2022 in Review: Crypto Litigation, Compliance, Cybersecurity and Enforcement

2022 was a defining year for cryptocurrencies and other crypto assets. As valuations plummeted, litigation proliferated, and the “crypto winter” caused several high-profile crypto bankruptcies. Meanwhile, government regulators moved from watch-and-wait to a more active enforcement role. Amid these trends, crypto assets continued to raise novel legal questions and challenges for those involved in their development, sale and use, while also presenting new fact situations involving far less novel legal questions and challenges.

This Advisory continues Arnold & Porter’s ongoing series on cryptocurrencies and digital assets by summarizing key litigation and enforcement actions and examining themes and trends in general commercial litigation, intellectual property, securities, bankruptcy, cybersecurity and compliance.

General Commercial Litigation

As crypto assets gain wider use and acceptance, they have increasingly made appearances in general commercial disputes. In most cases, the claims being brought do not hinge on the status of the crypto assets themselves; instead, they center on other issues such as the terms of a contract or a party’s fiduciary duties. In at least one case this past year, however, the digital nature of the subject assets has been determinative.

One example where the digital nature of the crypto assets played only an ancillary role was Fattaruso v. Roche Freedman LLP.¹ There, Paul Fattaruso sued his former law firm, the litigation boutique Roche Freedman LLP, alleging that the firm withheld nearly $1 million in compensation and retroactively removed Fattaruso from the partnership, depriving him of a two percent share in a cryptocurrency fee estimated to be worth $250 million. Although the dispute concerned Fattaruso’s share in what his complaint described as “cryptocurrency tokens,” his claims were familiar: breach of contract, breach of fiduciary duty, conversion and other standard commercial claims.

On the other hand, the outcome in Rosenberg v. Homesite Insurance Agency, Inc.² is dependent on the treatment of the subject crypto assets. In this case, the Rosenbergs sued their homeowners insurance issuer and underwriter after it limited coverage for the theft of $750,000 worth of crypto tokens, including $600,000 worth of SafeMoon tokens, that had been stolen by hackers. The Rosenbergs’ insurance policy covered theft of “personal property owned or used by an ‘insured’ while it is anywhere in the world,” but capped coverage to $200 for “money, bank notes, bullion,” and the like. In limiting coverage for the theft of the crypto tokens, Homesite cited this special limit of liability. However, the Rosenbergs have argued that there is a difference between crypto coins, which “may resemble currencies used to transact on a blockchain,” and crypto tokens, which “more closely resemble alternative assets like art, collectibles or commodities.” The Rosenbergs argue that since the stolen SafeMoon tokens do not function as currency used for transactions on any block chain, they do not fit any reasonable definition of “money,” and their claim should not have been subject to the special limit.

As crypto assets continue to grow in popularity and cryptocurrency replaces fiat currency as a medium for conducting some transactions, it comes as no surprise that crypto assets have themselves become the thing of value being argued over. Moreover, as we continue to grapple with questions about what crypto assets are and how they should be treated within our existing frameworks, disputes like the one in Rosenberg are likely to become more common.

Intellectual Property

The rise of non-fungible tokens (NFTs) has raised numerous intellectual property issues. One animating theme has been the application of the likelihood-of-confusion doctrine, a central concept in trademark law. Likelihood of confusion exists when the allegedly infringing mark is likely to mislead the public into incorrectly believing that the mark originated from or was endorsed by the trademark holder.³ In 2022, litigation involving likelihood-of-confusion arguments played out in various shades in intellectual property disputes involving NFTs.

Yuga Labs v. Ryder Ripps⁴ provides a straightforward example. Yuga Labs created the popular Bored Ape Yacht Club (BAYC), a set of NFTs that are associated with digital pictures of particular cartoon apes. Ownership of the NFT comes along with certain rights and benefits, including a license to display the associated image and to create derivative works using the BAYC characters and brands; it also grants the owner entry into an exclusive virtual clubhouse, Discord channel, and festival called ApeFest. In its suit, Yuga Labs alleges that the defendant Ryder Ripps created his own NFTs using BAYC images, with the only difference being his use of the title “RR/BAYC” instead of “BAYC.” If these allegations are true, BAYC would have a strong case for likelihood of confusion and trademark infringement; the goods and marks at issue are essentially identical. In fact, Yuga Labs pleaded that Ryder Ripps actually intended to confuse consumers about what they are buying.

