Caught Between Code and Conscience:
An Ethereum Validator Set to Sue Lido and Stakefish in US Federal Court Over Stolen Funds


Beginning in April 2023, a cohort of veteran crypto users saw their wallets drained of Ether and other digital assets—a toll that surpassed $250 million by mid‑2024 and continues to climb. This mysterious hack left investigators very little evidence to work with, as it appeared to be a sophisticated, targeted attack affecting multiple wallets and platforms, far beyond a basic phishing scheme. More than two years later, little is known about the attackers or their methods.

Aleksey Trofimchuk is one of those longtime crypto users. His wallet was drained of close to $2.2 million in ETH (based on today’s value), wiping out the balances and staking rewards from his nine validators. His investigation points to two of the industry’s largest staking providers, Lido and Stakefish, which were used in the scheme and which he believes not only pocketed a significant sum from the stolen ETH in transaction fees (stemming from a so-called “gas war”) but also redistributed the remainder to their staking clients. Now he intends to take Lido and Stakefish to court.

According to the forthcoming lawsuit, Lido and Stakefish retained around 10 percent in validator service fees and redistributed the rest to their staking clients. He claims they are essentially profiting from the proceeds of the hack and subsequent transactions. Trofimchuk alleges this may amount to conversion, unjust enrichment, violation of various business and trade practices, and potentially, anti-money laundering violations.

“Can you imagine how nefarious it is [that] as a middleman, you take around $1.25 million fee from somebody who was forced to send a transaction with a 100 percent fee to an address they don’t recognize? Then they claim neutrality as a defense!” said Trofimchuk. “That’s what Lido and Stakefish did, and I am committed to uncovering the truth.”

Ethics vs DeFi neutrality

When he attempted to recoup his losses, both staking platforms pointed to the principle of neutrality in DeFi and their inability to censor transactions or selectively return rewards. However, critics point out that this stance contrasts with that of other industry players. Notably, U.S.-based Kraken was in a similar bind and returned funds to users without dispute.

Legal experts posit that while DeFi protocols often hide behind the “code is law” claim, courts may view these types of incidents through varying lenses. In another instance, Kraken, facing its own scrutiny from the SEC, elected to prioritize compliance and ethics when it voluntarily helped police return around $2 million to victims—no questions asked. Kraken likely had little choice, as it couldn’t afford to appear complicit in aiding hackers, but either way, it sets a precedent for returning user funds or those that may have come into its hands through the nefarious conduct of others.

By contrast, both Lido and Stakefish present themselves as neutral, autonomous staking providers unable to help victims like Trofimchuk any further: Lido through DAO governance and Stakefish through its non-custodial infrastructure. This allows them to attempt to play the neutrality and autonomy cards. Stakefish’s refusal to return the stolen funds, for example, was an irresponsible look in the other direction. It told Trofimchuk that it has “obligations before our stakers.”

Salman Ravala, a commercial litigation attorney and adjunct law professor, stated: “In adjudicating the tension between stakeholder obligations and compliance with anti-crime tenets, the law is crystalline: entities must not retain or profit from stolen assets. Regardless of internal governance or token-holder expectations, AML obligations and the imperative to avoid unjust enrichment are paramount. A return of the proceeds, sans profit, is the legally and ethically required path. This aligns with emerging DeFi governance precedents, such as the ParaSwap DAO’s deliberations, and surpasses the ecumenical stance adopted by Stakefish and Lido. Compliance and restitution must prevail over preservation of profit.”

With a different legal interpretation, Igor B. Litvak, Esq., a New York-based cybercrime and criminal defense attorney, commented: “In criminal law, it is not enough to declare funds ‘stolen’ and demand their return. The presumption of innocence applies, and the burden is on the government or claimant to prove—through proper judicial processes—that assets are indeed criminal proceeds. Until a court has spoken, entities risk serious liability by acting unilaterally. Non-custodial or DAO-governed platforms present added complexity… AML rules require suspicious activity reports and cooperation with authorities, but they do not deputize platforms to serve as judge and jury.” 

Litvak would go on to add that “the greater danger lies in moving too quickly: returning assets without a clear legal mandate could expose an operator to breach of fiduciary duty or even accusations of misappropriation; retaining assets known to be criminally tainted, on the other hand, risks money laundering exposure. The safest and legally sound path is to freeze or flag the assets where possible, notify law enforcement, and act only under court order.” 

The loosely regulated environment in which these organizations operate highlights some uncomfortable questions that the industry will need to face. For example, should a company’s compliance with its legal obligations take precedence over protecting its clients from having their assets exploited?

Selective accountability

Precedent suggests that neutrality can be flexible when a hack victim has moral leverage. ParaSwap DAO, a DeFi DEX aggregator structured similarly to Lido, chose to override its own governance laws and return funds to the major exchange Bybit. The decision was framed as a reply to North Korea’s notorious hacking organization, Lazarus Group, which critics claim provides a convenient ethical shield.

However, when the victim is an individual crypto holder, silence is more often the response, regardless of the amount of hacked funds. “Why does justice only work for the powerful players?” Trofimchuk asked.

The forthcoming lawsuit will attempt to shatter the “we’re just code” defense that DeFi protocols routinely lean on. Lido already deployed this tactic in Samuels vs Lido, insisting it couldn’t be sued because it is not a legal entity and it cannot technically “exist.” A United States District Judge rejected that argument, denying Lido’s Motion to Dismiss the lawsuit. 

The Court went on to rule that LidoDAO operates as a general partnership, where its members and investment backers can be separately liable, and that promoting Lido’s token essentially makes them statutory sellers under existing securities laws. This solidifies Trofimchuk’s position that DAOs and their investors cannot hide behind decentralization to avoid liability. 

Trofimchuk pointed out that Stakefish, as a founding member of Lido, has in the past reimbursed Lido when hardware errors occurred, implying this is “proof that returning funds is possible when they want it to be.”

DeFi ethics on trial 

Trofimchuk is committed to zealously seeking to recover his $1.6 million, costs, and attorneys’ fees, and his lawsuit will surely test whether DeFi’s commitment to neutrality is sustainable when stolen profits are at play.

“Decentralization isn’t a free pass to ignore crime,” Ravala added. “If Kraken can do the right thing, we will pursue Stakefish and Lido to abide by the same principles, for Mr. Trofimchuk and others harmed by such conduct.” 

In a message to others impacted by this and similar hacks, Trofimchuk says, “If I filed complaints with the FBI and SEC, then you should too.” A collective effort by victims is what may eventually be needed to test the groundwork being set up by Trofimchuk.

As this lawsuit takes shape, the broader Web3 ecosystem faces the tough choice of standing by decentralized absolutism or deciding that ethics and the law matter when real people are involved.


Author
Alex Costa
