Digital Currency & Blockchain Quarterly Litigation Update

Key Takeaway: A complaint filed on April 24 marks the fourth time in 2024 that participants in the digital assets industry have filed lawsuits affirmatively challenging the SEC’s authority to regulate digital assets — one headlined by the operator of a proposed decentralized exchange, one by a boutique retailer that issues tokens to promote its products, one by digital asset trade organizations challenging the SEC’s Dealer Rule, and the latest by Consensys, which seeks a declaratory judgment that ETH is not a security. The lawsuits open up another front in the industry’s efforts to obtain regulatory clarity from the SEC.

The LEJILEX Lawsuit

The first lawsuit came in February 2024, when LEJILEX, the operator of a proposed decentralized exchange, joined forces with the Crypto Freedom Alliance of Texas (CFAT), a Texas-based digital-asset trade organization, to file a declaratory judgment action against the SEC in the US District Court for the Northern District of Texas, Fort Worth Division. LEJILEX v. SEC, No. 24-cv-168 (N.D. Tex. filed Feb. 21, 2024). The plaintiffs’ complaint asks the district court to declare that “secondary-market sales of digital assets … are not sales of securities” under US securities laws, and to enjoin the SEC “from bringing an enforcement action against LEJILEX or similarly situated CFAT members premised on any purported failure to register as securities exchanges, brokers, or clearing agencies.”

LEJILEX and CFAT argue that the SEC has no authority to regulate digital assets because digital assets generally are not “securities” — specifically, “investment contracts” — because a “security” requires “ongoing obligations on the part of the issuer or seller toward the buyer.” Stand-alone digital assets and the secondary sale of those assets, the plaintiffs contend, “do not constitute ‘investment contracts,’” because an investment contract requires “an exchange of capital for some ongoing stake in the common enterprise into which the investor is becoming vested, with a corresponding obligation on the issuer or seller to manage that enterprise for the investor’s benefit and share resulting profits.” 

The plaintiffs also argue that the “major questions” doctrine prevents the SEC from regulating digital assets, because the near-century-old securities laws could not have been intended to charge the SEC with regulating the new innovation of digital assets.

(These arguments may seem familiar because they are similar to the ones raised by the centralized exchanges defending against the SEC’s enforcement actions and most recently rejected in SEC v. Coinbase, a case separately discussed below.)

LEJILEX alleges that it “faces a genuine threat” of an SEC enforcement action once it launches its proposed decentralized exchange, “just as the SEC has recently done to other digital asset platforms (including Bittrex, Coinbase, Binance, and Kraken).” CFAT contends that the SEC’s digital-asset enforcement activities have “negatively affected [it] twice over,” because its members face the same threat as LEJILEX, and the SEC’s broad assertion of jurisdiction over digital assets makes it “harder for CFAT to convince Texas policymakers to develop and adopt the sensible policies that the Texas digital asset industry needs.”

The Beba Lawsuit

Approximately one month after the LEJILEX lawsuit was filed, Beba LLC and the DeFi Education Fund filed a lawsuit in the US District Court for the Western District of Texas, Waco Division, captioned Beba LLC v. SEC, No. 24-cv-153 (W.D. Tex. filed Mar. 25, 2024). Like the LEJILEX lawsuit, the Beba action seeks a declaratory judgment that the SEC lacks the authority to regulate digital assets. But the Beba challenge tacks on an additional claim: that the SEC has a “policy” of treating digital assets as securities, and that the SEC adopted that “policy” without undertaking notice and comment rulemaking, as required by the Administrative Procedure Act (APA).

Beba sells duffel bags, backpacks, and wallets handcrafted by tailors in Kenya. Beba developed and gave away a digital asset, the BEBA token, to use in conjunction with Beba’s sales of merchandise. For example, individuals holding more than 200 BEBA tokens could buy a Beba-produced Ndovu Duffel at a discounted price. 

In the past, Beba has distributed its tokens through an “airdrop” giveaway. Beba would like to conduct another airdrop but fears that the BEBA token, which is tradeable on third-party exchanges, might be viewed as a security in light of the SEC’s enforcement actions. Beba contends that its tokens are not securities because they are not “investment contracts” within the meaning of the securities laws, and that the SEC lacks clear authority under the “major questions” doctrine to regulate digital assets.

Similar to LEJILEX, Beba seeks a declaratory judgment that states: (1) “Beba’s first airdrop … is not an unlawful sale of securities”; (2) Beba’s “planned second airdrop … is not an unlawful sale of securities”; and (3) “BEBA tokens themselves are not investment contracts.” Beba has also asked the district court to conclude that the SEC violated the APA by “adopt[ing] a new unwritten policy that nearly all digital assets are securities and the majority of transactions involving digital assets are securities transactions,” and to vacate that “policy.”

