Coinone, a popular cryptocurrency exchange in Korea, has been ordered by a judge in Seoul to pay 25 million won (~$20 780 USD) to a customer who had his exchange accounts drained in a hack.
According to Chosun IT, this is Korea’s first case of a crypto exchange being held partially liable for customer funds lost to computer hackers.
The plaintiff, “Mr A,” reportedly began trading on Coinone in April 2017, held nine cryptocurrencies in his portfolio, kept 47.7 million won in cash at the exchange and held 27,100 EOS coins there until his account was hacked in late 2018.
“Mr A” may have been the victim of a SIM-swap attack, in which hackers impersonate their victims and trick telecoms into giving total access to victim’s cellphones.
Private data on the phone and the unit’s 2-factor authenticator app can then be used to access all sorts of private accounts, including crypto accounts.
According to Chosun IT (translated):
“A hacker connected to (a) Dutch VPN server IP on December 23, 2018 ….and bought Bitcoin after disposing (Mr A’s) cryptocurrency in his account using A’s account password and the individual Google OTP (authenticator) temporary number.”
Mr A claimed that Coinone was remiss in allowing the hacker to withdraw more than the daily limit established by the exchange:
“The exchange did not limit withdrawal even though the cryptocurrency was sent much more than the daily withdrawal limit (20 million won) according to the coin one policy.”
Mr A also sued Coinone on the grounds it had, “not set minimum safeguards, such as blocking user access IP and other overseas IP access.”
Coinone appears to have argued that Mr A’s personal data was not obtained through any fault on its part and said the outsize withdrawal was made under another set of exchange rules.
The judge agreed that Coinone had an obligation to ensure that large withdrawals were not resulting from a hack, but compensated Mr A only for funds lost that exceeded the daily limit:
“It is a mistake for the exchange to…(exceed) the daily withdrawal limit without…(checking for an) exchange system hack.”
A lawyer working on this case said that, despite an increased prevalence of this type of crime in Korea, there is very little relevant case law on the books that can help courts make determinations in crypto suits:
“It is true that there is a lack of legal basis for the status and responsibility of the exchange even though more and more cases are being suffered due to the security of cryptocurrency exchanges.”