Relaxation of the Platypus hackers: criminal law powerless?

On 1 December 2023, the Paris judicial court acquitted the two suspects in the hack of the decentralised finance platform Platypus.

First, let's review the background: in February 2023, the Platypus Finance protocol fell victim to a hack. The hacker recovered around $8.5m in stablecoins. (This post describes the technical details.)

The attack targeted the USP stablecoin: via a "flash loan", the hacker was able to deposit collateral, borrow USPs, and then withdraw his collateral using a faulty withdrawal function.

Surprisingly amateurish, the hacker's identity was quickly traced thanks to the work of on-chain investigators such as ZachXBT and the assistance of Binance. He was arrested a few days later by the National Police.

During the trial, the prosecutor requested five years' imprisonment, two of which were firm for, among other things, fraud and money laundering.

But, faced with the defendants' skilful defence, the court did not retain the qualification of fraud, not being able to demonstrate the existence of fraudulent manoeuvres or deception. As fraud was not upheld, money laundering could not be established either. The hacker therefore walks away free as a bird.

According to the information in Le Monde, the court still had the delicacy to inform the hacker that the acquittal was not a "blank check", but simply the consequence of the fact that "the charges do not hold up criminally".

And the judge refers to a possible civil action - as the only option available to the protocol to obtain compensation. "You still have a debt linked to the loan, and Platypus will probably turn against you in civil court..."

This decision is surprising, worrying, and even dangerous - for two reasons.

Inadequate criminal law

First, the judge basically explains that French criminal law, as currently drafted, is powerless. Criminal qualifications are not adapted to hacks or attacks on decentralised finance (DeFi) protocols. Even when fraudulent intent is evident, the judge cannot convict.

We must not forget, of course, that criminal law is interpreted strictly.

The fact remains that such a decision gives the impression that hackers in France are protected by the law. It has already prompted hundreds of ironic reactions on social networks, ranging from comparisons with North Korea (known for sponsoring the Lazarus hacker group) to calls for wannabe cybercriminals to move to France.

Above all, this decision will serve as a further argument for those who explain that DeFi is outlawed, and must therefore be regulated as quickly as possible.

A Smart contract is not a contract

Then, the judge seems to have been convinced by a certain declension of the famous 'Code is Law' principle. How else are we to understand the reference to the loan and the debt owed by the hacker to the protocol?

It would appear that the judge dismissed certain criminal charges (notably theft and fraud) on the grounds that the hacker's interaction with the smart contract formed a "contract". In this case, a loan contract.

The hacker, seen as the borrower of the hacked funds, can therefore be neither a swindler nor a thief. Following this legal logic, we even conclude that the hacked funds belong to him, with the onus on him to repay them. Presupposing the existence of a contractual relationship would therefore rule out any finding of an offence.

This interpretation is dangerous and questionable. Clearly, the judge was misled by the defence, which opportunely played on the semantic amalgam between smart contract and contract. In short, "Code is law". However, a smart contract is not a contract, it is simply a computer program that can, depending on the case, be the support or the instrument of a contractual relationship.

And, assuming that a contract had indeed been formed between the hacker and the protocol, why stop there and not seek to challenge it? Was the contract valid? Wasn't its formation vitiated by a cause of nullity? (At a guess... fraud?)

Here too, the English-language Crypto Twitter made no mistake and ironised on the recognition of the "Code is the law". Be that as it may, even if it is reversed on appeal, this decision is already likely to mislead many players.

To conclude, let's not generalise too quickly about this decision by the Paris judicial court. It is only a first instance decision, and there is nothing to say that it will set a precedent. It is still possible for the prosecution to appeal.

For a lawyer, encouraging a prosecutor to appeal and calling for a stricter penalty is difficult, almost unnatural... But, this time, we must make an exception: in the interests of the crypto ecosystem as a whole, it is crucial that this decision is appealed. It is crucial that a court of appeal confirms the obvious: yes, hacking decentralised finance protocols is prohibited by criminal law.