When DeFi Profits From Stolen Funds: Inside a $2.2M Crypto Lawsuit Against Lido and Stakefish

2026/03/04 21:37

As crypto pushes further into the mainstream, a hard question follows: when money is stolen, who is responsible for what happens next? After a wave of wallet drains that has cost hundreds of millions of dollars, longtime crypto user Aleksey Trofimchuck says his wallet was emptied of nearly $2.2 million in ETH. He now plans to sue Lido and Stakefish in U.S. federal court, arguing the staking providers profited from fees tied to stolen funds while refusing to assist, citing protocol neutrality. In this interview, Trofimchuck shares his perspective on accountability in DeFi and what this lawsuit could mean for Web3 as the regulatory landscape continues to take shape.

Could you start by sharing a bit about yourself and explaining to us the reasons you’re suing Lido and Stakefish, two well-known staking protocols?

My name is Aleksey, and I’m a crypto OG, as I’ve been actively investing in digital assets, running Bitcoin and Ethereum mining farms, and supporting the ecosystem’s growth over the last 12 years. Over that time, I’ve accumulated a substantial amount of digital assets and served as an Ethereum validator, where I’ve been dedicated to the protocol’s performance and security. 

In April 2023, I suffered a loss of approximately $2.2 million (600 ETH) in a highly sophisticated hack targeting an array of wallets that had been active for at least several years. The victims were not newcomers, but seasoned users adept at following the necessary security practices, highlighting the advanced nature of the attack.

The exact mechanism of how this exploit went down is still unclear. MetaMask developers said it wasn’t a classic phishing attack and that the hacker, or team of hackers, likely got their hands on the private keys. 

Unfortunately, hacks occur frequently in this space, but the real challenge begins once the funds are stolen. What happens next exposes a deeper identity crisis within the DeFi space. Does maximum decentralization mean that DEXs and dApps can’t return assets tied to illicit activity? 

While DeFi protocols can stand behind slogans like “The code is law,” they’re ultimately saying that smart contracts run the show, and once they are deployed on-chain, they become immutable. But we all know that smart contracts are constantly updated. Therefore, they can be revised to ensure better performance or include safeguards that ensure stolen funds will be returned to the original wallet. 

In my case, the hackers funneled the stolen funds through Lido and Stakefish, two major staking protocols that each took heavy cuts from my stolen crypto. In total, they took around $1.65 million in fees just for processing these transactions. Stakefish took 288 ETH and Lido 82 ETH in gas fees. This effectively facilitated the laundering of stolen assets through their protocols. From my perspective, this isn’t about decentralization or respecting the integrity of blockchain’s immutability; it’s an exploitation, and it may account for money laundering, unjust enrichment, and negligence.  

Did you reach out to either Lido or Stakefish asking for an explanation?

Of course, I reached out to each on a few occasions, including within the first 15 minutes of the incident. Unfortunately, their responses did not seem to align with AML/CFT obligations, ethics, or broader financial crime controls. In short, both staking providers claimed to be powerless to act based on DeFi’s principle of neutrality. Many protocols use this concept as a shield, relying on the fact that they are non-custodial and that “code is law,” which conveniently enables them and their communities to profit off these types of incidents.  

As a result, I filed complaints with the SEC, the FBI (via the Internet Crime Complaint Center, IC3), and California’s Department of Financial Protection and Innovation (DFPI). However, these filings were intended to increase pressure more than anything else, as large enforcement agencies are busy and tend to demand numerous complaints before formally launching an investigation. Therefore, I encourage others to come forward by formally submitting their complaints, along with evidence, to these agencies to add more pressure. 

What is the precedent for recovering hacked funds from any crypto service provider, either centralized or decentralized? Stakefish is a centralized non-custodial staking provider, but Lido is a DeFi protocol, so what is the precedent for staking platforms when it comes to returning profits from gas fees?

First, I think it’s worth highlighting that miners/validators have sporadically refunded abnormal fees on a non-guaranteed, ex gratia basis. In 2023, the Bitcoin mining pool F2Pool returned around 20 BTC after Paxos accidentally paid a huge fee. In the pre-merge Ethereum era, pools froze and debated multi-million dollar fees, but notable mining pool Ethermine ultimately said it would abandon this practice, showing how inconsistent these policies are.

The problem is that there really isn’t a consistent precedent. Centralized exchanges like Binance, Kraken, and Coinbase have returned funds on a few occasions. However, these big players don’t have to consult a DAO, which makes the process more straightforward in comparison to DeFi protocols. 

DeFi platforms will almost always play the “code is law” card as the decentralized ethos that demands all blockchain transactions are censorship-resistant. While this is a heavily debated topic within crypto circles, Stakefish, as you mentioned, isn’t DeFi and runs non-custodial validators just like Stakefish. Technically and structurally, there is no difference between Kraken and Stakefish when stolen ETH was paid to them in the form of gas fees. Kraken’s service is non-custodial at the protocol level, just like Stakefish’s. The practical difference is governance, regulatory posture, and willingness to reimburse victims. 

As far as precedent for these validator platforms, whether decentralized or not, there is almost no precedent—except for ParaSwap DAO—for returning profits earned from transaction fees on stolen funds. The question the industry should be asking is whether we can defend this position from an ethical standpoint.

What does your potential lawsuit say about the future of crypto and DeFi?

Well, I’m not sure what it says about the future, but it does paint a picture of an industry that has reached a fork in the road. One direction is to continue on the same path, which provides a niche, alternative financial ecosystem. This path is ultimately risky, raises questions about its long-term viability, and is therefore not for everyone. 

The second path is one of compromise. This path doesn’t necessarily argue for DeFi to come under full regulatory control, but rather to embed basic ethics into its operations. By creating mechanisms to provide DeFi users with basic protections—similar to those in the traditional finance space—DeFi can show its willingness to go after bad actors, which will, in time, make it more accessible. 

Recent court action involving Lido DAO matters, regardless of the outcome, because it clarifies how on-chain governance interfaces with off-chain law. This isn’t about abandoning DeFi principles; it’s about harmonizing credible neutrality with the legal frameworks that inevitably apply when protocols touch real people, assets, and jurisdictions. 

DeFi’s ideals aren’t on trial—its implementation is. Courts won’t force DeFi to betray its principles; they’ll clarify boundaries—what must be documented, how disputes are handled—so neutrality remains credible without becoming a refuge from accountability.

Cases like ParaSwapDAO, which decided to recover around 44 ETH, point toward a changing tide. ParaSwap’s decision reflects layered neutrality: the contracts remained neutral, but the DAO, acting as a steward, exercised targeted discretion once evidence, feasibility, and community mandate aligned. 

That doesn’t mean every case will, or should, result in reimbursement, but rather the direction is clear: “We are DeFi” isn’t a blanket defense, and DAOs are experimenting with case-by-case recovery norms consistent with AML expectations.


How do you see this issue impacting the broader Web3 ecosystem as the regulatory landscape changes?

It’s hard to say exactly how it impacts Web3. As an ecosystem, Web3 is constantly evolving, and personally, I’ll need to get a better grasp of where regulations are going in the U.S. In Europe, the MiCA legislation will, in the near future, include DeFi, and we can only speculate what this may look like. However, because DeFi will likely come under a clear legal framework—eventually—it’s important that the issue of embedding ethics into DeFi gains attention sooner rather than later. 

Web3 has matured and attracted institutional investors and enterprises. However, a volatile and lawless DeFi, where users are scammed with the help of leading platforms that profit, will have repercussions that echo across the sector. Non-crypto users didn’t care that FTX was a CEX and not a DEX; the blowback impacted the entire crypto ecosystem. If DeFi continues to facilitate and assist fraud, it will impact the centralized infrastructure providers, the Binances and Coinbases of the world, and the responsible decentralized protocols.


Who else is aligned with you in your lawsuit? Lawyers, or other veteran crypto users who lost funds?

I have some legal counsel that is guiding me through this process, and I’ve been in touch with others affected by this hack. We’re hoping that more will come forward and join. If we can accumulate more complaints, we could pursue a class action lawsuit, which would put significant pressure on Lido and Stakefish to find a solution. 
