Once China’s biggest crypto exchange and a top-10 exchange by trading volume, Huobi boasts tens of millions of users. However, little is known about how Huobi provides a haven for hackers through a loose regulatory approach and failing to collaborate with authorities despite claiming otherwise.
The story dates over a year ago when an anonymous hacker stole appr. $117,000 from a Canadian native and deposited the stolen funds to Huobi. More than 16 months later, Huobi refused to cooperate with the Canadian Police and failed to abide by its User Terms by hiding under lax regulations in Seychelles, ultimately leaving the victim frustrated.
So Close, and Yet So Far
On February 25, 2022, Mr. Benson, a 51-year-old Canadian native who lives in Ontario, woke up to one of the most distressing experiences for a cryptocurrency investor. A hacker had swept his Metamask cryptocurrency wallet with the approximately $117,000 balance on it gone. The stolen funds included years of life savings which were a part of his retirement plans.
Following several hours of shock and deep despair, Benson got a glimmer of hope. He recalled that he had read news reports about hackers leaving blockchain trails. He quickly jumped on Etherscan (Ethereum’s block explorer) and FTMScan (Fantom Chain block explorer) to track transactions from his wallet to the hackers.
Voila! The hacker had left a trail. After converting the stolen funds, the hacker’s original address made two transfers to a second wallet. The second wallet deposited the stolen funds in USDC to a wallet tagged by Etherscan as belonging to the Huobi exchange. Coinfomania independently verified blockchain transactions and confirmed the hacker’s associated wallet deposited the funds to Huobi.
Thrilled by the discovery and full knowledge that Huobi had a know-your-customer and anti-money laundering (KYC/AML) process, a reinvigorated Benson could finally hope. The recovery process should ultimately be as simple as confirming to Huobi that the hacker stole the funds from his wallet. However, that was not to be the case. What seemed so near has moved so far that even after 16 months, there has been no significant headway toward recovering the stolen funds.
Regulatory cooperation fails
According to media documents obtained and verified by Coinfomania, Benson reached out to Huobi within 24 hours after the hack, requesting that the exchange review the illicit transaction. Huobi replied with a message requesting evidence that Benson owned the hacked Metamask wallet.
Against essential security practice, Benson was compelled to reinstall the hacked wallet address. He provided image screenshots and a video that shows, among other things he owned the hacked wallet address. However, Huobi failed to act on the provided evidence and requested that Benson establish communication with the police so that Huobi may investigate the hack.
(Huobi’s response admitting willingness to cooperate with the police)
Following the request on March 17, Benson reached out to Constable Colin Brabender of the Strathroy Caradoc Police Service (SCPS) located in Strathroy, Ontario, Canada. Colin Brabender filed an official complaint, including a written letter to contact Huobi to investigate the theft and return the stolen funds.
However, Huobi failed to cooperate with the police officer. Afterward, Detective Ben Wright of the SCPS also contacted Huobi, but the exchange failed to corporate. Huobi notably cited an inability to provide the requested data about the identity of the individual that had deposited the funds. Attempts to get Huobi to return to freeze the funds and return them to the victim without divulging the hacker’s identity also ultimately failed.
Instead, Huobi responded to the police officers by requesting that the request be made through the “relevant international regulatory cooperation bodies in Seychelles for [Huobi] to provide the information.”
The Canadian Police followed up on Huobi’s request with an order for the exchange to freeze the funds, while Benson seeks remediation through Seychelles’ authorities. Admittedly, Huobi had failed to “cooperate” with the Canadian Police as it had initially said it would, thereby skirting its “User Agreement.”
Huobi User agreement notes that the exchange has the right to suspend its services and freeze digital assets held in a user account if it found that the users had engaged “in illegal or illegitimate activities, such as money laundering and bribery.”
Per the exchange, “it maintains full custody of the Digital Assets, funds, and User information/data which Huobi may turn over to governmental authorities in the event of an Account’s suspension or closure arising from fraud investigations, investigations of violation of law or violation of this Agreement.”
Meanwhile, the request to reach out to authorities in Seychelles would uncover that Huobi is neither regulated nor licensed in the country.
Was Huobi Ever Regulated In Seychelles?
Huobi has been cleaning up its regulatory loophole, obtaining a license in up to seven countries, according to its website. However, this has not always been the case.
For several years, Huobi reiterated throughout its User Agreement that its relationship with customers is “governed by and construed in accordance with the laws of Seychelles.” This statement is also still available on Huobi’s Legal Statement. In a perfect world, this would mean that customers could reach out to Seychelles’ authorities to resolve any conflict of interest.
Also, Huobi’s outright request to Benson that the company is contacted by “relevant international regulatory cooperation bodies in Seychelles” gives off the idea that the company is registered or legally bound to a regulatory body in the jurisdiction.
However, that is not the case, as Benson eventually learned after over six months of correspondence with the Seychelles Financial Services Agency (FSA). Mr. Benson reached out to the financial markets regulator upon Huobi’s request on April 22, 2022, sending a 27-page complaint that detailed his ordeal with the funds allegedly laundered on the platform.
On May 4th, the FSA acknowledged the complaint and requested evidence from that Benson had “exhausted all possible options to try and resolve the matter” directly with Huobi before lodging a complaint with the FSA. Mr. Benson submitted the requested information, which evidently includes the direct order from Huobi that a request is made through regulatory cooperation bodies in Seychelles. It also included evidence that Huobi had blocked Mr. Benson’s email address, meaning he had exhausted all possible options.
