Two brothers arrested for exploiting vulnerabilities in the decentralized finance protocol Platypus that led to the theft of $8.5 million worth of crypto assets were acquitted of all charges in a Paris court last week. The news was initially published by the news outlet Le Monde.
In mid-February, an ethical hacker named Mohammed M. drained the equivalent of $8.5 million from Platypus by taking advantage of a coding error enabling withdrawals from liquidity pools. The 22-year-old discovered the flaw accidentally while analyzing protocol operations.
- Mohammed M. was arrested days after the hack, along with his brother Benamar M.
- Claimed he planned to return 90% of the funds as a “bug bounty” reward
- Presented himself as an ethical hacker wishing to secure endangered assets
Platypus hacker claims to have acted in good faith
Mohammed M. admitted to the unauthorized withdrawals in court but asserted he merely wanted to highlight issues and obtain a bonus for doing so. Crypto exchange Binance and crypto sleuth ZachXBT provided information, allowing authorities to quickly identify the perpetrators.
But in a shocking twist, the judge dismissed all charges against the brothers, stating that French criminal statutes do not directly criminalize hacking decentralized protocols at this time. The decision allows the hackers to walk free with the stolen cryptocurrency.
Platypus has been a recurring victim of hacks. The DeFi protocol lost over $2 million in another flash loan exploit in October. The hack in October was different as it took place as a series of attacks. The attacker initially drained $1.2 million, with a second attack following hours later that stole $575,000. A third attack that followed cost Platypus $450,000.
The case exposes possible gaps in French legislation covering cybercrime and cryptocurrencies that regulators are still working to address through formal rules. It also highlights lingering vulnerabilities in the fast-growing DeFi ecosystem.