In a groundbreaking legal decision that has captured the attention of the Malaysian public and the global cryptocurrency community, a Malaysian court has ruled against Luno Malaysia Sdn Bhd, a prominent crypto firm. The case, which involved unauthorized transactions leading to significant financial losses for a user, has set a precedent for the accountability of digital currency platforms in safeguarding user assets.
The Case Unpacked
The plaintiff, Yew See Tak, found that his Luno account had been compromised, resulting in the unauthorized purchase of Bitcoin worth over RM700,000. This incident not only highlighted potential security lapses but also raised questions about the legal responsibilities of cryptocurrency service providers. Yew claimed. that Luno failed to safeguard the cryptocurrencies in his Luno account, further claiming that this caused a loss of his cryptocurrencies
Legal Concepts Demystified
The court's ruling hinged on the concept of negligence—a term that, in everyday language, means Luno didn't take enough care to prevent harm to their customer. By finding Luno liable, the court declared that the company must face the consequences of this oversight, which included compensating the plaintiff for his losses. The compensation, legally termed as 'damages,' serves to make amends for the financial injury suffered by the plaintiff due to the unauthorized transactions.
According to lawyer Ong Yu Jian, Sessions Court judge Sazlina Safie, through a decision delivered online 31 October 2023, ruled in favour of Yew and held Luno to be negligent.
The Sessions Court has granted Luno an interim stay of 14 days, pending Luno’s filing of an appeal at the High Court against the Sessions Court’s decision.
Broader Implications for the Industry
This legal outcome is a stark reminder to all in the cryptocurrency industry of the critical importance of robust security protocols. It underscores the expectation that service providers must not only implement stringent security measures but also maintain them to protect against evolving cyber threats.
Ong said: “This decision sends a clear message that cryptocurrency platforms can be made liable if their customers’ accounts get scammed or hacked."
“It is a very encouraging development in cryptocurrency law. If not wrong, this is the first decision of this kind in Malaysia against a cryptocurrency platform which is recognised by Securities Commission Malaysia. Hopefully, this leads to cryptocurrency platforms being much safer to use in the eyes of the public,”
What is this case about?
In his lawsuit filed through a writ of summons at the Sessions Court in Petaling Jaya on August 25, 2021 against Luno Malaysia Sdn Bhd, Yew sought for several court orders, including a court declaration that he was not involved in the transactions on March 6, 2021 in his Luno account.
He had also sought court orders for compensation in the form of special damages of RM597,920.05, general damages to be assessed, aggravated damages and exemplary damages.
Based on his statement of claim, Yew said he is a registered customer and holder of a Luno account. The Luno account has a Luno wallet where money can be kept online and can be used to buy, store, sell, send, and receive cryptocurrencies.
According to Yew, he had on March 6, 2021 discovered that RM566,570.70 in his Luno account was used in three transactions to buy 2.730096 Bitcoins (BTCs), describing these as illegal transactions that were carried out in a short span of time.
Yew said these newly-purchased 2.730096 BTCs and an existing 0.15106083 BTCs in his account were then transferred to an unknown account via further illegal transactions. Yew said he had never transferred any funds to this unknown account before this.
Yew said he had lodged a police report over the illegal transactions to enable the police to investigate, adding that he also suspected that it was possible those illegal transactions would be linked to unlawful purposes such as money laundering.
Yew said the illegal transactions were suspicious when based on the short timeframe which they happened and when cross-checked against the history of activities in his Luno account, and as the unlawful transactions involved all or nearly all of the funds in his account.
Yew claimed that Luno was negligent due to various alleged reasons, such as the alleged failure to stop the illegal transactions despite the exceeding of the daily transaction limit; failure to verify with him if he had authorised those transactions; failure to freeze the account despite suspicious activities and to investigate and take immediate steps to mitigate his losses; and failure to detect the possibility of money laundering and failure to report the transactions to authorities including the SC.
Yew said he had made a report to Luno’s customer service on March 7, 2021 but claimed that the latter took the view that there was nothing suspicious in the Luno account.
