Crypto ‘hacker’ who exploited bug to mint $17M could still keep it
A California federal judge has ruled South Korean crypto project ICON (ICX) may have acted improperly when it instructed Kraken and Binance to freeze 14 million tokens minted by a crypto ‘hacker.’
Mark Shin stumbled across the ability to create the new ICX tokens in August 2020 after he discovered a bug in ICON’s Revision 9 software proposal.
ICON is a blockchain-powered network that supports smart contracts and staking and was historically considered South Korea’s answer to Ethereum.
Specifically, Shin’s loophole allowed him to create 25,000 new ICX every time he attempted to transfer staked digital assets.
And so he did, Shin:
- minted 14 million ICX by the end of the day ($8 million at the time, $16.8 million today),
- moved the majority of his new stash to major crypto exchanges Binance and Kraken,
- lost access to his accounts (which also housed crypto unrelated to the ICX bug).
In a lawsuit filed in October 2020, Shin alleged ICON contacted the exchanges to frame him as a malicious attacker and demand they freeze his accounts.
ICON gave the exchanges the public key tied to his ICX transactions, said Shin. This made it possible for both exchanges to identify him.
Shin countered that he had never hacked any part of ICON’s system, he simply used the code as it had been programmed.
ICON hit back. The firm said it was up to Shin to prove it controls the actions of Binance and Kraken.
Despite that, Judge William H. Orrick ruled on Monday that Shin could still have a property claim to the ICX tokens he minted.
“At this stage, Shin has plausibly alleged that ICON’s communication with the exchange platforms proximately caused his alleged injury [the freezing of his accounts],” said Orrick.
The judge then denied ICON’s motion to dismiss the case.
Crypto ‘hacker’ could make legal history
Judge Orrick also ignored a number of ICON’s other claims.
ICON said Shin cannot be the tokens’ rightful owner because he didn’t invest “substantial time and money in the 14 million tokens generated.”
However, the time he did or didn’t spend minting the ICX in question can’t be legally resolved on a motion to dismiss, said the court (meaning ICON struck out).
ICON also attempted to attack Shin’s earlier comments, specifically that minting the tokens was like walking into a casino, placing a quarter in a video poker machine, pressing a series of buttons, and winning a jackpot every time.
[Read more: Crypto thief gets 8 years for stealing $13M in DASH from friend]
The firm posited Shin didn’t know why he was receiving 25,000 ICX every time he “placed a quarter in the machine,” which means he shouldn’t get rightful ownership of the crypto.
Judge Orrick however disagreed, saying that ICON failed to provide any legal precedent that matches this specific blockchain case.
Shin’s attorney Kyle Roche told Law360: “It’s a seminal case for establishing property rights on the blockchain.”
“Essentially, if the blockchain says you have certain tokens, and you didn’t take those tokens from another individual, the rules of blockchains are that that property belongs to you,” said Roche, before adding that other stipulations must be added to the user agreement.