blocksec

If accurate, 87% of victims have done nothing to recover their assets. This not good! Folks, take a break from Twitter, spend a day researching how to go about this in your jurisdiction, put together a complaint document complete with screenshots, evidence, and all necessary details - and submit everything to the proper authorities. This is the way. This is what you can do to help yourselves. This is how situations like this get resolved. Please, for your own good, keep your eye on the ball.

globianceの被害者の方に質問です。 今までに、資産凍結に対する正式な苦情申し立てをしたことがありますか？ 弁護士さんへの相談などは除きます。

@nXPEB1FZ5aRfI1B 1) On chain analysis is complete. So not sure what you’re asking for… 2) Legal action can only be initiated by victims. XinFin isn’t a victim. It’s up to you to initiate. 3) Atul never once said he doesn’t intend to help.

このコメントを見るにやはり助けるつもりはなさそうやね チェーンで追えるなら少し調査したりグロビを訴えるだけで非難は逸れるのになぜそれすらやらないのだ？ 何もせず中央集権pjに構築させておいて関係ないと個人的で言い続けても何の意味もない すべてのレイヤー2と一切無関係と公式から発信しなよ

All the platforms building on XDC are third party and do not get any support from XDC core team beyond technical support. Our job is only making sure we push the protocol and standards forward and keep improving them. We do not support/endorse any platform offering yields or promising returns. We do not give any investment advise. Community needs to assess and engage at their own risks, failing to do so can mean losing all funds. Everything is onchain and transparent to the level of every transaction hash and movement on the chain. I as founder only work on improving the protocol.

1) Globiance is obliged to return user funds in full, regardless of what Atul does to help. “Pausing” efforts to return user funds was disingenuous of them from the start. Nothing Atul does negates their legal obligations. 2) Contrary to their public announcements, to this day I’ve seen no credible (on chain) evidence that Globiance has returned any user funds. 3) In addition, by discouraging users who’ve (supposedly) received their funds from sharing TX hashes and by refusing to share TX hashes themselves so the community can independently verify their public claims, they are being doubly disingenuous. Globiance could easily share the public address of the wallet they’re using to return user funds - their refusal to do so (on manifestly absurd grounds), combined with the lack of users credibly claiming to have received their funds back, suggests that they have not returned any user funds. TL;DR Globiance continues to play games. Until they share the wallet address they’re using to return funds to users, I’d trust nothing they say. P.S. For our part, work on the legal structure is ongoing - this is a massive, tricky undertaking and, as I’ve said, it will take time to get everything in place. Nothing is over until the fat lady sings, but we’re doing our best.

@oeeeeup Biting the hand that feeds just means attacking the people trying to help you. Maybe got lost in translation.

私のリプ欄で「飼い主の餌をやる手を噛む」と言ったことに対し、特に私に向けた言葉ではないとし、 「具体的には、私を脅したあの男のことです。しかし、より一般的には、Belleのように、全力で人を助けようとしている人たちに対して八つ当たりや攻撃をしてきた人たちのことを指しています。」 誰に対してだろうが、被害者が「飼われて」いて、自分たちが「餌を与えている」というその構図そのものが問題だと私は思うんだが。

@chiiiisensei No, of course not. I meant what I said. Based on your question about the safety of XDC staked in nodes, you don’t seem to know what crypto is - i.e, what a validator node is or what Globiance did with their validator nodes.

When you say “what crypto is,” are you suggesting that scamming is acceptable just because it’s crypto? I can’t agree with that at all. I once served as Head of APAC and Head of Institutional Liquidity at the XDC Network. A&R hired me as a trade-finance expert, not a crypto expert. So I'm not fully aware of the crypto industry, but the idea that “fraud is part of the industry” is unacceptable to me, especially as someone who was asked by both A&R and SBI to promote XDC to institutional and retail investors. No. I know how competent and principled A&R are. Even now, they’ve gone above and beyond—setting up a rescue fund and doing everything possible to protect the ecosystem. I respect that deeply, and I appreciate you supporting them. Which is why it’s disappointing to see so little support around them. It also raises a real question: what are the SBI XDC representatives doing? Investor communication in APAC—especially Japan—should be their job. Even if the issue started with Globiance, Japanese users holding XDC through SBI VCT naturally have concerns.

