Vanuatu has passed laws to regulate digital assets and provide a licensing regime for crypto companies wanting to operate in the Pacific island nation, which a government regulatory consultant has called “very stringent.” 

The local parliament passed the Virtual Asset Service Providers Act on March 26, giving crypto licensing authority to the Vanuatu Financial Services Commission (VFSC) along with powers to enforce the Financial Action Task Force’s Anti-Money Laundering, Counter-Terrorism Financing and Travel Rule standards with crypto firms.

The VFSC has sweeping investigation and enforcement powers under the laws, with penalties stipulating fines of up to 250 million vatu ($2 million) and up to 30 years in prison.

“God help any scammer that goes into Vanuatu because you’ll go to jail,” Loretta Joseph, who consulted with the regulator on the laws, told Cointelegraph. “The laws are very stringent.”

“The thing is, we don’t want another FTX debacle,” she added, referring to the once Bahamas-based crypto exchange that collapsed in 2022 due to massive fraud committed by its co-founders, Sam Bankman-Fried and Gary Wang, along with other executives.

“Vanuatu is a small jurisdiction. Small jurisdictions are preyed on by the players that are looking for no regulation or light touch regulation,” Joseph said. “This is certainly not that.”

“I’m so proud of them to be the first country in the Pacific to actually take a position and do this,” she added. 

New Vanuatu law regulates slate of crypto companies

The law establishes a licensing and reporting framework for exchanges, non-fungible token (NFT) marketplaces, crypto custody providers and initial coin offerings.

The law notably allows for banks to be licensed to provide crypto exchange and custody services. Source: Parliament of the Republic of Vanuatu

The VFSC said that the legislation doesn’t affect stablecoins, tokenized securities, and central bank digital currencies even though they “may in practice share some similarities with virtual assets.”

The legislation also allows for the VFSC’s commissioner to create a sandbox to allow approved companies to offer a variety of crypto services for a year, which can be renewed.

Related: Australia outlines crypto regulation plan, promises action on debanking

Joseph said Vanuatu “needed a standalone piece of legislation” that covered Anti-Money Laundering and Counter-Terror Financing requirements, as the country didn’t have existing laws suited to virtual assets.

The regulator said in a March 29 statement that it had developed the legislative framework after years of “assessing the risks associated with virtual assets,” and the laws would open “numerous opportunities for Vanuatu” and improve financial inclusion by allowing regulated services for crypto cross-border payments.

VFSC Commissioner Branan Karae had said in June that the bill was expected to pass that September, but Joseph said the legislation was “not something that was done lightly.” It had been in development since 2020 and was delayed due to changes in government, natural disasters and COVID-19 pandemic-related disruptions.

Magazine: How crypto laws are changing across the world in 2025 

The founder of the recently hacked decentralized finance protocol SIR.trading has made an emotional plea to the attacker, asking them to return around 70% of the stolen customer funds otherwise, the protocol will not survive.

“Here is my proposal, keep $100k as a fair share for your critical bug find, and return the remaining,” SIR.trading’s pseudonymous founder “Xatarrer” wrote in a March 31 onchain message to the attacker following the $355,000 hack on March 30.

“We’ll call it even. No legal games, no drama,” they added. 

Xatarrer said that SIR.trading was built on the back of four years of late-night coding and $70,000 from friends and believers without any additional venture capital funding.

“We grew to $400k TVL organically without any advertising. If you keep 100% of the funds, there is no chance for us to survive.”

Xatarrer even praised the hacker for the sophisticated hack, stating that it was “almost beautiful if it wasn’t for all the funds people lost.”

Source: SIR.trading

The hacker hasn’t responded and has already transferred the stolen funds through to Ethereum privacy solution Railgun, according to data from Ethereum block explorer Etherscan.

Xatarrer initially said on March 30 that the SIR.trading team intended to keep the protocol up and running despite the setback. “We’ve already started planning our next steps. Those impacted by the hack will not be forgotten,” it said on March 31.

Hack resulted from feature added to Ethereum’s Dencun upgrade

The hacker targeted a callback function used in the protocol’s “vulnerable contract Vault” which leverages Ethereum’s transient storage feature. 

The hacker managed to replace the real Uniswap pool address used in this callback function with an address under the hacker’s control, allowing them to redirect the funds in the vault to their address by repeatedly calling the callback function until all of the protocol’s total value locked was drained.

The transient storage feature was added to Ethereum in the March 2024 Dencun upgrade as a solution to offer users lower gas fees than gas typically required for regular storage.

Related: DeFi hacks drop 40% in 2024, CeFi breaches surge to $694M — Hacken

SIR.trading’s documentation shows that it was billed as “a new DeFi protocol for safer leverage” to address some of the challenges that often occur in leveraged trading — such as volatility decay and liquidation risks.

It comes as crypto lost to exploits and scams fell to $28.8M in March, blockchain security firm CertiK said in a March 31 X post. Around $4.8 million was subtracted from that figure after hackers involved in the 1inch Resolver incident returned the stolen funds.

Crypto exploits and scams had one of its worst months in February, headlined by the $1.4 billion Bybit hack.

Magazine: Should crypto projects ever negotiate with hackers? Probably

The hacker behind the $9.6 million exploit of the decentralized money-lending protocol zkLend in February claims they’ve just fallen victim to a phishing website impersonating Tornado Cash, resulting in the loss of a significant portion of the stolen funds.

In a message sent to zkLend through Etherscan on March 31, the hacker claimed to have lost 2,930 Ether (ETH) from the stolen funds to a phishing website posing as a front-end for Tornado Cash. 

In a series of March 31 transfers, the zkLend thief sent 100 Ether at a time to an address named Tornado.Cash: Router, finishing with three deposits of 10 Ether.

“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused,” the hacker said.

The hacker behind the zkLend exploit claims to have lost most of the funds to a phishing website posing as a front-end for Tornado Cash. Source: Etherscan

“All the 2,930 Eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money,” they added.

zkLend responded to the message by asking the hacker to “Return all the funds left in your wallets” to the zkLend wallet address. However, according to Etherscan, another 25 Ether was then sent to a wallet listed as Chainflip1. 

Earlier, another user warned the exploiter about the error, telling them, “don’t celebrate,” because all the funds were sent to the scam Tornado Cash URL.

“It is so devastating. Everything gone with one wrong website,” the hacker replied.

Another user warned the zkLend exploiter about the mistake, but it was too late. Source: Etherscan

How zkLend was exploited for $9.6 million

zkLend suffered an empty market exploit on Feb. 11 when an attacker used a small deposit and flash loans to inflate the lending accumulator, according to the protocol’s Feb. 14 post-mortem. 

The hacker then repeatedly deposited and withdrew funds, exploiting rounding errors that became significant due to the inflated accumulator. 

The attacker bridged the stolen funds to Ethereum and later failed to launder them through Railgun after protocol policies returned them to the original address. 

Following the exploit, zkLend proposed the hacker could keep 10% of the funds as a bounty and offered to release the culprit from legal liability and scrutiny from law enforcement if the remaining Ether was returned.

Related: DeFi protocol SIR.trading loses entire $355K TVL in ‘worst news’ possible

The offer deadline of Feb. 14 passed with no public response from either party. In a Feb. 19 update to X, zkLend said it was now offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered.

Losses to crypto scams, exploits and hacks totaled over $33 million, according to blockchain security firm CertiK, but dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds. 

Losses to crypto scams, exploits and hacks totaled nearly $1.53 billion in February. The $1.4 billion Feb. 21 attack on Bybit by North Korea’s Lazarus Group made up the lion’s share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022. 

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis