
Exchange Responsible for Scam? STJ Split in Brazil

Published: April 23, 2026
Updated: April 25, 2026
TL;DR
Brazilian courts now treat some crypto-exchange disputes under consumer law, but liability still turns on which service actually failed. The STJ split matters because one panel focused on platform security failure while another focused on whether custody had already moved elsewhere. Before moving funds, the practical question is not only whether a scam happened, but where in the service chain the loss occurred.

Exchange Responsible for Scam? Why One STJ Panel Says Yes

The legal risk in Brazilian crypto isn't sitting only in the scam. It's sitting in the handoff.

Lucia is the Kodex operator who reads the system boundary before she reads the headline, and this walkthrough is about where an exchange's duty ends when a phishing loss starts.

She opens the case file, traces the path from platform to external wallet, and ignores the word “golpe” until the service map is clear.

A lot of coverage framed the recent STJ decisions as a moral question: should exchanges reimburse users after fraud? That framing is weak. The court is really asking a narrower question with bigger consequences: what exactly was the exchange hired to do in the disputed moment, and did the failure happen inside that perimeter or outside it?

Now the Superior Tribunal de Justiça has pulled the topic into two different lanes, so that distinction matters more. In a 2025 decision from the 4th Panel, the court treated a crypto platform more like a financial institution and applied the logic of Súmula 479, which imposes objective liability for fraud tied to the provider's own operational risk. In April 2026, the 3rd Panel took a different route in REsp 2.250.674, holding that the exchange was not liable when the disputed fraud materialized after the customer transferred USDT to a wallet tied to another platform.

Lucia doesn't treat those outcomes as contradiction for its own sake. She treats them as a map. If the platform security stack breaks during its own transaction flow, liability rises. If the exchange executed the instruction correctly and the loss crystallized in another platform's custody environment, liability gets much harder to pin back on the original exchange.

Sounds technical. It is. It also decides whether a reimbursement claim has structure or just emotion behind it.

Where does the exchange's service actually end?

The April 2026 case is the cleanest place to start because it forces the boundary question out into the open. The investor used an exchange to buy crypto, then ordered the transfer of 11,749.15 USDT to an external wallet associated with another platform. According to the 3rd Panel, the disputed fraud happened at the custody stage on that second platform, not inside the originating exchange's own service chain.

That matters because the 3rd Panel did not say crypto exchanges sit outside consumer law. Quite the opposite. Minister Ricardo Villas Bôas Cueva accepted that the relationship falls under the CDC and pointed to Law 14.478/2022 plus Banco Central Resolution 520 as part of the legal framework for virtual asset service providers. The issue was not whether consumer protection exists. The issue was whether there was a defect in the service the exchange itself actually provided.

Lucia's read is blunt: CDC coverage is not the same thing as automatic reimbursement. If the platform received fiat, converted it, and sent the assets to the address the customer entered, the court can still say the service was performed correctly even if the funds later disappeared somewhere else.

This is why the split matters. A lot of users hear “consumer law applies” and think the case is already won. The STJ is saying the opposite. First define the service. Then define the defect. Then ask where the fraud occurred.

| Legal frame | What the court focuses on | Liability pressure |
|---|---|---|
| Platform-security failure inside the exchange flow | Missing confirmation, broken authentication, weak internal controls | Higher |
| Correct execution followed by loss in another platform or wallet custody | Whether the exchange had already completed its contracted role | Lower |
| Mixed case with user action plus suspicious system behavior | Whether the provider can prove absence of defect or exclusive fault | Disputed |

Lucia likes boundaries because they kill false certainty. When you move funds off-platform, you are not only changing addresses. You may be changing the defendant.

Why did the 4th Panel reach the opposite result?

The 2025 case went the other way because the facts pointed to a failure inside the transaction security flow itself. A user intended to transfer 0.0014 BTC but saw 3.8 BTC disappear. The 4th Panel held that crypto platforms can be equated with financial institutions for this purpose and applied the logic of objective liability under Súmula 479.

The decisive detail was not “hackers exist.” It was evidence. The platform could not prove that the confirmation email tied to the disputed transaction had been sent. That missing record mattered because the company was arguing that the loss came from a third-party invasion of the user's device rather than from its own failure. Minister Maria Isabel Gallotti's position, as summarized by Agência Brasil, was that even a hacker narrative would not automatically erase platform responsibility if the system was not secure enough to prevent the fraud.

Lucia pauses here because this is where bad summaries flatten the doctrine. The 4th Panel did not create a rule that exchanges always pay after phishing. It did something more specific and more important: it treated certain frauds as part of the operational risk of running a custodial transaction platform. If your controls fail where they were supposed to catch the event, “third party” stops being a complete shield.

The logic comes from banking law. The force of the 2025 decision came from pulling crypto platforms closer to that risk model. The force of the 2026 decision came from narrowing the factual perimeter and saying the critical failure happened elsewhere.

Same industry. Same court. Different service boundary.

What happens when the scam starts with you but ends somewhere else?

This is the part retail users usually underestimate. A phishing flow can begin in your inbox, move through a legitimate exchange interface, and end in an external wallet or second platform. The emotional story feels continuous. The legal chain may not.

Lucia sketches it as a relay rather than a single event:

  1. The user receives the lure.
  2. The user logs in or authorizes a transfer.
  3. The exchange executes an on-platform instruction.
  4. Assets land in an external environment.
  5. Control or recovery breaks there.

The question for liability is not where panic began. The question is where the defective service sat.

That's why the April 2026 decision matters so much for anyone asking whether an exchange is responsible for scam losses in Brazil. If the exchange's logs show the transfer was initiated with the customer's own instructions, sent to the provided destination, and the actual custody failure unfolded on another platform, the claim hits a wall fast.