確かSBIもXDCのノードを持っていた気がするのですが、私のSBIVCTに預けてあるXDCは大丈夫と言う理解で良いのでしょうかね。大丈夫じゃないとは言わせませんけれど。

Thank you again @11ppm11 - very helpful. Now I understand your view. We agree about this: “I understand the technical and industry-standard definition of KYC. I recognize that KYC is not a background check but is primarily intended for identity verification, and I also understand the principle that, in a public blockchain, participants should not be pre-screened or excluded in advance.” We don’t agree about wha follows from this. I’d point out that once you grant this premise, it follows that nobody could “reasonably infer” that there was a screening process in place because 1) that’s not what KYC means and 2) a screening process and a public blockchain are mutually exclusive. So, it follows, anyone who invested in XDC on the assumption that there was a screening process in place simply because there was a KYC process was mistaken on two counts: 1) they didn’t know what KYC means and 2) they didn’t know what a public blockchain is. In short, they didn’t know what they were investing in. Anyone who did so therefore made an unreasonable inference based on shoddy research. In addition, even if AML was enforced by XDC (and not just KYC), that wouldn’t have prevented Oliver from spinning up nodes anyway, because he was not sanctioned when he did so - and he still isn’t, so far as I know. For this reason, I’d also point out that even if someone unreasonably inferred that KYC meant AML screening, no one could reasonably infer that a more robust AML screening process would’ve prevented the Globiance fiasco. Investors have a responsibility to know what they’re investing in. KYC has a clear, limited meaning. No public blockchain can incorporate a screening process. And even if there were by some miracle a screening process on a public blockchain like XDC, this wouldn’t have prevented Oliver from doing what he did. It’s unreasonable, I think, to hold XDC responsible for the three above mentioned unreasonable inferences made by some investors. That said, to be clear, this isn’t their fault. Globiance made clear and specific assurances to them - Globiance even assured users their funds were insured and absolutely safe - and now Globiance is going to have to face the music. Oliver was legally prohibited from doing what he did. I know (from my DMs) that many victims who are less vocal on here have retained lawyers and filed official complaints. I was glad to see that some of the relevant authorities have been notified and the ball is rolling. The legal process takes time, but it is inevitable. I’d urge everyone to focus on filing complaints, ideally with the help of a lawyer.

First of all, thank you for your thoughtful and detailed response. I appreciate you taking the time to clearly explain your perspective. As a starting point, I understand the technical and industry-standard definition of KYC. I recognize that KYC is not a background check but is primarily intended for identity verification, and I also understand the principle that, in a public blockchain, participants should not be pre-screened or excluded in advance. However, the issue I am raising is not what KYC is in a technical sense. My concern lies in how KYC has been positioned externally and in what context it has been emphasized—that is, what kind of message was communicated as a business entity, and what expectations were formed as a result. This is not a technical issue, but a matter of governance and management, and it is an area that management should be particularly attentive to. Within XinFin, KYC has not been discussed in isolation, but rather in conjunction with terms such as “regulatory readiness,” “financial institution readiness,” and “institutional readiness.” In this context, it seems quite natural that ordinary participants and investors would infer that some form of prior review or operational oversight was in place. This is because, in such regulatory and financial contexts, KYC is commonly understood not merely as identity verification, but as part of broader frameworks aimed at preventing money laundering, fraud, and other illicit activities—specifically, frameworks such as Customer Due Diligence (CDD) and AML/CFT, as recommended by the FATF (Financial Action Task Force). These frameworks typically assume not only identity verification, but also sanctions and watchlist screening, risk-based assessment, and ongoing monitoring. Despite this, the view that “the absence of background checks should have been taken as a given and understood as such” relies heavily on a developer- or technology-centric perspective. It remains unclear to what extent this assumption was clearly and consistently communicated to participants, including non-technical ones. That is a key point. Accordingly, if one starts from the premise that KYC was limited strictly to identity verification, it is reasonable to question whether it was appropriate to actively describe the system as “regulatory-ready” or “financial-institution-ready.” Alternatively, there could have been an option to clearly articulate that premise and, at an early stage, delegate KYC and verification processes to an independent third-party vendor. Had that been done, the alignment between the claims of regulatory or financial-institution readiness and the actual scope of verification would have been clearer. It would also have clarified what was being checked, what was not, and where responsibility lay, likely reducing much of the confusion around expectations and governance. My intention here is not to assign blame, nor to challenge the principles of public blockchains. I am simply and calmly re-examining how XinFin positioned itself as a business entity, what messages it conveyed to the public, and whether the expectations formed as a result were consistent with the explanations and accountability that followed. That is, in my view, the core issue.