The Dealer Rule Challenge

On April 23, 2024, CFAT and the Blockchain Association filed a lawsuit in the Northern District of Texas’s Fort Worth division, challenging a recently finalized SEC rule that broadened the definition of “dealer” (Dealer Rule) under the Securities Exchange Act of 1934, as amended (the Exchange Act). Crypto Freedom Alliance of Texas v. SEC, No. 24-cv-361 (N.D. Tex. filed April 23, 2024) (CFAT). CFAT is the first litigation challenge to the Dealer Rule by the digital assets industry.

The Dealer Rule interprets the Exchange Act’s definition of “dealer” to include any market participant that “engages in a regular pattern of buying and selling securities that has the effect of providing liquidity to other market participants by”: (1) “[r]egularly expressing trading interest that is at or near the best available prices on both sides of the market”; or (2) “[e]arning revenue primarily from capturing bid-ask spreads, by buying at the bid and selling at the offer, or from capturing any incentives offered by trading venues to liquidity-supply trading interest.” Further Definition of “As a Part of a Regular Business” in the Definition of Dealer and Government Securities Dealer in Connection with Certain Liquidity Providers, 89 Fed. Reg. 14,938 (Feb. 29, 2024).

During the SEC’s notice-and-comment period for the Dealer Rule, the digital assets industry expressed concerns about the impact that the Dealer Rule would have on decentralized finance (DeFi), in particular the liquidity provided through DeFi products, structures, and activities. Industry participants remarked that the Dealer Rule was intended to solve problems that may not exist in the digital assets industry; they warned that promulgating the Dealer Rule might dry up liquidity in the digital assets market and discourage innovation not just in digital assets but also Web3 more generally. Participants in the industry asked the SEC to carve out digital assets from the scope of the Dealer Rule.

The SEC responded to the industry’s concerns with a terse statement in the final Dealer Rule that “[t]he dealer framework is a functional analysis based on the securities trading activities undertaken by a person, not the type of security being traded.” Crypto assets, the SEC said, would not be treated differently: “the Commission is not excluding any particular type of securities, including crypto asset securities, from the application of the final rules.”

Unlike LEJILEX and Beba, the CFAT lawsuit is not a broad challenge to the SEC’s authority to regulate digital assets, although that issue is certainly embedded in the plaintiffs’ allegations. Rather, the two trade groups have alleged that the Dealer Rule violates the APA in multiple ways.  

First, the plaintiffs argue that the SEC exceeded its statutory authority by changing the definition of “dealer” from the traditional understanding — a definition that turns on “the kinds of services a person offered to customers” — to one based on a post hoc determination of market effects. DeFi offerings, the plaintiffs assert, would have fallen outside of the traditional definition but are now swept into the new one articulated by the Dealer Rule. CFAT and the Blockchain Association contend that the effects are far-reaching and staggering: participants in liquidity pools who make passive contributions and who engage in transactions “executed by operation of [automated market maker] software” may be treated as dealers, subject to the full array of regulatory obligations that dealers must undertake to comply with the Exchange Act.

Second, CFAT and the Blockchain Association assert that the SEC acted arbitrarily and capriciously in brushing aside serious concerns raised by the digital assets industry. Because the SEC has failed to provide guidance on when a digital asset constitutes a security, it is impossible to tell when the Dealer Rule might apply to digital assets. The plaintiffs also contend that the SEC failed to address the industry’s square-peg-in-round-hole concerns: that the Dealer Rule addresses problems that simply do not arise in the DeFi context. And, according to the plaintiffs, the SEC acted arbitrarily and capriciously by failing to address the many adverse impacts that the Dealer Rule would have on the digital assets industry.

CFAT was determined by the court to be “related” to another case challenging the Dealer Rule, National Association of Private Fund Managers v. SEC, No. 24-cv-250 (N.D. Tex. filed Mar. 28, 2024), and both cases are now before Judge Reed O’Connor in the Northern District of Texas. 

Consensys Challenges the SEC’s ETH “Power Grab”

For years, the digital assets industry and regulators alike have understood that Ether cryptocurrency (ETH) is not a security. The SEC said as much in 2018, when its Director of the Division of Corporation Finance stated: “current offers and sales of Ether are not securities transactions.” The Commodity Futures Trading Commission followed suit by asserting regulatory jurisdiction, with its chairs declaring that “ether is a commodity” and that ETH falls “within the commodity regime.” 