If, on the other hand, there is evidence that the exchange failed to generate confirmation, failed to block an anomalous transaction, failed to authenticate the exact disputed movement, or cannot document what its own control layer did, the case starts to look like the 2025 panel instead.

Lucia treats this as a practical diagnostic. Before outrage, map the failure point.

A simple habit helps here. Before sending funds to a new destination, rehearse the action in the Market Simulator first if the impulse is being driven by urgency, not clarity. The platform won't mirror an exchange lawsuit, but it does expose one behavioral truth: once the click happens, the chain of consequences gets harder to reverse than your confidence suggested two minutes earlier.

Why this split changes exchange risk in Brazil

The headline is about reimbursement. The deeper consequence lands on exchanges themselves.

A split like this pressures platforms to do two things at once:

  • tighten evidence retention around authentication, email confirmations, device signals, and transfer logs
  • refine how they define their service perimeter in contracts, product flow, and incident handling

Lucia reads the dispute as a pricing signal. If some panels treat authorized or quasi-financial crypto platforms more like institutions carrying operational fraud risk, then security costs rise. Insurance assumptions change. Customer support scripts stop being enough. Product design starts to matter as legal evidence.

Recent Brazilian regulation matters here too. The crypto framework is no longer living in a legal vacuum. Once virtual asset service providers sit closer to regulated financial infrastructure, the argument that they are mere neutral pipes becomes harder to sustain in cases involving their own controls. But the April 2026 decision shows the counterweight: regulation does not erase the need to identify the exact service delivered in the disputed moment.

This is one reason “SPAV Authorization Brazil: 2026 Exchange Deadline” matters beyond licensing headlines. Formal oversight does not guarantee reimbursement. It does, however, raise the stakes around what a platform is expected to monitor, document, and defend when things go wrong.

Why the handoff to an external wallet is the legal hinge

The external-wallet step keeps showing up because it changes the fact pattern more than users realize.

When Lucia walks someone through safe transfer behavior, she starts with the same ugly truth every time: the platform screen can feel like one continuous environment even when the legal responsibility isn't. A wallet address pasted inside an exchange window can still point to a custody regime the exchange does not control.

So the April 2026 panel focused hard on the stage of the operation. Purchase, conversion, transfer, custody. Those are not just product verbs. They are separate liability compartments.

If you want the plain-language version, it looks like this:

| Step | What you think is happening | What the court may ask |
|---|---|---|
| Buy on exchange | “I am still protected by the platform” | Was the purchase flow executed correctly? |
| Transfer out | “I am still inside the same action” | Did the exchange just follow your instruction? |
| Funds sit in external wallet or second platform | “The original platform should help” | Who was actually providing custody at that point? |

A guide like “How to Send Crypto Safely” matters more than fee comparisons when you're moving assets for the first time. The expensive mistake is rarely the network fee. It's assuming the security perimeter moved with you when it didn't.

Lucia has no patience for clean narratives that hide operational friction. The handoff is where clean narratives go to die.

Can an exchange still be liable if you clicked approve?

Yes, but not because the click becomes irrelevant. It matters because user action does not automatically prove exclusive fault.

The point sits underneath both STJ lines. Under the CDC, a provider can still try to exclude liability by proving either absence of defect or exclusive fault of the consumer or a third party. In practice, though, those defenses become harder if the platform cannot show its own controls worked as designed.

This is where phishing cases often turn messy. A user may have clicked a malicious link, copied a poisoned address, or approved a transfer under false pretenses. None of that fully resolves the case if the platform also failed at the point where it was supposed to detect something abnormal.

Lucia watches this same pattern in security behavior. Panic shortens the decision window. The wrong destination starts to look familiar. One confirmation step gets skipped mentally before it gets skipped technically. If that sounds abstract, “PIX Confirmation Trap: Real-Time Malware Hijacks Transfers” shows the same behavioral structure in a payment rail users already understand: urgency, interface trust, then a handoff too late to undo.

Here is the bridge between legal doctrine and behavior. The court is trying to decide whether the platform's security architecture meaningfully carried its share of the risk. You are trying not to enter the dispute at all.

What should you document before asking if the exchange owes you?

Lucia hates vague timelines because courts hate them more. If a loss happens, the useful question is not “was I scammed?” The useful question is “what evidence shows where the failure occurred?”

Start with a tight record:

  • the exact asset and amount moved
  • the intended destination and the actual destination
  • screenshots of the transfer flow before confirmation
  • whether a confirmation email, code, or second-factor prompt was generated
  • device, browser, and login alerts around the disputed moment
  • the time gap between authorization and discovery of loss
  • whether the funds disappeared on-platform or only after landing elsewhere

The list sounds procedural because it is. But procedure is what separates a platform-security case from a post-transfer custody case.

Lucia would rather build the chain before the memory gets edited by panic. On Kodex, that same discipline is what Pattern Intelligence is built to force back into view: what you actually did, in what sequence, under what emotional load. On the platform, that framing is behavioral, not legal. But the lesson transfers. Reconstruction beats impression.

The real question is not whether exchanges ever pay

The real question is which failure the court can tie back to the exchange.

That is the lesson of the STJ split. One panel saw a platform-security failure serious enough to carry objective liability. Another saw a completed service followed by a loss in someone else's custody layer. Both positions can coexist because they are answering different factual questions.

Lucia closes the file the same way she opened it: by tracing the perimeter, not the outrage. If you want to know whether an exchange is responsible for scam losses in Brazil, stop asking the headline version. Ask where the platform's role ended, what proof exists for its own controls, and whether the missing money disappeared inside that boundary or after it.

Colder than the headline, yes. It also decides the case.
