Not long ago, Lawyer Shao received a consultation from a client.
A technical staff member of a digital wallet company was arrested by out-of-province police without warning, on the grounds that some of the wallet platform's partner merchants were suspected of operating an online gambling den. As a technical backend maintenance personnel, the employee was taken away for investigation on suspicion of "assisting information network criminal activities".
Similar cases are common in the crypto/Web3 field. Facing the sudden accusations, the client raised two questions:
"I'm in a technical position, haven't touched money, and haven't participated in profit sharing. How could this constitute a crime?
Employees of Binance, OKX, and other big platforms are fine. Why is my small platform being arrested? Is this selective law enforcement?"
Author: Lawyer Shao Shiwei
These doubts are actually common legal blind spots among Web3 practitioners. This article will systematically analyze the three major legal risks faced by technical positions in Web3 through this case and provide practical advice.
Legal Risk Blind Spot One: Do Technical Positions Also Have Risks?
Many technical personnel believe that "I'm just delivering code as needed, and how it's used is the client's business" - this logic is actually a misunderstanding of the "technical neutrality" principle.
In the crypto circle, people often cite the Tornado Cash lawsuit to argue for "technical innocence".
Tornado Cash is a decentralized privacy protocol based on Ethereum, mainly used to obfuscate transaction paths and enhance user anonymity on the blockchain. Users can "shuffle and reorganize" crypto assets through it, achieving hard-to-trace transfer effects. While widely used for personal privacy protection, it was also used by criminals for money laundering. Although sanctioned by the US Treasury in 2022, the economic sanctions were ultimately lifted in March 2025, reigniting discussions about "technical responsibility boundaries".
However, law enforcement agencies in different countries have inconsistent understandings and judicial standards for "technical neutrality".
In current judicial practice, whether a crime is constituted depends not on whether you personally committed an illegal act, but on whether the "technical service" you provided substantially assisted upstream criminal activities.
In other words, if your technical work objectively "lowers the barrier" for criminal activities - such as providing anonymous transfer, mixing functions, or means to bypass KYC - it is no longer "neutral" but "assistance".
Legal Risk Blind Spot Two: "I'm Just a Small Platform Employee, I Won't Be Targeted"
The wallet company involved is registered in the Philippines, with senior management overseas, but its business primarily targets mainland China. It employs domestic technical personnel and customer service through a "remote collaboration" model, with a loose overall operational structure, typical of the Web3 project "decentralized employment" model.
This "distributed office + domestic and foreign collaboration" architecture is extremely common in crypto projects and easily creates compliance risk hidden dangers.
According to investigations, law enforcement determined the platform's suspected illegal activities based on multiple key clues:
The wallet system has "multi-level aggregation + anonymous mixing" functions, with fund flow paths highly consistent with gambling activities;
Technical documents contain highly sensitive keywords like "mixing optimization" and "anti-tracking", suggesting attempts to evade supervision;
The entire platform lacks due diligence records for high-risk merchants and has no effective risk control mechanism.
Although technical staff did not directly handle funds or know merchant backgrounds, if the systems they develop objectively "lower criminal barriers" or "weaken regulatory effects", they can still be legally held responsible. This is a frequently applied logic in current "technical participation" criminal cases.
Compared to head virtual asset trading platforms like Binance and OKX, small Web3 projects lacking compliance mechanisms are more likely to be "prioritized" by law enforcement for practical reasons:
Head platforms have massive user bases and complex overseas structures, making cross-border investigations difficult, time-consuming, and costly. Small platforms often have personnel in-country, making arrests more "efficient";
Large platforms generally establish KYC real-name verification and AML anti-money laundering compliance defenses, forming "technical + legal" dual protection. Small platforms often lack such mechanisms;
Mainstream platforms typically have law enforcement interface systems, showing high cooperation during investigations. Small platforms, with insufficient compliance capabilities and response mechanisms, are easier targets.
Regarding the client's accusation of "selective law enforcement", policy background does exist. For instance, the "Private Economic Promotion Law" implemented on May 20, 2025, mentions protecting private economic organizations' rights and prohibiting abuse of power for economic interests.
However, it's worth noting that these policy protections primarily target compliant operating entities. For crypto projects already in legal gray areas, under regulatory red lines like the "94 Announcement" and "924 Notification", their space for policy exemption or rights protection is extremely limited due to lack of compliance endorsement.
Legal Risk Blind Spot Three: Legal Dangers Hidden Behind Remote High Salaries
The technical personnel in this case were attracted by the offer of "remote work + monthly salary of 40,000 yuan". No clock-in, no time limits, work from home - extremely flexible. Compared to traditional Web2 positions, this treatment is almost a "dream job" for many programmers, especially young people.
But they failed to notice several obvious high-risk signals:
Vague project registration location, salary settlement via USDT transfers;
No written labor contract, all arrangements communicated through Telegram groups;
No compliance audit, KYC process, or anti-money laundering system, and no public project materials.
These appearances already expose the common characteristics of "high-risk platforms".
However, many technical personnel, lacking sufficient risk prevention concepts, rarely actively examine a platform's compliance when faced with an attractive "freedom + high salary" shell. Only when problems arise do they realize they've already stepped into a gray area.
How Can Web3 Technical Personnel Ensure Compliance? Lawyer's Advice
In this legal regulation gray area of Web3, the first step for technical personnel to protect themselves is to establish basic legal risk awareness and compliance prevention thinking.
Before contacting or joining any Web3 project, be sure to judge and self-check from the following key points:
Is the project registered in a clear, regulated jurisdiction;
Has it undergone third-party code or security audits by professional institutions;
Does it have KYC, AML, and other anti-money laundering and user identity identification systems;
Does it publicly disclose basic information like project leaders, team backgrounds, and fund source paths.
After joining, maintain distance from high-risk feature modules, especially those involving:
Mixing, anonymous transfers, privacy coins;
Bypassing or evading KYC, blacklist blocking mechanisms;
Developing tools to help users hide fund sources or bypass reviews.
If encountering suspicious instructions or project party pressure, be sure to retain relevant communication records (such as Telegram chat screenshots, meeting minutes, etc.), leaving key evidence for potential future self-defense.
When signing technical cooperation agreements or outsourcing contracts, it is recommended that technical personnel clearly stipulate:
Not directly accessing user fund accounts;
Not handling user personal identity data or sensitive information;
Not participating in marketing activities involving user recruitment, distribution, or token sales.
Drawing these "legal red lines" can not only avoid potential pitfalls but also clarify responsibility boundaries afterward.
If there are still doubts about the project's legality and compliance, it is recommended to find a professional legal team for an early "project compliance health check". This can not only timely discover potential legal risks but also help technical personnel assess the potential criminal liability boundaries of their roles, preventing problems before they occur.
Lawyer's Reminder: Technical Tools Are Not Guilty, But Actual Usage May Carry Responsibility
Web3 practitioners should be clear:
When handling the boundaries between technology and law, domestic law enforcement tends to judge whether a behavior brings harm to public interests and social order based on the actual usage of technical tools and their impact on society.
In recent years, our team has handled multiple major new-type cases in the Web3 industry and participated in early compliance and risk reviews for multiple projects. Therefore, we can provide more targeted customized legal health checks and compliance advice for consultants.If you are a technical practitioner, project operator in the Web3 field, or have doubts about project compliance, welcome to chat together.
We hope that every practitioner moving forward in the wave of new technology can proceed more steadily and clearly.