Another likelihood-of-confusion case, Hermès v. Rothschild,⁵ shows how the doctrine intersects in an artistic context with issues of freedom of expression under the First Amendment. When allegedly infringing trademarks are used artistically, the Second Circuit has held that courts must balance the “public interest in avoiding consumer confusion” against the “public interest in free expression.”⁶ In the Hermès case, Mason Rothschild created 100 original digital images depicting blurry versions of luxury Birkin handbags, selling them as “MetaBirkin” NFTs. Hermès, the owner of the Birkin trademark, sued Rothschild for infringement. In denying Rothschild’s motion to dismiss, the court found that Hermès pleaded sufficient facts to support a conclusion that Rothschild had intended to associate the NFTs with the popularity and goodwill of Hermès’s Birkin mark, rather than intending a mere artistic connection, and that the NFTs had confused the public into believing that the NFTs were associated with the company. Rothschild stated in interviews that the NFTs were a tribute to the Birkin handbag, the court noted, and that he “wanted to see as an experiment if [he] could create that same kind of illusion that [the Birkin bag] has in real life as a digital commodity.”

The digital nature of NFTs has also raised unique registration and ownership questions, an issue central to the allegations in Free Holdings Inc. v. McCoy.⁷ Free Holdings alleges that the artist Kevin McCoy and Sotheby’s falsely advertised that the Ethereum-Quantum NFT, which sold at auction for $1.47 million, was the first ever NFT. (Disclosure: Arnold & Porter is counsel for Sotheby’s in this matter.) According to McCoy and Sotheby’s, Quantum was “[o]riginally minted on May 3, 2014 on [the] Namecoin blockchain,” an Ethereum-based protocol, and was “preserved on a token minted on May 28, 2021 by the artist.” But Free Holdings asserts that it is the true owner. According to Free Holdings, the Namecoin blockchain requires a user who controls a Namecoin record to periodically update the record every 35,999 blocks, which amounts to approximately 200-250 days; when McCoy failed to update the Namecoin-Quantum blockchain record for seven years, Free Holdings claimed it. Free Holdings is asking the court to declare that it is the rightful owner of the Namecoin-Quantum NFT and that statements made by McCoy and Sotheby’s were false and misleading, among other remedies. McCoy and Sotheby’s are robustly defending the claim and consider it to be without merit. The defendants have moved to dismiss, and that motion presently is pending before the court.

These cases show how the unique qualities of crypto assets have interplayed with traditional intellectual property doctrines, bringing out old questions in new contexts and asking new questions altogether. So far there have not been any easy answers, and we expect that as courts are forced to grapple with them, new interpretations and applications will emerge.

Securities

Much of the attention this past year has focused in securities litigation. The US Securities and Exchange Commission continued its focus on registration and disclosure requirements for cryptocurrencies and other crypto assets in 2022, reflecting Chair Gary Gensler’s view that many crypto platforms and crypto tokens may fall under the SEC’s jurisdiction. In 2022, the SEC brought a number of high-profile enforcement actions in the crypto space. These include actions against companies offering crypto tokens and their promoters, including a settlement with social media influencer Kim Kardashian for allegedly touting a crypto asset on social media without disclosing the payment she received for the promotion.

Among the most legally significant developments in the SEC’s actions were two cases testing the limits of the agency’s jurisdiction. Following dozens of enforcement actions brought since 2017 alleging that various crypto tokens are securities, the SEC’s case against Ripple Labs, Inc. and two of its executives⁸ has continued to play out in the Southern District of New York, with both parties moving for summary judgment in December 2022. The closely watched lawsuit, first filed in December 2020, alleges that XRP, a crypto coin created by Ripple, is a security and should have been subject to SEC regulations, including those requiring registration. In response, Ripple has characterized XRP as a non-investment asset, and therefore not subject to the SEC’s jurisdiction. In addition, in November 2022, the SEC obtained a high-profile victory against blockchain publisher LBRY Inc.,⁹ where the district court in New Hampshire was the first to hold that a token not distributed through an initial coin offering nevertheless constituted a security. LBRY argued that its digital token, LBC, was not a security because it was not being offered as an investment opportunity; rather, it was designed for use on a decentralized “content marketplace” by content creators and audience members.

