Case Story: Lack of Consumer Protection Procedures, AI Manipulation, and the Threat of Fund Concentration in Crypto. Seeking Assistance to Fund a Civil Case to Establish Facts and Protect Vulnerable Consumers from Damage Caused by Automated Systems

post by Petr Andreev (petr-andreev) · 2024-08-08T05:55:09.775Z · LW · GW · 0 comments


Good time of the day. And thank you for the wonderful work you do!

I really like the concept of making fewer mistakes. I would appreciate it if you could point out any of my errors. I know I am definitely wrong, and my worldview is completely or largely incorrect. My cognitive abilities are sufficient only to read HPMOR 3 times and LessWrong articles, mostly in translation. Please point out where I am making mistakes. If any part is incorrectly formatted, please feel free to delete it, but please do not ignore it.
In some countries, there are actual consumer protection procedures at the local level.

This is due to the necessity of protecting their rights, especially from large companies, natural and common monopolists. There are rules that allow for the annulment of any actions of public contracts by monopolists to prevent them from endlessly abusing countless rules and running endlessly within innumerable corridors.

There are even European directives on consumer protection rights and English laws on unfair terms in consumer protection. They are created so that the consumer can always theoretically protect their rights, but in reality, this is very difficult.

However, this does not work at all at the international level of civil law. People have no rights or protection in other jurisdictions. You can google international consumer law and you will find out how to bypass it rather than how to comply with it, let alone find actual procedures.

And this is a big problem in the context of AI scalability.

In 2021, during what was called a bear market in the cryptocurrency market, companies were collapsing like a house of cards one after another. For many reasons, people were withdrawing liquidity as much as they could, even from their own users. 
https://x.com/TomDwan/status/1592026755107520512

I see that the LessWrong community, 80,000 Hours, and Effective Altruism are involved in the regulation of artificial intelligence and automated procedural agents, but there are many wonderful laws in the world that do not work.

Typically, organizations such as states or corporations in everyday life often resemble automatic generative artificial intelligence models, similar to the Vogons from Douglas Adams' "The Hitchhiker's Guide to the Galaxy," who systematically destroy everything in their path.

https://upload.wikimedia.org/wikipedia/en/3/39/Vogon_poetry2.jpg

With one hand, they recite poetry, and with the other, they build highways through the homes of ordinary people who cannot navigate through the corridors of Vogon bureaucracy.
I am one of the advocates of the secular value of legal principles, and that is why I like the implementation of declarative legal verses into real procedures that help end consumers protect and defend their rights.

Not for the protection of humanity’s survival or defense against AI, but simply because the victims of organizations could be your parents, young children, or yourself during moments of mental weakness in System 2 when System 1 is exhausted.

Moreover, people shouldn't have to think about everything; services should work as expected. No one can be fully knowledgeable about everything.
Therefore, consumer protection law exists, formed with the presumption that victims have priority for protection, and the other party (the service or monopolist framework) must prove its good faith.

But as already noted, the issue is not even in the material part of the law but in the realm of real procedures for implementing laws into actual protection for people, the end consumers.

But let's turn to a specific story about a specific person. It could be interesting to you or to anyone you share it with.

This is a story about consumer protection for a senior consumer in crypto.

It's an interesting story about an elderly senior, Rollan, from Odessa, Ukraine, who lives under bombardment with his venerable father.

When the war started, he moved his family's BTC funds to a Binance vault (a well-known CEX) because, at that time, there were narratives suggesting such vaults were very safe.

He tested one of his algorithms by connecting with a top Binance partner, a top 1 startup from Estonia, and then turned off the algorithm after the test but did not reset the keys.

And then it turned out that the partnership between the exchange and the API trading platform simply lost these keys, which were as simple as a pair of login and password. These API tokens were just two lines.

All his family funds in Binance were gone, along with thousands of other assets from vaults of other people.

Another user kept money in Binance's own currency, BUSD, and also used the 3Commas API trading platform to automatically convert all incoming transactions into Binance's BUSD stablecoin (at that time; it has since been completely discontinued).

He turned it off as it didn't work, but still, a year later, lost all his money on the exchange.

And there are hundreds of such people in this situation.

The CEO of Binance blamed the users themselves, saying they were victims of phishing attacks or similar incidents. However, he mentioned that if the victims could prove they didn't steal the money themselves, they could be refunded.

(The victims proved it; moreover, CZ himself was reasonably sure: https://x.com/cz_binance/status/1608182790540902407?s=20. But, of course, no money was reimbursed.)

He advised them to contact state authorities independently, which they did. People never received any documents about criminal cases being initiated or anything similar.
Because those with marketing power, opinion leaders, and money are the ones who win.

The victims' money was traded through low-liquidity pairs. This allows bypassing KYC and other fake protection methods.

The withdrawal process by ‘in-house’ hackers can be imagined as if you were withdrawing funds by making hundreds of thousands of trades, selling a 'rare' tomato from one of your hands to your other hand for $5, then immediately buying it back for $4 with your first hand, and then selling it again to the second hand for $5.

And that, 40k+ times in a few hours.

Now you know how trading through low-liquidity pairs works.

These funds were traded out of consumer wallets automatically, bypassing all internal wallets and ignoring any defence.
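The pattern described above, two accounts passing the same asset back and forth at alternating prices until one side is drained, is detectable from the exchange's own fill ledger. The following is an added example written for this post, not code from Binance, 3Commas or the author: it groups fills by market and counterparty set, counts how often the trade direction reverses between the same two accounts, measures what share of the pair's volume that ping-pong represents, and reports the net quote-currency flow per account so the drained side is visible. The account names, the `RARE/USDT` market and every fill are constructed; in the sample the leaked key buys at 5 and sells back at 4, so each round trip moves 1 USDT to the counterparty.

```python
"""Surveillance check for ping-pong (wash-style) trading between two accounts.

Added example; not code from the post, Binance or 3Commas. All account names
and fills below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Fill:
    ts: int        # fill time in seconds (a simple counter in the sample)
    pair: str      # market symbol, e.g. RARE/USDT
    buyer: str     # account that received the base asset
    seller: str    # account that received the quote currency
    price: float
    qty: float

    @property
    def notional(self) -> float:
        return self.price * self.qty


def constructed_ledger() -> List[Fill]:
    """Constructed sample: a leaked key on 'victim_key' buys RARE at 5 from
    'sink_acct' and sells it straight back at 4, one thousand times, so each
    round trip moves 1 USDT of value to the counterparty. A couple of
    unrelated organic fills are mixed in."""
    fills: List[Fill] = []
    t = 0
    for _ in range(1000):
        fills.append(Fill(t, "RARE/USDT", buyer="victim_key", seller="sink_acct", price=5.0, qty=1.0))
        fills.append(Fill(t + 1, "RARE/USDT", buyer="sink_acct", seller="victim_key", price=4.0, qty=1.0))
        t += 2
    fills.append(Fill(t, "RARE/USDT", buyer="alice", seller="bob", price=4.5, qty=3.0))
    fills.append(Fill(t + 1, "BTC/USDT", buyer="carol", seller="dave", price=20000.0, qty=0.1))
    return fills


def detect_ping_pong(fills: List[Fill], min_flips: int = 50, min_share: float = 0.5) -> List[dict]:
    """Group fills by (pair, counterparty set), then flag groups whose trade
    direction keeps reversing and that dominate the pair's volume.

    direction_flips:      consecutive fills between the same two accounts in
                          opposite directions (A sells to B, then B sells to A).
    share_of_pair_volume: notional between the two accounts over the pair's
                          total notional; near 1.0 means nobody else trades it.
    net_quote_flow:       per account, quote received as seller minus quote
                          paid as buyer; the sign shows who is being drained.
    """
    pair_volume: Dict[str, float] = defaultdict(float)
    groups: Dict[Tuple[str, FrozenSet[str]], List[Fill]] = defaultdict(list)
    for f in fills:
        pair_volume[f.pair] += f.notional
        groups[(f.pair, frozenset((f.buyer, f.seller)))].append(f)

    alerts = []
    for (pair, parties), group in groups.items():
        group.sort(key=lambda f: f.ts)
        flips = sum(1 for prev, cur in zip(group, group[1:]) if prev.buyer != cur.buyer)
        volume = sum(f.notional for f in group)
        share = volume / pair_volume[pair] if pair_volume[pair] else 0.0
        if flips >= min_flips and share >= min_share:
            alerts.append({
                "pair": pair,
                "parties": parties,
                "fills": len(group),
                "direction_flips": flips,
                "share_of_pair_volume": round(share, 4),
                "net_quote_flow": {
                    acct: sum(f.notional if f.seller == acct else -f.notional for f in group)
                    for acct in parties
                },
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ping_pong(constructed_ledger()):
        print(alert)
```

On the constructed ledger the check raises a single alert for the `victim_key`/`sink_acct` pair with 1999 direction reversals, over 99% of the pair's volume, and a net flow of +1000 USDT to `sink_acct`; the organic `alice`/`bob` fill never reverses direction and is left alone. The thresholds are deliberately loose placeholders; a real surveillance desk would tune them per market depth.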

The attackers knew the protection system.

One of the victims even used fast connect, a system that allows users not to have the keys to their wallets themselves but to give the keys from Binance directly to the API trading platform.

This means the attackers obtained these keys not through hacking the users' interfaces but through internal systems of Binance/3Commas, through internal databases that were unprotected.

People on Twitter said someone posted this data openly on Reddit.

Apparently, many people had access from 3Commas and their relatives, but I don't know for sure; there is no data, no forensic analysis was conducted, no logs or APIs were provided.

Possibly, they had conflicts with social white-hat hackers prior and during attack.

For example, the CEO of 3Commas promised a $100k reward in the middle of the attack for anyone who could hack them but, of course, did not pay. (https://x.com/ichimikichiki/status/1601243129969258496)

During the attack, some third parties noted that the CEOs of 3Commas and Binance (CZ) discussed the issue but did not reset the keys.

The 3Commas CEO assured everything was fine, while Binance's CEO stated they would compensate if the victims did not steal their funds.

He mentioned being certain that 3Commas was to blame, but then there was silence. No cooperation with the victims; they didn't even ask the victims for anything. They also blocked any lawyer's work. Why? Because they can.

It was a bear market at the time, and it appears that at least one 3Commas employee, or many others, had access to people's keys, which were connected to different CEXs.

Consequently, the funds of the venerable consumer, along with hundreds of others, were traded off on low liquidity pairs for the profit of Binance, 3Commas, and at least some unknown classified entities linked to money laundering in Kyrgyzstan.

One of the main victims, Rollan, with his ethnic family, tried to contact his distant financial relatives. They connected him with high-ranking US compliance officers investigating the case with Binance.

Working with Inca Digital, an open-source intelligence company, they traced the addresses, discovering the trails leading to Kyrgyzstan (one victim even found a new ID of the 3Commas CEO from Kyrgyzstan). They also found a lot about CZ's structure: https://inca.digital/intelligence/binance-entities-report/

The open-source intelligence company, Inca Digital, gave a short report confirming the assets were stolen.

https://www.linkedin.com/posts/petr-andreev-841953198_crypto-and-ai-threat-summary-activity-7165511031920836608-K2nF?utm_source=share&utm_medium=member_desktop

The report also highlighted the guilt of Binance/3Commas in wash trading (creating false graphs).

A case was initiated in the USA against CZ, but not on behalf of the people. We are not sure whether any of these materials were added to this case: https://www.justice.gov/opa/speech/attorney-general-merrick-b-garland-delivers-remarks-announcing-binance-and-ceo-guilty.

We don’t see anything about wash trading. Also, some information can be found only in the web.archive copy of the https://inca.digital/ site.

The Estonian (3Commas' home jurisdiction) criminal police and prosecutor refused to open a criminal case, so people couldn't even get legal recognition of their loss. In Estonia there are some investors of 3Commas (a partner of Binance), and they have a strong legal defence.

The police didn’t open a criminal case against Binance, 3Commas, the hacker, or the victims.

No forensics, logs, API logs, or other actions.

To raise a civil case in the UK with a lawyer who also obtains a (maybe even bigger) Inca Digital report, the victims need about 0.5 million pounds, and in Estonia about 40k for each victim (some victims lost amounts similar to Rollan's; all the victims together lost about 20-25 million).

I understand that the world works through direct connections.

And without the involvement of some 80,000 Hours, LessWrong or other high-level community member, it will be impossible to get any help. I predict that my post will, with high probability, be deleted, rejected or otherwise be useless, because I have enough experience that AI safety in organisations and grants are usually fake, and this is a big problem. At least for stupid Asperger's, passive-aggressive people like me. The EU did not respond, and for grants, a charity organization with numbers is needed.

To move the case forward, it needs money and media support. I saw this grant: https://futureoflife.org/grant-program/mitigate-ai-driven-power-concentration/
But I don’t have a charity organization with numbers.

Attempts to contact NYT resulted in them publishing different material supporting Binance. I understand that "after" does not mean "because of." In any case, I am only writing what I see.

Of course, low-liquidity stealing from CEXes, stocks, and banks (by Forex) is just another breach of the wall that allows bad AI to access any amount of liquidity from this sector.

It’s not about extinction itself.

Just about the concentration of a lot of money in the hands of bad AI users.

But still, helping real people defend their rights from bad AI and frontier technologies is very important to prevent these tools from being exploited by autonomous AI.

We should not give them the advantage of using such loopholes.

It's clear that all vulnerable people, children, and other consumers should be very cautious about using new technologies due to the numerous ways frameworks can steal money from various vault breaches.

I do not know what to do next with this case. Any ideas are welcome. I am sure it is impossible to find half a million pounds to open a civil case in the UK, but maybe it’s possible to find direct help to pay for the state fee in Estonia.

In general, paying state fees for cases where an organization, a natural monopolist, loses your money due to an internal automatic hack should be free for the victims, not only for their rights but also to ensure that organizations dedicated to preventing the misuse of AI receive reports and real evidence of violations by artificial intelligence and other automatic and semi-automatic hacking systems (which will obviously become fully automatic because any profitable thing becomes automatic).

Maybe it would help if a funder from the AI sphere got involved.

Do you have any contacts with lawyers or specialists, like Jaan Tallinn (he is from Estonia), or from UK who could apply pressure to resolve this case? Or at least fund the effort from that side?

Many victims are ready to give back 5 times the funds invested by the funders, maybe even more.

The issue is not just about money, but about the marketing pressure on the perpetrators and the platforms that benefit from such errors within their established systems.

Beautiful declarative populist laws are wonderful, but we also need real procedures and methods to enforce existing laws, to make people proactive in defending their civil rights.

In general, if all laws were actually enforced, there would be less need for additional AI-specific regulations.

Law consists of three parts: “hypothesis, disposition, sanction,” and if any of these components are missing, businesses find it profitable to act according to the profitable Christian tradition of first making profitable mistakes and then asking for forgiveness.

Therefore, the concrete implementation of any regulations and their actual enforcement from the perspective of rights restoration is crucial. In the area of international civil law, this is extremely difficult, but experience shows that only private initiatives have a positive impact on combating AI and other threats.

However, we need community support, especially in modern conditions where protection depends more on marketing and funding rather than simply being right from the perspective of idealized law.

Thank you for your attention.

I hope this story was interesting to you, community of LessWrong. I would appreciate any help. I am ready to provide any details, links, and so on.

Kind regards,
Petr Andreev

According to information from the American (SEC) and Estonian regulators, both companies, Binance and 3Commas, answered that they have no financial licences, which shows how companies can evade any legal requirements.

Some main points from here:

1. AI manipulation, funds concentration threat

2. Lack of investigation by Binance and 3Commas, and lack of law enforcement cooperation open to the public

3. Use of fake KYCs and proxy persons (API trading platforms in general, and especially low-liquidity pair trading, could evade KYC barriers and enable money laundering on any stocks, forex, etc.)

4. Monopolistic behavior and issues arising from the rapid growth of industry leaders

5. Absence of robust security technologies, such as RSA or zero-knowledge proofs for token encryption; the connection was as simple as login+password. Lack of reset filters, with hackers demonstrating knowledge of abnormal Binance filters

6. No refunds, fake #SAFU assurances. Challenges with consumer protection in international law, absence of adequate consumer contracts, unfair terms, and no accountability; Binance's Hong Kong arbitration is ineffective even in Hong Kong (after CEXes like Binance, the situation will be even worse with DEXes). No CFO at Binance: https://x.com/mikealfred/status/1598106156811317248?s=20

7. Obstruction of representative work, as Binance exclusively communicates with consumers directly. No working old consumer procedures, nor any new ‘code is law’ narratives

8. Refusal by Binance and 3Commas to provide API logs, no forensic actions, etc., leading to governance issues. Failure to block or reset API tokens during the hack attack

9. Authorities' silence regarding Data Protection Officer status in 3Commas before December
(https://ariregister.rik.ee/eng/company/16238525/3Commas-Invest-O%C3%9C?search_id=13cb749&pos=1
https://ariregister.rik.ee/eng/company/14125515/3Commas-Technologies-O%C3%9C?search_id=13cb749&pos=2)
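Points 5 and 8 above, together with the earlier detail that the test bot was switched off but its key was never reset, describe an API-key lifecycle with no revocation step. The block below is an added example, not code from the post, Binance or 3Commas, of the kind of exchange-side sweep that closes that gap: it revokes every key delegated to a platform under incident, revokes keys idle beyond a threshold, downgrades third-party keys that carry withdrawal rights, and flags trading keys accepted from any IP. The key records, owners, the platform name `bot-platform-x`, the address `203.0.113.10` and the thresholds in `Policy` are all constructed placeholders.

```python
"""Exchange-side API key hygiene and incident revocation sweep.

Added example; not code from the post, Binance or 3Commas. The key records,
the platform name 'bot-platform-x' and the policy thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    owner: str
    scopes: FrozenSet[str]           # subset of {"read", "trade", "withdraw"}
    created: datetime
    last_used: Optional[datetime]    # None if the key was never used
    ip_allowlist: FrozenSet[str]     # empty means any source IP is accepted
    delegated_to: Optional[str]      # third-party platform holding the key, if any


@dataclass(frozen=True)
class Policy:
    max_idle: timedelta = timedelta(days=30)
    third_party_forbidden: FrozenSet[str] = frozenset({"withdraw"})
    compromised_platforms: FrozenSet[str] = frozenset()


Action = Tuple[str, str, str]  # (key_id, action, reason)


def evaluate_keys(keys: List[ApiKey], policy: Policy, now: datetime) -> List[Action]:
    """Return the action to take on each key that violates the policy.

    Rules, in priority order:
      1. keys delegated to a platform under incident are revoked outright;
      2. keys idle longer than max_idle are revoked (a test bot that was
         switched off but whose key was never reset);
      3. third-party keys carrying forbidden scopes are downgraded;
      4. trading keys with no IP allowlist are flagged for the owner.
    """
    actions: List[Action] = []
    for k in keys:
        if k.delegated_to and k.delegated_to in policy.compromised_platforms:
            actions.append((k.key_id, "revoke", f"delegated to {k.delegated_to}, which is under incident"))
            continue
        last_activity = k.last_used or k.created
        if now - last_activity > policy.max_idle:
            actions.append((k.key_id, "revoke", f"idle since {last_activity.date()}"))
            continue
        forbidden = k.scopes & policy.third_party_forbidden
        if k.delegated_to and forbidden:
            actions.append((k.key_id, "downgrade", f"third-party key carries {sorted(forbidden)}"))
        if not k.ip_allowlist and (k.scopes & {"trade", "withdraw"}):
            actions.append((k.key_id, "flag", "trading key accepted from any IP"))
    return actions


def constructed_keys(now: datetime) -> List[ApiKey]:
    """Constructed sample records; owners and the platform name are placeholders."""
    return [
        # test bot switched off long ago, key never reset
        ApiKey("k-test-bot", "user_a", frozenset({"read", "trade"}),
               created=now - timedelta(days=400), last_used=now - timedelta(days=390),
               ip_allowlist=frozenset(), delegated_to="bot-platform-x"),
        # live bot key that also carries withdraw rights
        ApiKey("k-live-bot", "user_b", frozenset({"read", "trade", "withdraw"}),
               created=now - timedelta(days=10), last_used=now - timedelta(hours=1),
               ip_allowlist=frozenset({"203.0.113.10"}), delegated_to="bot-platform-x"),
        # personal trading key with no source restriction
        ApiKey("k-personal", "user_c", frozenset({"read", "trade"}),
               created=now - timedelta(days=5), last_used=now - timedelta(days=1),
               ip_allowlist=frozenset(), delegated_to=None),
        # read-only key: nothing to do
        ApiKey("k-readonly", "user_d", frozenset({"read"}),
               created=now - timedelta(days=100), last_used=now - timedelta(days=2),
               ip_allowlist=frozenset(), delegated_to=None),
    ]


def sweep(compromised_platforms: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Run the sweep over the constructed records at a fixed constructed time."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = Policy(compromised_platforms=frozenset(compromised_platforms))
    return [(key_id, action) for key_id, action, _ in evaluate_keys(constructed_keys(now), policy, now)]


if __name__ == "__main__":
    print("routine sweep:", sweep())
    print("incident sweep:", sweep({"bot-platform-x"}))
```

In the routine sweep the forgotten test key is revoked for idleness, the live bot key is downgraded because a third party should never hold withdrawal rights, and the personal key is flagged for lacking an IP allowlist. Once `bot-platform-x` is marked as under incident, both keys delegated to it are revoked immediately, regardless of how recently they were used, which is the reset step the post says was never taken.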

You can read an executive summary report about the incident here: https://www.linkedin.com/posts/petr-andreev-841953198_crypto-and-ai-threat-summary-activity-7165511031920836608-K2nF?utm_source=share&utm_medium=member_desktop

Thank you for your attention. I hope this story was interesting to you, community of LessWrong. I hope you read this without anger and approach the incident with genuine interest. I am ready to provide any details, links, and so on. I would appreciate any help, mentorship, and guidance.

And thank you for the wonderful work you do!
