Relaxation of the Platypus hackers: criminal law powerless?

04.12.2023
Relaxation of the Platypus hackers: criminal law powerless?
Ask AI TO SUMMARIZE ThIS ARTICLE

On 1 December 2023, the Paris judicial court acquitted the suspects in the Platypus Finance hack. For lawyer Victor Charpiat (Kramer Levin), this decision is questionable for several reasons, not least because it equates 'smart contracts' with conventional contracts.

Your 2 free articles this month are up

The research your peers are already leveraging

The Big Whale gives financial institutions the market intelligence, network, and platform to move with confidence in digital assets. Trusted by 150+ firms.

On 1 December 2023, the Paris judicial court acquitted the two suspects in the hack of the decentralised finance platform Platypus.

First, let's review the background: in February 2023, the Platypus Finance protocol fell victim to a hack. The hacker recovered around $8.5m in stablecoins. (This post describes the technical details.)

The attack targeted the USP stablecoin: via a "flash loan", the hacker was able to deposit collateral, borrow USPs, and then withdraw his collateral using a faulty withdrawal function.

Surprisingly amateurish, the hacker's identity was quickly traced thanks to the work of on-chain investigators such as ZachXBT and the assistance of Binance. He was arrested a few days later by the National Police.

During the trial, the prosecutor requested five years' imprisonment, two of which were firm for, among other things, fraud and money laundering.

But, faced with the defendants' skilful defence, the court did not retain the qualification of fraud, not being able to demonstrate the existence of fraudulent manoeuvres or deception. As fraud was not upheld, money laundering could not be established either. The hacker therefore walks away free as a bird.

According to the information in Le Monde, the court still had the delicacy to inform the hacker that the acquittal was not a "blank check", but simply the consequence of the fact that "the charges do not hold up criminally".

And the judge refers to a possible civil action - as the only option available to the protocol to obtain compensation. "You still have a debt linked to the loan, and Platypus will probably turn against you in civil court..."

This decision is surprising, worrying, and even dangerous - for two reasons.

Inadequate criminal law

First, the judge basically explains that French criminal law, as currently drafted, is powerless. Criminal qualifications are not adapted to hacks or attacks on decentralised finance (DeFi) protocols. Even when fraudulent intent is evident, the judge cannot convict.

We must not forget, of course, that criminal law is interpreted strictly.

The fact remains that such a decision gives the impression that hackers in France are protected by the law. It has already prompted hundreds of ironic reactions on social networks, ranging from comparisons with North Korea (known for sponsoring the Lazarus hacker group) to calls for wannabe cybercriminals to move to France.

Above all, this decision will serve as a further argument for those who explain that DeFi is outlawed, and must therefore be regulated as quickly as possible.

A Smart contract is not a contract

Then, the judge seems to have been convinced by a certain declension of the famous 'Code is Law' principle. How else are we to understand the reference to the loan and the debt owed by the hacker to the protocol?

It would appear that the judge dismissed certain criminal charges (notably theft and fraud) on the grounds that the hacker's interaction with the smart contract formed a "contract". In this case, a loan contract.

The hacker, seen as the borrower of the hacked funds, can therefore be neither a swindler nor a thief. Following this legal logic, we even conclude that the hacked funds belong to him, with the onus on him to repay them. Presupposing the existence of a contractual relationship would therefore rule out any finding of an offence.

This interpretation is dangerous and questionable. Clearly, the judge was misled by the defence, which opportunely played on the semantic amalgam between smart contract and contract. In short, "Code is law". However, a smart contract is not a contract, it is simply a computer program that can, depending on the case, be the support or the instrument of a contractual relationship.

And, assuming that a contract had indeed been formed between the hacker and the protocol, why stop there and not seek to challenge it? Was the contract valid? Wasn't its formation vitiated by a cause of nullity? (At a guess... fraud?)

Here too, the English-language Crypto Twitter made no mistake and ironised on the recognition of the "Code is the law". Be that as it may, even if it is reversed on appeal, this decision is already likely to mislead many players.

To conclude, let's not generalise too quickly about this decision by the Paris judicial court. It is only a first instance decision, and there is nothing to say that it will set a precedent. It is still possible for the prosecution to appeal.

For a lawyer, encouraging a prosecutor to appeal and calling for a stricter penalty is difficult, almost unnatural... But, this time, we must make an exception: in the interests of the crypto ecosystem as a whole, it is crucial that this decision is appealed. It is crucial that a court of appeal confirms the obvious: yes, hacking decentralised finance protocols is prohibited by criminal law.

Format
Op-eds
Victor Charpiat

Victor Charpiat is Head of Legal & Compliance at Spiko, a Paris-based financial services firm that provides daily-paying interest products on cash. He has held this role since January 2025. Spiko was founded in 2023 and has raised $25.8M in total funding.

Prior to joining Spiko, Charpiat spent over six years at the Paris office of Kramer Levin Naftalis & Frankel LLP, where he worked as an associate specializing in fintech, cryptocurrencies, and PSAN (Prestataire de Services sur Actifs Numériques) matters. Between January 2022 and January 2023, he founded Kolat, a financial services company based in the Paris area. Before Kramer Levin, he worked at Sullivan & Cromwell LLP in Paris from April 2017 to October 2018 in the corporate general practice group, having completed a final internship there earlier that year. He also held a legal tech internship at 11.100.34 Avocats Associés in late 2016. He holds law degrees from Sciences Po Paris and Université Paris II-Panthéon Assas.

See all articles ↗
Subscribe to The Drop
The leading weekly briefing on digital assets for financial institutions: independent analysis, reports, benchmarks and exclusive events, delivered to your inbox.
Read by 30,000 professionals
November 12–13, 2026

The Geneva Summit

The Corporate Gateway: where the future of onchain finance is decided. 300 handpicked decision-makers. One shared mandate.
300
Decision-makers
2 days
Intensive program