The highest profile matter in 2022, however, stemmed from the collapse of crypto trading platform FTX after a rush of customer withdrawals led the platform to declare bankruptcy. The unraveling led to parallel criminal and civil enforcement actions, in addition to bankruptcy and other related suits by FTX account holders. The SEC and the US Commodity Futures Trading Commission filed civil actions against Sam Bankman-Fried, FTX’s co-founder and former CEO; Zixiao (Gary) Wang, FTX’s other co-founder and former CTO; and Caroline Ellison, the former CEO of Alameda Research LLC, an affiliated hedge fund, and all three were charged in the Southern District of New York, with Ellison and Wang pleading guilty to charges that include securities fraud relating to FTX-affiliated tokens. Among other things, the authorities have alleged that Bankman-Fried and others orchestrated a years-long fraud to conceal from FTX’s investors (1) the diversion of FTX customers’ funds to Alameda; (2) special treatment for Alameda on the FTX platform, including Alameda’s near-unlimited “line of credit” funded by the platform’s customers and exemption from certain key risk-mitigation measures; and (3) risks stemming from FTX’s exposure to Alameda’s significant holdings of overvalued, illiquid assets such as FTX-affiliated tokens. The government also alleged that Bankman-Fried used commingled FTX customers funds to make undisclosed venture investments at Alameda, lavish real estate purchases and large political donations.

The SEC’s aggressive pursuit of companies involved in cryptocurrency and digital assets has positioned it as the likely primary regulator of this space, consistent with Chair Gensler’s persistent focus on crypto. While many industry players and several members of Congress have called for an industry-wide rulemaking process, the SEC has indicated that it will continue its practice of issuing enforcement orders and registering individual companies in the meantime as a means of ensuring transparency and protecting investors. The SEC’s activities in 2022, with the Division of Enforcement expanding its crypto asset unit with designated trial attorneys and the Division of Corporation Finance also creating a crypto assets unit and announcing crypto disclosure expectations, show the SEC’s leadership role in the regulation of cryptocurrency and digital assets. Further, while we do not know the genesis of all of the SEC’s enforcement actions, we do know that whistleblowers have been submitting a significant number of tips to the Commission related to crypto. For the first time, Initial Coin Offerings and Cryptocurrencies broke the top three in whistleblower allegations—14 percent of whistleblower tips submitted in FY 2022 were related to the topic. Given the sharp increase in tips this year, we expect whistleblowers to be a source of future investigations in this area.

Bankruptcy

October 2021 was the peak of the golden age for crypto with a cryptocurrency market at a valuation of over $2 trillion. However, the “crypto winter” of 2022 resulted in plummeting asset values across the cryptocurrency space. While the FTX chapter 11 filing dominated the headlines in November, it was merely a domino in a sequence of other failed crypto businesses in 2022. The dominos began to fall with the implosion and subsequent bankruptcy filing on July 1, 2022 of the crypto hedge fund Three Arrows Capital (3AC) following the violent and sudden collapse of the Luna and TerraUSD cryptocurrencies in May 2022. Shortly after 3AC’s bankruptcy filing, crypto lender Voyager Digital (Voyager) sought bankruptcy protection after 3AC defaulted on its $665 million loan from Voyager. The bankruptcies of Celsius Network (Celsius), FTX, and BlockFi followed, and there may be others on the horizon.

Among the many novel issues that arise in crypto bankruptcy cases, one in particular has been front and center: are crypto assets deposited into customer accounts property of the customer or property of the bankrupt crypto company’s estate?

Just after the calendar flipped to 2023, Chief Judge Martin Glenn of the Bankruptcy Court in the Southern District of New York issued perhaps the most notable decision to date in In re Celsius Network LLC, et al.¹⁰ Asked to decide whether Celsius could sell its customers’ cryptocurrency assets held in Celsius’ Earn Accounts, which required a determination of whether such assets were property of Celsius’ bankruptcy estates or property of the customers, Judge Glenn ruled that Celsius’ “Terms of Use formed a valid, enforceable contract between [Celsius] and Account Holders, and that the Terms unambiguously transfer title and ownership of Earn Assets deposited into Earn Accounts from Account Holders to [Celsius].”¹¹ Thus, the Earn Assets (cryptocurrency assets, including stablecoins) in Celsius’s Earn Accounts became property of Celsius’ bankruptcy estate as of the bankruptcy filing. The applicability of Judge Glenn’s holding to other bankrupt crypto companies will depend on the specific terms of use customers agreed to with those companies, as well as the type of account at issue. Litigation over the ownership of deposited cryptocurrency assets and other novel issues arising in crypto bankruptcies will likely take years—customers and other stakeholders will take note as the crypto industry tries to weather this storm and regain market confidence.

