has completed the wallet security upgrade for major cryptos like Bitcoin (BTC), Ether (ETH), and Tether (USDT). Following the upgrade, KuCoin has resumed the deposit and withdrawal service of BTC, ETH, and ERC-20-based USDT. According to the announcement, USDT running on other blockchains like EOS, Tron, and Omni is not yet available for withdrawals. KuCoin stated: “KuCoin is gradually restoring the deposit and withdrawal services of all tokens, and the full service of USDT will also resume …
Bitcoin / Oct. 7, 2020
Binance Singapore withdraws crypto license application
Crypto exchange Binance has withdrawn its license application for pursuing digital payment token (DPT) services in Singapore. Starting today, Binance.sg has stopped onboarding new users and will not allow Singaporeans to deposit cryptocurrencies or fiat on the exchange. By Feb 13, 2022, Binance plans to “wind down” all services that relate to dealing with cryptocurrency tokens. However, the exchange announced to take no responsibility for the users’ assets after the self-determined deadline: “With immediate effect, users must start to make plans to withdraw their crypto and fiat from Binance.sg. Accounts of registered users who have not passed KYC will be …
Adoption / Dec. 13, 2021
Super Bowl 2022: Here’s the scoreboard of crypto ads
Super Bowl commercials have always been an intrinsic part of the annual National Football League (NFL) championship and for business, a fair sign of making it in the real world. This year, however, marked a new milestone for the crypto community as FTX, eToro, Crypto.com and Coinbase debuted crypto ads in Super Bowl 2022. With rising demand in crypto — recently fueled by nonfungible tokens (NFT), meme tokens and the Metaverse — Super Bowl crypto ads stole the limelight from traditional businesses on social media platforms like Twitter. Let’s gauge into the advertisements and echo the feelings expressed by the …
Adoption / Feb. 14, 2022
Crypto recruitment execs reveal the safest jobs amid layoff season
Despite a wave of heavy crypto layoffs to start the new year, employees in technical and engineering roles, as well as senior management, will likely continue to see “strong demand” for their skills, recruitment professionals believe. It’s been a tough first few weeks of 2023 for crypto businesses and their staff. Within just two weeks, the market has already seen more than 1,600 crypto-related job cuts as a result of continued market volatility and uncertainty. However, not all departments have seen the same level of cuts. SAFU: Senior-level tech and engineering Rob Paone, founder and CEO of crypto recruitment firm …
Blockchain / Jan. 18, 2023