Luno said it had on March 10, 2021 told Yew that there was no indication that his Luno wallet had been compromised and that a Bitcoin transaction cannot be reversed once carried out due to the nature of blockchain technology.
In its defence, Luno said it does not have access to Yew’s Luno wallet and that Yew has full access and exclusive control of his Luno account, adding that no other third party has access to authorise those transactions.
Luno argued that it is Yew’s obligation to keep his own gadget and password secure, and that it is not Luno’s obligation to do so.
Among other things, Luno said it only owes a duty of care to ensure all transactions under Yew’s Luno account are duly authorised, and claimed that each of the transactions — which Yew said were illegal — were authorised by Yew according to Luno’s security features.
Citing the standard terms of use Yew had to accept in order to register his Luno account, Luno said these state that the company does not owe any duty of care for any losses or transactions made that resulted in losses by Yew.
Luno also said the account which received the BTCs from Yew’s account were not flagged by independent third party blockchain monitoring service provider Chainalysis Inc as being linked to illegal activities, explaining that Luno does not suspend or block transactions if not flagged as such and if they were duly authorised.
Luno also said there was no daily transaction limit as claimed by Yew during those alleged illegal transactions, also saying it did not detect suspicious activities on the latter’s Luno account.
In reply, Yew in another court document insisted that Luno is the custodian and trustee of his money and BTC, claiming that Luno still owed the duty of care and fiduciary duty to block all suspicious and fraudulent transactions and seek his clarification before allowing any transactions.
Yew said the option of authorising a transaction carries the risk of unauthorised access by those who have any device that can receive the SMS prompt through the customer’s registered number, and claimed he did not receive or have any knowledge about any SMS requesting for authorisation from Luno for those alleged illegal transactions.
Denying that he had authorised the alleged illegal transactions, Yew claimed to have only discovered the transactions after feeling suspicious when his access to one of his online accounts was blocked with the message “SMS exceeding daily limit” and only after checking his accounts — including the Luno account.
Yew said his Luno account was not accessed via his usual gadget iPhone (which he had been using to trade at all times) but via an unknown gadget not owned by him, and claimed Luno had failed to be alert towards the unknown gadget accessing his Luno account and clearing out his Luno wallet.
Among other things, Yew insisted that there was a daily transaction limit which the alleged illegal transactions had exceeded, and that authorisation of transactions would not cancel out such daily transaction limits.
Crypto Responsibilities Under the Microscope
The ruling brings to light the need for crypto service providers to adhere to a high standard of care. This includes employing secure authentication methods, conducting regular security audits, responding swiftly to any security breaches, and educating users on safeguarding their accounts.
Concrete Steps for Enhanced Security
Service providers are urged to take immediate action to bolster their security posture. This involves implementing multi-factor authentication, performing regular penetration testing to uncover vulnerabilities, and establishing real-time monitoring systems to detect and act upon suspicious activities promptly.
Engaging with the Audience
As readers digest the details of this case, they are encouraged to reflect on their security practices. For crypto service providers, this is a call to action to review and upgrade security measures. For users, it's a reminder to stay vigilant and proactive in managing their digital assets.
Final Thoughts
The legal case against Luno Malaysia Sdn Bhd is a watershed moment for the cryptocurrency industry. It serves as a cautionary tale and a guide, emphasizing the importance of stringent security measures and the legal responsibilities of service providers to protect their users. As the industry continues to grow, this case will likely be referenced as a pivotal point in shaping future cybersecurity practices and legal standards.
Reference
[1] Free Malaysia Today. Retrieved from https://www.freemalaysiatoday.com/category/nation/2023/10/31/court-awards-man-rm700000-for-money-stolen-from-crypto-wallet-provider/
[2] News Straits Times (2023). In major ruling, Malaysian man wins RM697,000 from crypto firm Luno over unauthorised Bitcoin buys. Retrieved from https://www.malaymail.com/news/malaysia/2023/11/01/in-major-ruling-malaysian-man-wins-rm697000-from-crypto-firm-luno-over-unauthorised-bitcoin-buys/99525