Not your keys, not KuCoin’s: Red flags ignored

A dizzying lack of transparency as the crypto exchange is hacked and $150m in customer funds goes missing


Back in April of 2020, Cointelegraph took a close look at the KuCoin cryptocurrency exchange. Investigating the apparent lock of the primary domain name, which was a result of a legal case under the jurisdiction of the High Court of Singapore, we concluded that:

In the absence of clarity from any of the individuals mentioned in this article, or from the company itself, users of the KuCoin cryptocurrency exchange will likely want answers on whether they are sending their money to Singapore, the Seychelles, China — or anywhere else in the world.

Now $150 million is missing from KuCoin in what has been described by the exchange as a “security incident”, and while the directors of the exchange refused to answer our questions five months ago (and implied that our accurately-sourced reporting was untrue), perhaps their customers will hold them to account this time.

Lack of clarity

A few days before these legal woes began to surface, KuCoin announced a corporate restructuring which included reassigning the company’s trademark from one Seychelles-registered entity to another, and appointing a new director whose affiliation with the exchange had previously been unclear.

If the opacity of the ownership is concerning, there’s another perennial question that raises flags in virulent shades of crimson. Where is KuCoin, anyway? Chase Williams suggests that it began as a Seychelles business with headquarters in Hong Kong, before moving to Singapore, and that the three named directors in its suit are believed to reside there. But like many cryptocurrency exchanges, the actual location of its office (if it has one) and staff is unclear.

Missing funds, knowledge gaps

Despite countless warnings about the perils of leaving funds on exchanges, crypto traders continue to trust that the security of exchanges (and the integrity of their staff) is sufficient to prevent the loss of their tokens. Despite countless warnings, they are wrong.

Whether it be a hack, a social engineering attack, or a plain old-fashioned exit scam, the allure of free money is too hard for criminals to resist. The bank robber Willie Sutton concisely (if apocryphally) explained, “I rob banks, because that’s where the money is.” And exchanges will continue to represent an attractive target so long as crypto holders continue to leave their money lying around in hot wallets.

Insurance fund

Of course, I’m hoping that KuCoin has the resources in its insurance fund to cover losses of this magnitude. Johnny Lyu seems to think so: “Yes, it’s enough. Starting from early 2018, we have established the insurance fund to deal with unexpected security issues such as this.” Perhaps the exchange will publish a wallet address to prove that such a fund exists, and that it will pay out against all valid claims. Then again, the principals couldn’t be clear with us on such basics as their location, their corporate structure, the legal status of their domain name — so maybe this level of transparency would be a stretch.

But there’s a simple fix that almost anyone can perform, a fix that ensures your funds cannot be stolen in an exchange hack. It’s a fix so easy, so obvious, that the owners of around $150 million of cryptocurrency are right now kicking themselves for not performing it.

Don’t keep your crypto on an exchange if you aren’t using the service.

Not your keys, not your coins.