Unfortunately, the submission automatically extended the waiting period for a resolution to five months. Per the FSA guideline, the regulator would require three months to investigate the incident. Mr. Benson, though, was willing to wait as long as he could still hope to recover his stolen funds.
The FSA failed to reach out to Mr. Benson at the end of the period. Another week elapsed before the FSA responded without any clear information regarding any investigation into Huobi. Meanwhile, an FSA Supervision Officer, Elizabeth Chow, who had spoken with Mr. Benson on his first attempt to reach out to the regulatory body, noted that he was the fifth person to reach out to the agency with a complaint about Huobi.
On August 25, following three weeks of incessant emails, Elizabeth Chow agreed to meet with Mr. Benson over a recorded Zoom call also obtained by Coinfomania. During the call, Ms. Chow promised that the FSA would write a letter to Huobi the next day and reply to Mr. Benson within five days regarding the matter. Notably, she failed short of providing a reply for close to two weeks.
Ms. Chow’s first and only reply to Mr. Benson on the matter came on Sept 9th after Mr. Benson had threatened to fly down to Seychelles to pursue a resolution of the matter. In the email, Ms. Chow only mentioned that “the FSA is reviewing the complaint” and would provide a response once it had “established its position on the matter.”
After several emails and no reply over the next few weeks, Mr. Benson reached out to the FSA again in early October. On October 10, Mr. Benson called the FSA office to speak with Ms. Elizabeth Chow but was connected instead with Ms. Hazel Lafortune, who, according to the FSA website, is the Director for Fiduciary Supervision. Ms. Elizabeth Chow was reportedly away on vacation.
On the call, Ms. Hazel said about Huobi’s regulatory status, “Here at the FSA, currently, We do not regulate them [Huobi]. Unfortunately, we are legally not the regulator for these types of activity [virtual asset providers], which Huobi is part of. Our hands are really tied because they’re under no regulatory purview of ours.”
The FSA, according to Ms. Hazel, is working on a framework to regulate cryptocurrency-related businesses. In the meantime, the industry is a sort of “wild west.” She continued, “We’re not able to have them [Huobi] return any funds to any clients. Huobi has not gone through our licensing requirements as no such framework exists.”
Despite confirming that the FSA could not help Benson recover the stolen funds, Ms. Hazel sought to provide some assurance by saying, “We are on the case and exploring some options. However, there is nothing we can do regarding the stolen funds. We can’t help you in that regard.”
Meanwhile, she noted that Appleby Global Services, a separate entity that offers services to Huobi, is licensed by the FSA. According to information on its website, Appleby offers offshore legal advice and services to companies setting up businesses in loosely regulated regions like Seychelles, Cayman Islands, Mauritius, Bermuda, and Jersey. The firm declined an email request sent by Coinfomania while researching this story requesting further insight into its affiliation with Huobi.
Unanswered Questions
Huobi may have moved its operations away from Seychelles, but a closer review of events may have uncovered that the crypto exchange concealed its actual regulatory status for several years. On March 8, 2021, the Financial Services Agency published a public notice warning that it does not regulate or license Huobi or any of its affiliates.
However, that notice has since been unpublished and is only available on Web Archive. The agency did not provide further information on whether or not the FSA regulated or licensed Huobi. Deleting a public warning raises questions about whether the FSA liaised with Huobi to mislead the public about the company’s regulatory standing.
A now-deleted warning notice by the FSA about Huobi Limited (Source: WebArchive)
The FSA evidently did not reveal to Benson following his initial request back in March 2022 that it didn’t regulate Huobi. Instead, the agency gave a notion that it would investigate the matter and even write a letter to Huobi, an entity that the FSA later claimed not to have jurisdiction over.
Huobi’s instruction to the alleged victim, asking to be contacted through the “relevant international regulatory cooperation bodies in Seychelles,” generally appears misleading. The company isn’t regulated or licensed by the country’s top financial watchdog, as revealed by an FSA representative.
The loose KYC requirements on Huobi may also have appealed to bad actors and turned the exchange into a hub for money laundering, especially for stolen funds. Unlike rival exchanges like Binance, that now implement mandatory KYC, Huobi still permits users to withdraw up to 0.06 BTC (appr. $1,100) without completing an ID verification.
If customers returned to February 2021, the platform still allowed up to 1 BTC withdrawal for unverified accounts. Bad actors can evidently deposit funds and gradually withdraw from accounts; there are no limits to the number of accounts a user can create.
Victim Eyes Class Action Lawsuit
Mr. Benson’s life has been severely impacted since losing money to laundering facilitated through Huobi’s platform. The victim is even more frustrated with being stonewalled and played around by Huobi and the FSA for the past 16 months and over 70 emails.
He believes he is not the only victim of such injustice and has set up huobiclassaction.com, a website that seeks responses from users who share a similar experience with Huobi. Further investigation reveals he is not the first to lose funds laundered through Huobi.
In January, Bitcoin.com reported about a French national who lost money to a Chinese fraudster. The unnamed victim, represented by lawyer Jonathan Levy, had tracked down the hacker’s account to Huobi with the aid of blockchain research firm CipherTrace.
Mr. Benson hopes to get justice for himself and such victims by pursuing a lawsuit against Huobi. The objective is to recover their funds through the appropriate legal system and prevent other investors from facing similar losses.
