
I've written a couple of blog posts in the past about cryptocurrency and why I think co-ops need to stay far away from everything to do with them. I now realize, however, that I was somewhat misguided - not in sounding an alarm about the crypto hype, but in the audience that I was directing my warnings to. I was focused on worker co-ops, where I was happy to not see any real uptake. However, I failed to realize that the most obvious place for crypto to infiltrate the co-op sphere was not in worker co-ops, but in credit unions. In retrospect, this was a huge oversight on my part. Of course the funny money people would be going after our financial institutions - and it appears they've managed to hook their first big fish in the CU space.
"US credit union launches stablecoin crypto as part of digital asset platform," reads the headline in Co-operative News that alerted me to their catch. Stablecoins, for those fortunate enough to be unfamiliar with them, are crypto tokens that claim to maintain a stable price, unlike the wildly fluctuating prices of other tokens. Tether was the first and most famous stablecoin, initially claiming to hold one US dollar for every one tether in circulation, thereby guaranteeing a 1-to-1 dollar-to-tether exchange rate. If you, like me, wonder how a business proposes to make money simply by swapping dollars for tokens, and tokens for dollars, on a 1-to-1 basis, you wouldn't be alone. But while a lot of people pointed out the model didn't make any financial sense, that didn't stop the crypto world from taking it up as a supposedly less risky way to hold their tokens. However, the truth surfaced pretty quickly that Tether was not, in fact, holding one dollar for every tether, but rather using a bunch of those dollars to purchase bonds and other investment instruments, and making their money on the returns from those. You would think that such a revelation would have had tether holders running for the exits, after discovering that their tokens had been sold to them on a lie — and some did — but most just shrugged their shoulders and carried on as usual, probably because the fact that there weren't enough dollars on hand to cover all the tether in circulation meant that if a large enough portion did try to redeem their tether for dollars, they wouldn't have been able to, which would likely cause the token to quickly collapse in classic bank-run fashion.
But the CU in the headline, St Cloud Financial Credit Union, isn't using tether, but rather creating their own stablecoin with the help of a couple of firms: Metallicus and DaLand. After reading the Co-operative News article - and remembering Yves Smith's dictum that "crypto = prosecution futures" — I immediately did a search for "Metallicus hack," and while I did expect to find something (tons of crypto projects get hacked), I was actually surprised by the severity of what I found. The first search result was from an August 21st, 2025 article in the San Francisco Business Times titled, "Fired executive accuses S.F. crypto firm Metallicus of using customer funds for payroll." Oh no.
Here, in part, is what the SFBT has to say:
Donald Berk, a banking veteran who previously served as a board member and chief operating officer of Metallicus Inc., sued the company in San Francisco Superior Court, alleging age discrimination and whistleblower retaliation. In the suit, Berk claimed he was fired by the company after raising concerns of discrepancies in the company's financial reporting — specifically, he said customers' crypto tokens could have been paid out to employees receiving large salaries, some up to $1 million a year.
"In reviewing the company’s coin balances, Mr. Berk became concerned that the 'hole' in the financial reporting was a result of Metallicus unlawfully taking customer tokens to fund its own payroll obligations," the lawsuit said. "When Mr. Berk raised concerns regarding the stark disparity in compensation between his own meager salary and the extraordinary salaries received by his younger counterparts — particularly during 2022, when Metallicus generated no revenue — his employment with Metallicus was abruptly terminated."
...Berk also claims in the suit that the company was investigated by the U.S. Securities and Exchange Commission in 2024, possibly for selling crypto tokens without a brokers license or for "double minting" tokens, a practice where owners of cryptocurrencies use the same tokens for multiple transactions. Metallicus is the developer of a number of tokens including XPR.
If I were St Cloud FCU, I would be talking to my lawyers about how to get out of any contracts we've already signed with this company, ASAP.
Rather troubled by what I found, I continued my search and soon came across this Forbes article from May of last year: "How BankSocial And Metallicus Are Banking On Blockchain In 2024." From this article I discovered that,
This is also not the first exploration of blockchain technology by credit unions. In 2016, CU Ledger was a proof-of-concept project based on distributed ledger technology that was led by the Credit Union National Association and the Mountain West Credit Union Association and designed to prepare credit unions for the future. "This could be a real game changer," Rich Meade, chief of staff/COO for CUNA, said. "This technology could be the next email, the next internet, the next big thing, so we're really excited about doing that."
Since then, CULedger changed its name in 2021 to Bonifii and is a credit union-owned CUSO (credit union service organization) and has a primary focus on protecting credit union customers from fraud with identity verification solutions.
I had to chuckle a little bit at this, as practically every attempt at implementing blockchains for anything in the real world has followed this exact same cycle: first the loud claims about how this will change everything, then the quiet folding of the project a few years later, or its conversion into something actually useful by removing the crypto elements. But while it may be amusing to watch people fail in utterly predictable ways, I was more troubled by the thought that a lone CU was preparing to pay a private company to do something that two large CU orgs had already failed to make work. I would think that if anyone was well situated to figure out how CUs can make use of some technology or other, it would be CU trade organizations. What do Metallicus and DaLand know that CUNA and MWCUA don't?
And then I noticed the name of the company that the failed CU blockchain project had turned into: Bonifii. I recognized the name only because I had just seen it in the article about the lawsuit over misused funds at Metallicus.
Metallicus acquired the fintech Bonifii last year in an effort to begin offering crypto services like digital asset wallets and stablecoins to credit union customers. Its Banking Innovation Program partners include Dublin-based Patelco Credit Union.
Insert confused Scooby-Doo sound effect here...
So two CU orgs created a cooperatively-owned back office service provider for CUs, which was then demutualized sometime in the latter half of 2024 and sold to a crypto firm, which is now using it to sell crypto services to other credit unions. Is it just me, or does something smell off in here?
Obviously, by this point in my impromptu investigation I was getting pretty concerned. Then I found what I initially set out searching for: a hack of Metallicus. And this time, the story comes straight from the Metallicus website:
On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol affecting Metal X DeFi lending market smart contract (lending.loan) by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured.
...Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun; while putting into place new security measures, controls and early-detection mechanisms to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality.
If you receive an email speaking about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.
This hack of their loan protocol took place one year ago, in Sept of 2024. Hopefully they've gotten better at security since then, but one really has to ask why a Credit Union is doing business with a firm that is being sued for misusing customer funds and retaliation against whistleblowers, that's been investigated by the SEC, and that's been recently hacked by someone named letsgopuppy. The services on offer seem to be things that Credit Unions already do just fine, without blockchains, like providing money transfers between accounts within or between CUs. In fact, the only service being offered by Metallicus that struck me as something that CUs don't already do perfectly well without blockchain is allowing customers to engage in crypto gambling. In fact, if you visit Metallicus' website, that is pretty much the only thing you'll find - different ways to gamble on crypto. For instance, here's an article explaining how to use the Metallicus loan platform to gamble on crypto token price movements using borrowed money (which no one should ever do, btw).
I'm going on the record now as stating that this will end in tears for SCFCU and their members. If I were a member, I would be calling for the resignations of whoever signed off on this immediately. I think the best case scenario for this initiative is for it to be short-lived and to get quietly shelved before too much member capital is expended — the worst case scenario is that some hack, or executive malfeasance, takes Metallicus down and SCFCU and their members get dragged down with it. I don't know how bad this will turn out to be for SCFCU, but I am entirely certain that it won't turn out well.