
Some time ago, the Bybit exchange suffered the largest cryptocurrency theft incident, in which North Korean hackers stole approximately $1.4 billion in cryptocurrency from Bybit's cold wallet. According to information disclosed by Bybit CEO @benbybit on X, the North Korean hacker organization exchanged most of the stolen ETH for BTC through THORChain, with about 16% of the involved funds transferred to ExCH, and another 8% exchanged through OKX Web3 proxy contracts.

Bybit hacker's theft and mixing link (source: LazarusBounty)
Subsequently, Bloomberg reported that EU cryptocurrency regulatory agencies are reviewing the issue of hackers using OKX wallet services to exchange and mix stolen coins. Today, OKX announced through an official statement that after consulting with regulatory agencies, it has proactively decided to temporarily suspend DEX aggregator services.
So why did the decentralized self-custody OKX Web3 wallet proactively suspend its DEX aggregation service? What regulations regarding cryptocurrency asset services might be violated by wallet services in the cryptocurrency industry?
1. Does OKX DEX service fall under the regulatory scope of MiCA?
The regulatory body reviewing OKX is the European Securities and Markets Authority (ESMA), and the legal provisions regarding cryptocurrency regulation in the EU are primarily based on the Markets in Crypto Assets regulation bill (MiCA), which will come into full effect at the end of 2024.
Brief summary of the MiCA legislation
The legislation clarifies the regulatory scope of cryptocurrency assets. It divides regulated cryptocurrency assets into three categories: asset-referenced tokens (ART), electronic money tokens (EMT), and other cryptocurrency asset tokens outside of ART and EMT as specified by the MiCA legislation, and provides detailed regulatory rules.
It sets specific regulatory requirements for different cryptocurrency asset service providers such as exchanges and institutions. It also covers preventing insider trading, protecting users' rights, and cooperation between regulatory agencies in different countries on investigation and punishment. For an in-depth analysis of the MiCA legislation, you can refer to previous articles analyzing the EU's Crypto Asset Market Regulation Bill (MiCA).
Legal basis for OKX DEX to fall under the regulatory scope of MiCA
1. OKX DEX provides cryptocurrency asset services that require licensing as stipulated by the MiCA legislation.
The MiCA legislation stipulates that anyone providing cross-border cryptocurrency asset services to the EU jurisdiction area must obtain MiCA authorization as a licensed cryptocurrency asset service provider (CASP).
Here, cryptocurrency asset services include exchanging cryptocurrency assets for other cryptocurrency assets as well as executing trading orders for cryptocurrency assets on behalf of clients.
OKX DEX does not itself provide liquidity for token exchanges; it is a liquidity aggregator. In simple terms, if a user wants to exchange 1 Bitcoin (BTC) in their OKX Web3 wallet for an equivalent value of Ethereum (ETH), OKX DEX calculates the optimal exchange path algorithmically to help the user complete the exchange between cryptocurrency assets.
Because OKX DEX does not use its own funds to carry out customers' token exchanges, it is not exchanging cryptocurrency assets for other cryptocurrency assets. It is, however, very likely to be recognized by regulatory agencies as executing purchase or sale orders for cryptocurrency assets on behalf of clients. If this occurs within the EU jurisdiction area, it requires applying for a MiCA CASP license.
2. OKX DEX is not a fully decentralized protocol and cannot evade MiCA regulation.
The MiCA legislation stipulates that if cryptocurrency asset services are provided entirely in a decentralized manner without any intermediaries, they are not subject to this regulation.
Although the OKX Web3 wallet is a decentralized self-custody wallet, the wallet service page is integrated with the OKX exchange. According to Bloomberg's report, the usage agreement of the OKX Web3 wallet clearly states that the Singapore entity of OKX serves as the operator.
Thus, the DEX aggregation service provided by the OKX Web3 wallet is difficult to classify as a fully decentralized protocol, so it cannot evade the regulatory oversight of the MiCA legislation.
2. Why did OKX DEX urgently suspend services?
Suppose OKX DEX is determined to fall under the regulatory scope of MiCA while the aggregation proxy service of the current OKX Web3 wallet is being exploited by North Korean hackers for mixing and laundering coins. According to Article 64, point 7 of the MiCA legislation, if cryptocurrency asset service providers fail to establish effective systems to detect and prevent money laundering and to combat terrorism financing, the competent authority will revoke their MiCA license.
OKX officially announced in January this year that it obtained a MiCA license with Malta as the host country. If OKX DEX violates anti-money laundering regulations, it could affect its newly approved MiCA license.
Additionally, the MiCA legislation stipulates that before revoking the authorization of cryptocurrency asset service providers, the competent authority can consult the institutions responsible for supervising compliance with anti-money laundering and anti-terrorism financing rules.
Therefore, this morning OKX CEO Star emphasized on X that the OKX Web3 wallet has launched features to combat related money laundering crimes, including banning specific IPs and a real-time system for detecting and blocking blacklisted addresses. The aim is also to show anti-money laundering regulatory agencies that the OKX Web3 wallet has equipped its cryptocurrency asset services with the necessary on-chain anti-money laundering detection and prevention systems, thereby avoiding or mitigating potential regulatory penalties.
Summary and outlook
On-chain wallets serve as the traffic entry point from the real world to Web3, embodying the cryptocurrency industry's yearning for a decentralized world. Leading decentralized exchanges are striving to develop on-chain businesses, and OKX is far ahead in the product experience of on-chain wallets, but it is currently facing compliance issues.
Careful observers may notice that after Binance underwent regulatory compliance adjustments, its wallet function was placed inside the centralized exchange. To use the Binance wallet, you must register a Binance account, unlike the OKX wallet, which can be used directly without being tied to an OKX exchange account.
As countries and regions around the world improve their regulation of the cryptocurrency industry, it is inevitable that wherever there are people, there will be regulation. Future on-chain wallet services must therefore be equipped with corresponding on-chain anti-money laundering systems to detect, prevent, and combat on-chain crimes, so that they can provide cryptocurrency asset services to users within a regulatory compliance framework.