Caught Between Code and Conscience: An Ethereum Validator Plans to Sue Lido and Stakefish in US Federal Court Over Stolen Funds

In April 2023, veteran crypto users saw their wallets drained of Ether and other digital assets, losses that surpassed $250 million by mid‑2024 and continue to climb. The activity left investigators with little evidence, suggesting a targeted campaign across multiple wallets and platforms. More than two years later, the attackers and their methods remain unknown. 

Aleksey Trofimchuck, a longtime crypto user, had his wallet drained of nearly $2.2 million in ETH (based on today’s value), wiping out his balances and staking rewards from his nine validators. After tracing the movement of his funds, Trofimchuck alleges two major staking providers, Lido and Stakefish, were involved in the transactions and he now plans to sue both providers in a U.S. federal court. 

According to the forthcoming lawsuit, Lido and Stakefish retained around 10 percent in validator service fees and redistributed the rest to their staking clients. Trofimchuck argues they profited from the proceeds of the hack and subsequent transactions. 

Trofimchuck said: “Can you imagine how nefarious it is [that] as a middleman, you take around $1.25 million fee from somebody who was forced to send a transaction with a 100 percent fee to an address they don’t recognize? Then they claim neutrality as a defense! That’s what Lido and Stakefish did, and I am committed to uncovering the truth.”

Ethics vs DeFi neutrality

Both staking platforms cited DeFi neutrality, arguing they could not censor transactions or selectively return rewards. However, critics say this stance contrasts with that of other industry players. U.S.-based Kraken voluntarily assisted in returning approximately $2 million to victims while under regulatory scrutiny, reinforcing legal experts’ view that courts might look past “code is law” when intermediaries profit from tainted funds. 

By contrast, Lido and Stakefish say they are unable to help victims like Trofimchuck: Lido through DAO governance and Stakefish through its non-custodial infrastructure. Stakefish told Trofimchuck it has an “obligation before our stakers,” a stance critics view as turning a blind eye to the source of the funds. 

Salman Ravala, a commercial litigation attorney and adjunct law professor, said the law leaves little room for ambiguity. “Entities must not retain or profit from the stolen assets. Regardless of internal governance or token-holder expectations, anti-money laundering (AML) obligations and the imperative to avoid unjust enrichment are paramount.”

Others caution that the issue is more complex. Igor B. Litvak, Esq., a cybercrime and criminal defense attorney, commented: “In criminal law, it is not enough to declare funds ‘stolen’ and demand their return. Until a court has spoken, entities risk serious liability by acting unilaterally. The safest and legal path is to freeze or flag the assets where possible, notify law enforcement, and act only under court order.” 

Selective accountability

Neutrality can be flexible when a hack victim has moral leverage. ParaSwap DAO, a DeFi DEX aggregator similar to Lido, overrode its own governance laws to return funds to the major exchange Bybit. The decision was framed as a response to North Korea’s hacking group, the Lazarus Group. But when the victim is an individual crypto holder, silence is more common.

Legal tests to DeFi’s neutrality

The lawsuit also challenges DeFi’s recurring defense that protocols cannot be sued because they are not legal entities. In a prior case, a U.S. District Judge rejected Lido’s claim that it does not “exist” in a legally cognizable form, allowing claims to proceed and signaling that DAOs and their backers still face liability. Trofimchuck also points to Stakefish’s past reimbursements to Lido after hardware errors as proof that restitution is possible “when it wants to be.”

DeFi ethics on trial 

Trofimchuck is seeking to recover his $1.6 million, costs, and attorneys’ fees. “Decentralization isn’t a free pass to ignore crime,” Ravala added. Trofimchuck is also urging other victims to file complaints with the FBI and SEC, arguing that collective action may be necessary to force clarity. 

As this lawsuit takes shape, the broader Web3 ecosystem faces a choice: stand by and allow decentralized absolutism, or accept that ethics and the law will always apply when people are involved.