Against that backdrop, Consensys developed its MetaMask wallet software, which, among other things, allows individuals to self-custody their ETH. The MetaMask platform has two features of note: MetaMask Swaps, which allows users to buy, sell, or exchange tokens (including ETH) through decentralized exchanges operated by third parties; and MetaMask Staking, which allows users to deposit ETH into a third-party liquid staking protocol.

After some recent equivocation, the SEC appears to have backtracked on its long-held position on ETH, now taking the view that ETH is a security. On April 10, 2024, the SEC sent Consensys a Wells notice, which expressed the enforcement staff’s view that Consensys unlawfully acted as an unregistered broker-dealer by operating its Swaps and Staking features. (According to Consensys, the SEC has also taken the position that MetaMask Staking constitutes the unlawful offer and sale of unregistered securities.) The Wells notice, Consensys revealed, was the culmination of about two years’ worth of investigative activity.

Consensys filed a pre-enforcement challenge in the Northern District of Texas, Fort Worth division, seeking a declaratory judgment that the SEC lacks jurisdiction over ETH because ETH is not a “security” — specifically, an “investment contract.” Consensys Software Inc. v. Gensler, No. 24-cv-369 (N.D. Tex. filed April 25, 2024). Consensys’ arguments about why ETH is not an “investment contract” are similar to the arguments raised in LEJILEX and Beba: “Consensys’ sales of ETH lack … [a] contractual undertaking” to “deliver value at a later date”; “ETH holders have no expectation in the income, profits, or assets of any business”; and there is no ”central manager or promoter for … investment profit,” and the “major questions” argument. Consensys also raises an argument unique to ETH: that the SEC seeks to “pull the rug out” from underneath Consensys “by deeming ETH a security.” According to Consensys, it relied on the SEC’s representations about ETH being “outside its domain” in building its business “around the Ethereum blockchain,” and “launching features such as MetaMask Swaps … and MetaMask Staking.” Consensys alleges that the SEC’s about-face in treating ETH as a security deprives it of fair notice that would make any enforcement action a violation of due process. Consensys also denies that MetaMask Swaps and MetaMask Staking violate securities laws—they are software interfaces, Consensys claims, not “broker activity” or an offer and sale of securities.

Consensys seeks both declaratory and injunctive relief that prevents “the SEC from continuing any investigation or commencing an enforcement action against Consensys based on the premise that Consensys’ transactions in ETH are securities transactions.” It also asks the court to hold that the SEC violated the APA by characterizing ETH as a security, despite its prior position that ETH is a commodity. It also asks the court to conclude that the SEC has no statutory authority to investigate or bring an enforcement action against Consensys regarding the Swaps or Staking features of its MetaMask software.

The Road Ahead

The SEC may file a motion to dismiss in LEJILEX, Beba, and Consensys. In doing so, the agency may raise a number of jurisdictional arguments that, if successful, would prevent the reviewing courts from reaching the merits. Although the Fifth Circuit’s decision in Braidwood Management, Inc. v. EEOC, 70 F.4th 914 (5th Cir. 2023), opened the door to declaratory judgment actions like the ones brought by the LEJILEX and Beba plaintiffs, we expect that the SEC will challenge the plaintiffs’ standing and test the Fifth Circuit’s observation in Braidwood that “[n]ot every case in which a governmental authority has so far chosen not to prosecute can overcome the standing barrier.” Id. at 929 n.27. The SEC may argue that the threat of enforcement is not “sufficiently concrete” and that there are no “clear harms hanging over plaintiffs’ heads.” Id. The SEC may also argue that the plaintiffs’ challenges are not the kind of pre-enforcement challenges permitted by Braidwood. Braidwood involved religious exemptions to the Title VII framework, while LEJILEX and Beba raise questions about whether the securities framework applies at all.

Beba may face an additional hurdle in its claim that the SEC should have engaged in notice-and-comment rulemaking before adopting a policy that treats most digital assets as securities. The SEC is likely to argue that the described policy governs its enforcement discretion, which is not reviewable under the APA. 5 U.S.C § 701(a)(2) (the APA applies “except to the extent that agency action is committed to agency discretion by law”). The SEC may also contend that the policy is not a “final agency action” because it is ultimately not the SEC that determines the rights and obligations of token issuers — i.e., whether digital assets are “securities” — but the court that decides the fate of any enforcement action that the SEC brings. 

