The front-runner didn't see the race ending with a Stichting shell game. On June 5, 2025, the Dutch Financial Markets Authority (AFM) and the Fiscal Information and Investigation Service (FIOD) raided the offices of Knaken Payments, a small Amsterdam-based crypto exchange that had been operating since 2019 without ever obtaining a proper license. The result: bankruptcy, frozen accounts, and 30,000 clients left wondering where their €8 million in digital assets went. The exchange's CEO publicly claimed client funds were safe. The prosecutor found otherwise.
I've audited smart contracts that looked robust on paper but leaked value through backdoors. Knaken's failure offers a more primitive lesson: legal structures are not cryptographic proofs. A Stichting—a Dutch legal foundation meant to isolate client assets—is only as strong as the assets it actually holds. When AFM asked for proof, the Stichting was empty. The code didn't lie, but the legal wrapper did.
Context: The MiCA Enforcement Shockwave
The Markets in Crypto-Assets (MiCA) regulation came into full force across the European Union on June 30, 2025. But the Netherlands, known for its aggressive financial oversight, began enforcement early. Knaken was a prime target: it had never obtained an AFM license despite years of operation, had no clear KYC/AML framework, and its business model relied on a network of partner banks to handle fiat on-ramps. When one bank terminated its relationship under regulatory pressure, Knaken's liquidity dried up. The exchange tried to keep running by commingling client crypto with operational funds—a practice that the Stichting structure was supposed to prevent.
The collapse is not an isolated event. It is the first major casualty of MiCA's 'comply or die' mandate in the EU's most crypto-friendly jurisdiction. But the real story isn't about regulation—it's about systemic fragility baked into the CeFi model. Knaken's clients didn't lose their coins because of a smart contract exploit or a 51% attack. They lost them because the exchange's management treated legal forms as a substitute for actual asset segregation.
Core: A Forensic Dissection of the Failure
Let's strip the narrative fluff. Knaken was not a hacker's victim. It was a victim of its own incentive structure. The exchange offered trading services, held customer deposits in a single pool of wallets—both hot and cold—and used a Stichting as a 'legal wall' between the operating company and client assets. In theory, the Stichting should have held all client funds in trust, separate from exchange liabilities. In practice, the Stichting had no assets. The exchange was using client money to pay expenses, cover withdrawals, and maybe worse.
During my 2017 EOS smart contract audit, I identified a race condition that could allow infinite token minting under specific block producer configurations. I published a 40-page paper that was ignored by the press but cited by three exchanges. The parallel: both cases involve a carefully built structure that hides a critical flaw—one in code, one in organizational design. In Knaken's case, the flaw was not cryptographic but operational: the legal entity meant to safeguard assets was never funded. The race condition in EOS would have taken consensus to trigger. Here, a single CEO could drain the Stichting at any moment.
The numbers: 30,000 customers, €8 million in crypto assets, average balance just over €260. The trustee appointed to recover assets has already warned that recovery is unlikely. The FIOD investigation is ongoing, and criminal charges are probable. This is CeFi's dirty secret: code audits mean nothing when the admin can transfer funds without on-chain evidence. The exchange didn't need a bug in its order book; it needed a functional Stichting.
A bug is just a feature that hasn't met the right regulator. Knaken's 'feature' was using client deposits as operational float. When AFM demanded proof of segregated funds, the feature became a bug. The exchange collapsed faster than a poorly constructed Uniswap V2 liquidity pair.
Contrarian: What the Bulls Got Right
Despite the obvious failures, there is a counter-intuitive point worth examining. Some industry observers argue that MiCA is too strict, that it stifles innovation by forcing small exchanges to bear heavy compliance costs. In Knaken's case, that argument misses the mark. The exchange wasn't forced out by compliance costs—it was forced out because it never even tried to comply. The AFM gave ample time; Knaken chose to operate in the grey zone.
The bulls also claim that 'crypto is global, and regulation is local'—that users will simply move to unregulated platforms or decentralized exchanges. But as I saw during the DeFi Summer of 2020, when I reverse-engineered Uniswap V2 MEV bots and realized that 15% of LP fees were being siphoned by sandwich attacks, the 'decentralized' narrative often hides its own central points of failure. For now, DEXes lack the fiat on-ramps that most users need. Knaken's closure will push some Dutch users toward self-custody, but many will migrate to other centralized exchanges—especially those that can demonstrate regulatory compliance.
What the bulls got right: regulatory clarity, once enforced, accelerates institutional adoption. Coinbase and other MiCA-compliant platforms will absorb Knaken's user base. The 'compliance premium' is real. In my 2022 Terra/Luna collapse analysis, I mathematically proved the feedback loop between LUNA and UST was unsustainable. The market ignored the math until the crash. Similarly, now the market is ignoring the compliance math until the next exchange falls.
Takeaway: The Only Immutable Asset Is Integrity
The Knaken collapse is not a cautionary tale about overregulation. It is a cautionary tale about the gap between legal constructs and operational reality. A Stichting on paper is not a Stichting in practice. A CEO's promise is not a proof of reserves.
When will we learn to verify the source, then verify the code? And when will we demand the same rigor for legal structures? The industry is still young, but the scars are aging. If you are using any centralised exchange today, ask for their asset attestation. If they give you a legal opinion instead of a cryptographic proof, you are holding their debt, not your coin.
A bug is just a feature that hasn't met the right regulator. Knaken's feature became a bug. The next one might be yours.