Hacked DAO Faces Lawsuit as Users Try To Recoup Stolen Funds

Law firm claims all parties involved in a DAO’s governance are liable for the protocol’s alleged “negligence and illegality”

by Ben Strack /
article-image

Source: Shutterstock

share

key takeaways

  • An estimated $55 million of crypto was stolen after a bZx developer had his wallet’s private keys taken in a November phishing attack
  • The 14 plaintiffs’ combined losses from the hack total $1.6 million

The victims of a hack of DeFi platform bZx are vying for the return of their funds in a rare attempt to hold a DAO liable in court.

The lawsuit, filed in the Southern District of California Monday, names 14 plaintiffs who claim to have lost funds ranging from $800 to $450,000. Together, the complaint indicates, the plaintiffs lost roughly $1.6 million from the November hack, during which an estimated $55 million of crypto was stolen. 

Plaintiffs allege the theft was possible only because the protocol had not yet implemented security measures that its operators knew were reasonably necessary to protect funds.

A spokesperson for bZx did not immediately return a request for comment. 

Newsletter

Subscribe to Blockworks Daily

Law firm Gerstein Harrow LLP, whose attorneys have developed a crypto consumer protection practice, represents the plaintiffs. Its first case, which alleges that a DeFi (decentralized finance) operator called PoolTogether is operating an illegal lottery in New York, also deals with the issue of who can be held liable for the violations of DAOs.

DAOs (decentralized autonomous organizations) are member-owned communities without centralized leadership. The term DAO went mainstream last year when a group of crypto natives — dubbed ConstitutionDAO — raised $49 million in an unsuccessful bid to buy a copy of the US Constitution. Hedge fund billionaire Ken Griffin won the auction. 

“Those who form DAOs apparently believe that they can use the word ‘decentralized’ to evade corporate and individual responsibility,” Gerstein Harrow LLP Partner Jason Harrow said in a statement. “The opposite is true: without the protection of a corporation or limited liability company, everyone involved in a DAO’s governance is liable for the protocol’s negligence and illegality.”

Defendants include bZx protocol co-founders Kyle Kistner and Tom Bean, bZx investors Hashed International and AGE Crypto, and bZeroX, which created the protocol and controlled it until August 2021, according to the complaint. It also names bZx DAO, Ookie DAO and LeverageBox, a company that operated the Fulcrum trading platform, as defendants.  

The complaint argues that because the bZx protocol purports to be a DAO that lacks any legal formalities or recognition, it can be considered a “general partnership.”

“That means each of the partners is jointly and severally liable to the plaintiffs and must make good on the full amount of its debts,” the document states.

Compensation plan ‘inadequate,’ plaintiffs argue

A bZx developer had his personal wallet’s private keys taken in the phishing attack, which granted the hacker access to the private keys to the Binance Smart Chain and Polygon deployment of bZx protocol, according to a November blog post.

The DeFi protocol said at the time the attack was likely executed by Lazarus Group, which is known to be a state-sponsored hacking organization with links to North Korea. The hacker converted a large amount of stolen assets into ether and transmitted the funds through Tornado Cash, according to bZx.

In addition to stating on its website in December that it was preparing to launch the bZx deployments on Binance Smart Chain and Polygon with enhanced security measures, the bZx DAO shared details of its compensation plan for victims.

​​The bZx DAO committed to fully compensating those who lost BZRX in the attack with that asset, amounting to about $20 million of BZRX. It agreed to pay back victims who lost money via other tokens over time by buying back debt tokens each month using 30% of protocol revenue and fees.

But the complaint calls the plan “woefully inadequate,” adding “at the current buyback rate, full repayment will take thousands of years.”

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

learn more

recent research

Research Report Templates (11).png

Research

Putting a Premium on Stability

Under current market conditions, stablecoins are paying compelling risk premiums multiples higher than the risk-free rate. Elevated premiums present a highly positive context for continued growth in the aggregate stablecoin supply and new inflows coming into the market to capture this elevated carry. Onchain money markets stand as primary beneficiaries of these market conditions and a forward outlook of a growing stablecoin supply. Similarly, Pendle’s PTs across a number of assets can provide attractive instruments to hedge variance and lock in a compelling fixed yield.

by Luke Leasure

/

news

article-image

Forward Guidance NewsletterPolicy

Senate Banking Committee cancels confirmation vote for SEC’s Caroline Crenshaw

In the meantime, Trump will name either Commissioner Hester Peirce or Mark Uyeda as acting chair

by Casey Wagner /
article-image

Forward Guidance NewsletterPolicy

Trump-crypto CEO meeting about appointments, BTC reserve 

Trump’s latest industry rendezvous featured a conversation with Crypto.com CEO Kris Marszalek

by Ben Strack /
article-image

0xResearch NewsletterDeFi

Double-dipping with sBTC on Stacks

Unlike other BTC-pegged solutions, sBTC stays liquid — you don’t need to stake or lock it up to earn rewards

by Macauley Peterson /
article-image

0xResearch NewsletterDeFi

Scroll announces OpenVM, a new zkVM

Scroll will eventually transit to a Type-1 zkEVM and Stage-1 rollup

by Donovan Choy /
article-image

Empire NewsletterMarkets

A bullish December rally could still be in the books

Although bitcoin hitting $120k by year’s end is looking unlikely

by Katherine Ross /
article-image

DeFiEmpire Newsletter

Hyperliquid could have the most valuable airdrop ever

About 270 million HYPE has been claimed, valued around $7.6 billion

by David Canellis /