Cybersecurity

Owners of platforms that store and exchange crypto assets have become frequent targets of cyberattacks, raising their risk of exposure to cybersecurity-related lawsuits. Because crypto assets move seamlessly according to digital protocols, criminals have found ways to exploit vulnerabilities within the system to access and steal crypto assets and quickly resell them. Transactions—including thefts—are typically irreversible; and even when stolen goods are frozen on one platform, they can usually be quickly resold on a different platform. With few government regulations currently in place, and facing the challenges of successful government investigations and prosecutions across transnational boundaries, victims have increasingly come to depend on private litigation to attempt to recoup the value of stolen assets.

One common thread this year has been litigation over company representations about the level of security of their platforms and the insurance coverage of assets held on the platforms. In Kattula v. Coinbase Global, Inc.,¹² plaintiffs in a proposed class action allege that the cryptocurrency exchange Coinbase Global, Inc. failed to adequately implement measures to prevent cryptocurrency stored on the platform from being stolen by hackers. The plaintiffs claim that statements made by Coinbase about the security of assets entrusted to the platform were misleading and constituted an unfair and deceptive practice under Georgia state law. The plaintiffs say that Coinbase held itself out on its website as the “most trusted” and “most secure” cryptocurrency platform and that assets held online are protected by an “extensive insurance policy.”

Plaintiffs in the proposed class action Aggarwal v. Coinbase, Inc.¹³ have gone even further, alleging that Coinbase’s representations were fraudulent. The Aggarwal plaintiffs have pointed to a variety of representations Coinbase made on its website, social media and in search engine marketing, including that it offers “best in class storage,” has “industry-leading security,” that it is the “most trusted crypto exchange,” that it uses “state-of-the-art encryption,” that “your assets are protected,” and that it offers “multifaceted risk management programs designed to protect customers’ assets.” The plaintiffs have asserted that Coinbase’s claim that it had “never been hacked,” was false; in fact, according to the Aggarwal plaintiffs, customer funds had been stolen several times and security breaches are endemic to Coinbase’s system.

These cases demonstrate the importance of investing in cybersecurity protections and accurately representing the crypto firm’s history regarding cyberattacks. For platform users, these cases may demonstrate the importance of sustained and extensive diligence into the cybersecurity claims and cybersecurity experiences of the platforms which they are considering for fiduciary uses. It also bears noting that cybersecurity continues to be a priority of the SEC’s National Exam Program and its Division of Enforcement, enlarged and renamed as the Crypto Assets and Cyber Unit, which focuses on violations related to digital assets, cybersecurity controls, disclosures of cybersecurity incidents and risks, trading on the basis of hacked nonpublic information, and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms. For most platforms, it seems to be a question not of if but when criminals will attempt to get access to the firm’s platform and to assets stored on that platform. Given the potential variations among crypto firms in asset security—and therefore the importance of asset security in differentiating their offerings—companies will need to find a balance between asserting their competitive edge and making claims they can later defend, if necessary, in litigation.

Compliance

Although cryptocurrency has many valuable uses, the past year has demonstrated that it is also becoming the payment method of choice for a wide range of scams internationally. Depending on their operations, many crypto companies are subject to laws and regulations applicable to traditional banks, including anti-money laundering and trade sanctions laws. Financial regulators are increasingly showing a willingness to pursue enforcement actions against crypto industry participants for perceived unsafe and unsound practices or failures to meet AML obligations.

Anchorage Digital Bank, N.A., which specializes in digital asset custody, made headlines in January 2021 when it became the first crypto firm to receive a national trust bank charter from the Office of the Comptroller of the Currency. Less than a year later, however, the OCC ordered Anchorage to overhaul its BSA/AML compliance program and conduct an independent lookback review of prior transactions.

