Hong Kong regulator goes transparent after two Web3 hacks hit hard

An exchange is accused of $100M+ fraud and a decentralized network lost $200M

GM,

September was a tough month for Hong Kong’s Web3 community. 

Hong Kong has emerged as a real beacon for Web3 over the past year with groundbreaking regulation, adoption among traditional industries and a growing community. But two unsavory incidents—a fraud case and a hack—which have seen thousands of retail investors lose as much as $300 million, have left a stain on the industry and dented confidence.

Let’s dive into what’s happened and what is next…

Best,

Jon and Gary


What’s going on?

Hong Kong has positioned itself as a hub for Web3 and digital assets with a series of strong announcements and new regulations over the past year including virtual asset licenses and real world tokenization. However, the shine has threatened to come off these ambitions with not one but two significant incidents causing retail investors to lose hundreds of millions of US dollars.

JPEX, a crypto exchange that was popular in Hong Kong, is the target of authorities who allege it has defrauded retail investor users of around HK$1.3 billion, or US$166 million.

In parallel, a Hong Kong-based decentralized network called Mixin said it lost US$200 million to a hack—if the figures are correct, that is the largest crypto attack this year. The issue is shrouded in uncertainty though, as Mixin claims its cloud service provider is to blame.

Will these incidents set Hong Kong’s Web3 ambitions back?


SO WHAT?

The blatant fraud

The collapse of JPEX, which is actually based in Dubai, isn’t a huge shock to those who follow Web3 in Hong Kong.

The company used misleading statements about licensing and endorsements from celebrities and influencers to lure users with promises of huge gains despite the broader crypto market seeing prices tank over the past year. 

Things began to unravel when Hong Kong's Securities and Futures Commission (SFC) issued a statement about the company on 12 September after it had imposed restrictions on withdrawals. SFC warned that JPEX had falsely claimed to be licensed overseas, and it was neither licensed nor had it applied for a license in Hong Kong. Indeed, JPEX has been listed on SFC's ‘Alert List’ since July 2022—the list is maintained to help root out potential scams.

Already, 28 people have been arrested, including social media influencers and JPEX staff, while more than 2,500 customers have filed police reports to date. But the lead operators and owners of JPEX are still seemingly unidentified and on the run.

It’s tempting to draw comparisons with fallen US exchange FTX—the name and the logo lend themselves to doing so—but all the evidence here points to a blatant fraud in the case of JPEX. The story of FTX, as we are finding out through the court hearing, has a lot more depth.

The huge but confusing hack

JPEX may be a classic fraud operation, but Mixin is a more typical crypto incident: a huge hack that comes with plenty of questions.

Mixin said its cloud service provider is to blame for its huge loss. But it also claims its exchange and decentralized network are supported by 35 nodes. That’s confusing because decentralized exchanges are made secure by bringing a large number of nodes online, ensuring no single entity has dominant control—which would enable it to write and rewrite transactions.

A cloud service provider should, in theory, be unable to exert control in such a network, which has left many people asking questions.

Google-owned security firm Mandiant and blockchain security specialist SlowMist are on the case and investigating but Mixin said its losses are “not as significant as estimated.” It did not elaborate further nor did it give details on its plans to reimburse users to some degree.

Since Mixin wasn’t licensed, it wasn’t under any additional requirements to ensure against hacks. 

The response: greater transparency and reflection

Given the retail investor losses, the SFC came under pressure. The regulator took the right approach with JPEX, though it has been blamed for not being loud enough. It rang a red alert by placing the company on its watch list, but the list isn’t known to most in Hong Kong, and the listing didn’t prevent JPEX from running advertising, including prominent billboards, which attracted users.

Still, learning from that, the SFC has gone ultra-transparent. Beyond sharing a list of approved licensed virtual asset trading platforms (VATP), it issues a list of applicants that seek approval and those with applications under review. It previously gave a grace period to those seeking to bring their businesses in line with VATP standards, a lack of transparency some abused.

But there may be further changes it could make around custody.

Currently there are only traditional financial custody licenses as opposed to specific offerings for virtual asset platforms. It could make sense to change that.

Regulation around storage may also need re-evaluation. Currently, Hong Kong has taken a hard line on cold storage of assets with a view to protecting user deposits. 98% of client assets must be held in cold storage and at most 2% in hot or other storage. That extreme ratio means platforms can’t pull assets out quickly, and that impacts the user experience and puts pressure on platforms.

The regulator was backed by a statement from a collective of high-profile Hong Kong Web3 leaders—including our own SO WHAT co-author Gary Liu—who lauded it for taking “the correct approach” to encouraging Web3 while also suggesting incremental steps that the Hong Kong government and regulators should adopt.

“Hong Kong has boldly stepped into regulatory leadership over the course of the past year, and as Asia’s most credible financial center and a global cultural hub, we believe that Hong Kong can become a strong foundation for a global digital economy,” wrote the authors, who include Animoca Brands Executive Chairman and co-founder Yat Siu, Matrixport COO Cynthia Wu and others.

We should pay close attention to government and regulator proclamations during HK Fintech Week at the end of this month. The government announced a new VASP licensing regime last year, and its public positions during this year’s event will show if, and how, JPEX and Mixin have impacted Hong Kong’s Web3 future.


News bytes

Now is the time to invest: That’s the ideal behind Hong Kong-based fund CMCC Global which just launched a $100M fund that’s backed by plenty of big names from Web3

Friend.tech—the popular Web3 social media platform we profiled last month—added a number of new log-in options after users lost over $1M in assets from SIM-swapping attacks focused on gaining access via their phone numbers

Coinbase, Ripple, Blockchain.com and Revolut are among 14 companies to be awarded a full payments license to operate in Singapore by the city-state's central bank

Catch up with Sam Bankman-Fried's first week in court—there are five more to go but week one was explosive!


That’s all for this week!

Share your feedback, questions or requests via email to: sowhat@terminal3.io