I appreciate you taking the time to explain the design perspective when you are able. Separately from that explanation, and from a governance standpoint, I wanted to clarify one point. Regardless of how sound the design intent may be, the key issue is whether that intent — particularly regarding the role and limits of KYC — was communicated clearly and consistently to investors and other external stakeholders. When a term like “KYC-enabled” is used as a trust signal, it is important that its meaning, scope, and limitations are not only understood within the development team, but also correctly recognized by the broader community. If that understanding remained largely internal while external participants reasonably inferred broader assurances, that situation itself becomes a governance and disclosure issue. In that sense, the question is not the validity of the design, but whether the explanation surrounding KYC was sufficient given its role in shaping investor expectations.

This is very clarifying, thank you @11ppm11 So, let me just zero in on what I think is the key assumption you’re making, which is this: “Given that it has been discussed in contexts such as “KYC-enabled,” “regulatory compliance,” and “financial institution readiness,” I believe it was reasonable for ordinary investors and participants to expect that at least high-risk actors were not being accepted without review or limitation, and that some level of prior screening and governance was functioning.” This assumption is mistaken for a number of reasons. 1) Above all, KYC is not a background check. It’s simply identify confirmation. That’s all. This is what’s causing confusion here. When you KYC at Binance, for example, they don’t run background checks on you. They simply confirm you are who you say you are. Same here. KYC is in no way an endorsement of someone’s trustworthiness or lawfulness - it’s confirmation of identity, nothing more, nothing less. 2) Even assuming for the sake of argument that XDC did run privacy violating and highly intrusive background checks on all node holders (more on the absurdity of that in a moment…), that a) wouldn’t have prevented someone like Oliver from operating nodes. What had he done that would have prohibited him from running a node? He’s just a bald German guy. Why can’t bald German guys who’ve committed no financial crimes spin up nodes? And even if b) it magically prevented anyone with a remotely checkered past from running a node, it wouldn’t prevent people with squeaky clean histories from making mistakes or doing something criminal, as happens all the time. 3) Anyway, XDC doesn’t run background checks before approving validators, and that’s because no public blockchain on earth can/should run background checks before approving validators. Among other things, who would get to decide who can/can’t run a node? Allowing anyone to decide that would defeat the whole purpose of a public blockchain and render it valueless. It’d be a permissioned, private network in that case without any value because it’d be the plaything of the centralized authority, whoever that is. 4) Now you’re quite right that XDC’s KYC is relevant to “regulatory compliance” and “financial institution readiness,” but not because KYC excludes “high risk” individuals (however that’s defined). It’s relevant because it allows regulatory bodies to quickly identify node holders in the event of criminal conduct. They’re not anonymous. That’s all. TL;DR: So, in sum, KYC has an industry standard, clear, and specific meaning. It doesn’t mean what you said above. Nor could it, in the context of a public blockchain. Someone could rob a bank and then spin up a node tomorrow - and that’s how it should and must be.