More recently, the Department of Treasury’s Office of the Foreign Asset Control and Financial Crimes Enforcement Network imposed civil money penalties on two cryptocurrency exchanges for deficiencies in their sanctions compliance programs. In October, OFAC levied a $24 million fine against Bittrex, Inc. for apparent violations of multiple sanctions programs, including those prohibiting US companies from doing business with Iran, Sudan, Syria Cuba, and the Crimea region of Ukraine. Importantly, according to OFAC, Bittrex knew or should have known that its customers were located in the sanctioned parts of the world based on their physical address information collected at customer onboarding and their IP addresses, but failed to screen this customer information. In a separate but parallel action, FinCEN assessed a civil money penalty to Bittrex in the amount of $29 million for allegedly failing to implement and maintain an effective AML program.

In November, Payward Inc. d/b/a Kraken agreed to pay a six-figure penalty to OFAC and to invest an additional $100,000 in certain sanctions compliance controls after Kraken allegedly processed cryptocurrency transactions for individuals located in Iran. OFAC found that although Kraken had maintained controls intended to prevent users from opening an account while in a sanctioned location, it failed to timely implement geolocation tools, including an automated IP address blocking system. Specifically, Kraken allegedly allowed users to establish their accounts outside of sanctioned jurisdictions but then failed to block those users from transacting in Iran.

Earlier this month, the New York State Department of Financial Services imposed a $50 million fine on Coinbase, Inc. and ordered it to invest an additional $50 million in its compliance program after it found failures in Coinbase’s compliance program that violated New York Banking Law and DFS’s virtual currency, money transmitter, transaction monitoring and cybersecurity regulations. DFS’s consent order detailed that after an examination and subsequent enforcement investigation, DFS found that Coinbase’s BSA/AML program was inadequate for a financial services provider of Coinbase’s size and complexity.

These enforcement actions highlight the challenges cryptocurrency companies may face when implementing compliance frameworks, which must be designed to address the compliance risks attendant to these new and evolving technologies. It is also clear that the federal and state financial regulators will exercise their enforcement authority to maintain customer confidence in the US financial system.

Conclusion

In 2021, many crypto assets hit all-time price highs, accompanied by the growth of new companies seeking to capitalize on cryptocurrencies and other crypto assets. In 2022, a cooling economy and market volatility led to a “crypto winter,” generating plummeting prices, crypto company bankruptcies, and renewed skepticism of the entire crypto industry. While many of the enforcement actions and litigation from 2022 represent a continuation of previous developments, the crypto industry has borne the brunt of additional scrutiny from both individuals and government regulators. The resulting litigation and enforcement actions have spanned the gamut, highlighting both crypto’s increasing use cases and unique aspects.

Enforcement actions and litigation continue to struggle with fitting cryptocurrency and other crypto assets into existing legal frameworks. But, although blockchain technology is new, many of the relevant legal concepts are not. From likelihood of confusion to whether crypto tokens constitute securities to anti-money laundering compliance, the applicable doctrines are foundational to the relevant area of law.

Moreover, while the blockchain technology on which crypto assets operate is “decentralized,” private plaintiffs and regulators have not suffered from a lack of targets. Many consumers store and use crypto assets through centralized access points, such as exchanges and wallet providers. In addition, entrepreneurs have developed new cryptocurrencies or tokens and have piloted new uses of blockchain technology. Across these various categories, centralized points and novel applications have become the subject of litigation and enforcement. Indeed, the very decentralization and anonymity of blockchain technology, as well as the involvement of unregulated or unsophisticated players, have made the crypto space especially susceptible to fraud, from companies committing fraud themselves to companies that are vulnerable to fraudulent uses of their technology and systems by others.

Lastly, as Congress continues to contemplate regulation for the crypto industry, we have seen litigation and enforcement actions as an alternative means of enforcing compliance. These have ranged from class actions to high-profile individual suits to enforcement actions by the SEC, CFTC, OCC and OFAC. The likelihood of litigation and enforcement has encouraged companies operating with digital assets to re-examine their policies and procedures and to enhance their compliance programs.

Arnold & Porter actively monitors and reports on key litigation and enforcement developments in the cryptocurrency and crypto assets space and has deep expertise across the regulatory, litigation and transactional aspects of the industry. Should you have any questions, please reach out to any author of this Advisory or your regular Arnold & Porter contact.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.