First, I would like to make one point absolutely clear: I have never claimed that the existence of KYC means that funds are “guaranteed forever,” nor that the return of funds or permanent ownership is guaranteed. In this regard, I feel that my position may have been misunderstood. What I am questioning is not whether KYC itself constitutes a guarantee of funds, but rather what kind of reasonable expectations and trust were formed as a result of introducing KYC and emphasizing it externally. Given that it has been discussed in contexts such as “KYC-enabled,” “regulatory compliance,” and “financial institution readiness,” I believe it was reasonable for ordinary investors and participants to expect that at least high-risk actors were not being accepted without review or limitation, and that some level of prior screening and governance was functioning. Accordingly, my point is not that funds should have been guaranteed, but whether, once KYC and governance were presented as core features, the actual practices, operations, and the handling of accountability when problems arose were consistent with the expectations that had been formed. If there was a gap, then this should be understood not as a technical design issue, but as a matter of governance and accountability. On that basis, I believe that the question of whether compensation should be provided is not for investors or users to decide, but falls within the domain of XinFin’s own management judgment. The appropriateness and scope of any compensation should be determined by the party that promoted KYC and governance, based on its own assessment of responsibility and risk, rather than being assumed as automatic or, conversely, dismissed outright by external parties. In that context, the fact that Atul prepared a rescue fund itself suggests that this issue could not be addressed purely as a matter of individual responsibility, and that XinFin recognized it as a matter requiring consideration from a governance perspective. Conversely, if one truly believes that XinFin bears no responsibility at all, I personally think it might have been more appropriate, from a long-term perspective, not to establish a rescue fund. If there were absolutely no responsibility, then creating a compensatory framework could itself risk sending misleading signals or setting problematic precedents for the future. With that in mind, how do you view this issue? Do your views align with Atul’s, or do they differ?

So 1a) What in your opinion is the nature of the “broader assurances” “reasonably inferred” by anyone in this case? 1b) What would they be exactly? And 2) how would anyone reasonably infer that the existence of KYC for nodes guarantees their funds would indeed be theirs forever, even after they transferred them to a wallet they don’t control?

@11ppm11 I’ve seen this. It doesn’t answer my questions, which are very specific. If you start with them, we can certainly discuss.

@oeeeeup Specifically the guy who threatened me, but more generally those who’ve lashed out at the people doing everything in their power to help, like @B3lle888

@blocksec_xdc Thank you for the valuable advice that “nobody should invest in crypto without taking the trouble to understand the basics,” and for all the “education” up to now. Lastly, could you answer this for me? Who was “talk about biting the hand that feeds” directed at?

この発言は、私人としてのものなのか、それとも XDC／レスキューファンドを代表する公的な立場でのものなのか。 責任の所在を明らかにしないまま進むプロジェクトからは、相変わらず @XDCNetwork のガバナンスの脆弱さがうかがえる。 #globiance @atulkhekade @riteshkakkad @AndreCasterman

What I said above is simply the truth, as anyone deeply immersed in the space knows. It’s not a matter of opinion. Nor is it a “position” about which there can be reasonable disagreement, just as it’s not a “position” that the sun will rise tomorrow - it’s a fact. Nobody should invest in crypto without taking the trouble to understand the basics.

@blocksec_xdc @XDCNetwork @atulkhekade @riteshkakkad @AndreCasterman @O_O_L__ So, just to be clear, what you’re saying here isn’t an official position of the team, correct? And the last sentence — “Talk about biting the hand that feeds” — who was that directed at?

@oeeeeup @XDCNetwork @atulkhekade @riteshkakkad @AndreCasterman @O_O_L__ I’m here speaking in my personal capacity. I’m just trying to do my part to help. And certainly wasn’t aiming that sentence at you.

＊🇯🇵は英語の後に続きます If you consider certain statements to be threats, then I ask that you address them directly to the individuals who made those remarks going forward. As for your final sentence, I cannot simply overlook it. The implication that we are something“biting the hand that feeds us” gives us serious cause for concern. In addition, you have yet to respond to the questions we have raised. I ask once again whether your statements, including the reference to “feeding,” are being made in a personal capacity or in an official capacity representing XDC and/or the rescue fund. This may be repetitive, and we would like to express our appreciation for your efforts. ーーーーーーーーーーーーーー もし特定の発言を脅迫と受け取られているのであれば、今後はその発言を行った当人に対して直接対応していただくようお願いします。 また、最後の一文については、私としては看過できません。私たちが「エサを与えられながらその手を噛む何か」であるかのような表現には、強い懸念を抱いています。 さらに、私たちがこれまで提示してきた質問については、いまだご回答をいただいていません。 改めてお伺いしますが、「feeding（給餌している）」という表現を含むこれらの発言は、私人としてのものなのでしょうか。それとも、XDC および／またはレスキューファンドを代表する公的な立場での発言でしょうか。 繰り返しになりますが、あなたのご尽力に感謝いたします。

The KYC worked as designed, and many of the comments on this subject here are based on serious misunderstandings. KYC doesn’t by itself prevent fraud or criminal negligence. It ensures that those who commit fraud or criminal negligence can be easily identified by the authorities. Performing KYC before spinning up a node isn’t the same thing as submitting to a background check. Nor is it a prophecy, as if performing KYC ensures the node owner won’t ever misappropriate funds or engage in bad/stupid behavior. KYC exists so that victims can take their claims to the proper authorities in the event of wrongdoing. As for Bitrue, it will will only respond to court orders. Exchanges don’t freeze assets in response to Twitter complaints.

画像は、@BitrueOfficial が現在保有している、そして過去に解任されたマスターノードの数を示しています。先日まで68あったマスターノードは、改めて確認したところ49にまで減少しています。それでも、トータルマスターノード数244に対して約20％を占めています。 Bitrueといえば、@globiance からXDCをはじめとする多額の顧客資金が送金されたことが、@blocksec_xdc の調査で明らかになっている暗号通貨取引所です。しかし、blocksecによる調査以前から、globianceの不審な資金の動きや顧客資金が凍結されている事実を察知し、#AML に基づく適切なコンプライアンス上の対応を取っていたかは非常に疑わしく、その後のXやサポートメールによる被害者の報告への対応についても、取引所として適切なコンプライアンスが機能しているか疑問を抱かざるを得ません。 たとえKYCやKYBの審査を通過しても、その有効性が持続しなければ意味はありません。特に、XDCやXDC系トークンとの関わりが深い取引所であるBitrueにおいては、globiance問題に起因する二次的リスクを回避するため、コンプライアンスやガバナンスを含めた適切なKYCの運用が求められます。 @XDCNetwork @atulkhekade @riteshkakkad

@oeeeeup @XDCNetwork @atulkhekade @riteshkakkad @AndreCasterman Apologies for any condescension - but the toxicity is a bit much, what with @O_O_L__ and others here now going so far as to threaten me. So I’m signing off completely until we have more updates to share. Talk about biting the hand that feeds…

I feel a hint of condescension in some of the wording, but I’ll choose not to dwell on it. As these “views” are already well known to us through your prior exchanges with others, there is no need to repeat them further. That said, we would like to ask again whether these statements are made in a personal capacity or in an official capacity representing XDC and/or the rescue fund. We would also appreciate clarification as to what you specifically mean by “conspiracy theories.” Finally, we would like to reiterate that we are seeking an official statement and to express our appreciation for the efforts currently being made.

@mitarashi01414 Facts.

XDC上の一事業者であるグロビアンスの問題と XDCネットワーク本体は切り分けて考えるべきだと思います。 最近SNSでは、やり場のない怒りが 「グロビの問題 → XDC本体の責任」へと 論点がずれているように感じます。 しかし実際には、XDCネットワーク上では 2/3

Nobody’s lying here - the screenshotted statement is largely true. We’re aware, as you posted elsewhere, that V2 data might not be made available. We’ve been told we should be able to get access to V3 data. That’s something, at least. Right now, we’re still processing everything through legal. But as I said before, that’s going to take some time.

#Globiance said the following on TG: Why is communication with Globiance not going well? Who is lying? Globiance victims want a clear statement from @XDCNetwork @atulkhekade 🙏