Because Consensys has received a Wells notice, it may not face some of the jurisdictional challenges that LEJILEX and Beba may encounter. Indeed, it may be able to argue that there is a concrete risk of imminent harm caused by the SEC’s overreach: the SEC has indicated that it may take action against Consensys soon. Still, the SEC may argue that Consensys’ legal arguments are best saved for an enforcement action — and that questions about whether ETH is an “investment contract,” or whether Consensys was deprived of fair notice, are best suited in such an action, if such an action should arise. In addition, Consensys’ APA claims may face the same uphill climb as Beba's APA claim: the SEC may argue that the agency action characterizing ETH as a security is an exercise of enforcement discretion unreviewable under the APA, or that the characterization is not sufficiently “final” to be reviewed. 

As for CFAT, recent activity in the related Private Fund Managers case seems to indicate that the SEC will proceed straight to summary judgment, which is the norm in APA cases, because judicial review is based on the administrative record developed during the rulemaking process. (In other words, there is usually no discovery, and the court can decide the merits right away.) While it is possible that the SEC may raise jurisdictional arguments as part of its summary-judgment briefing, the fact that CFAT involves a more targeted challenge to a discrete and final action taken by the SEC makes jurisdictional arguments less likely than in LEJILEX and Beba. 

Key Takeaway: The SEC’s service of a Wells notice on Uniswap Labs marks a significant step toward what could be the SEC’s first enforcement action against a decentralized exchange, and it signals a potential escalation of the SEC’s practice of regulation by enforcement as it shifts focus to DeFi.

On April 10, 2024, in a blog post titled “Fighting for DeFi,” Uniswap Labs (Uniswap) issued a statement it had been served with a Wells notice from the Enforcement Division of the SEC. In its statement following the Wells notice, Uniswap challenged the SEC’s position that “most” tokens are securities, reasoning that “the overwhelming volume of traded tokens are definitively not securities — they are stablecoins, community and utility tokens, and commodities like Ethereum and Bitcoin.” Uniswap also criticized the SEC’s unwillingness to provide clarity or a path forward on registration for companies building technology on blockchains in the United States.

The statement went on to outline the transformative power of the Uniswap protocol, which it described as an “experiment to build software that embodied the benefits of the decentralized Ethereum blockchain” that has since become essential infrastructure on the blockchain markets, including (i) processing $2 trillion in transactions without a hack; (ii) integrating with thousands of applications built by teams around the world; and (iii) facilitating more than 2,000 replications of its open-source smart contract protocol.

While not sharing the Wells notice itself, the statement set forth legal arguments in response to potential SEC claims. The statement argued that the SEC lacks authority to pursue its potential claims, citing Judge Analisa Torres’ decision in SEC v. Ripple Labs, Inc., 20-cv-10832 (S.D.N.Y. filed July 13, 2023), for the proposition that secondary market transactions in digital assets generally do not constitute investment contacts, and Judge Katherine Polk Failla’s decision in Risley v. Universal Navigation Inc., 22-cv-2780 (S.D.N.Y. filed Aug. 29, 2023), for the proposition that Congress, rather than the SEC, should be responsible for addressing crypto regulation. The statement also argued that the Uniswap protocol should not constitute an unregistered exchange or unregistered broker, citing Judge Failla’s recent ruling in the case of SEC v. Coinbase, 23-cv-4738 (Mar. 27, 2024), which held that Coinbase’s operation of its noncustodial wallet did not require it to register as a broker, even if it takes fees. Finally, the statement argued that the protocol’s governance token, UNI, does not meet the legal definition of an “investment contract” under Howey, since (i) there is no contract or promise between Uniswap Labs and the token holders; and (ii) there is no common enterprise because the token’s value is not dependent solely on Uniswap Lab’s efforts. The statement further stated that the Uniswap technology ecosystem is sufficiently decentralized, like Bitcoin or Ethereum.

Uniswap Labs has indicated its intention to fight against the SEC’s allegations if an enforcement action is ultimately brought, which is poised to be one of the most closely watched disputes of the coming year.

Key Takeaway: On April 3, 2024, a former holder of LDO tokens filed an amended class action complaint against the governing body of the liquid staking protocol Lido, alleging that Lido’s LDO is an unregistered security and that the Lido decentralized autonomous organization (Lido DAO) is liable for the plaintiff’s losses attributable to the decline in the token price. The outcome of this lawsuit could have significant implications for the Lido DAO, LDO token holders, and the broader DeFi and blockchain community, including the potential liability that could accrue to institutional investors in decentralized projects.

Lido is a liquid staking protocol that allows users to delegate ETH to a network of validators and earn staking rewards. Lido users can also obtain derivative tokens called stETH that can be used in connection with other applications. The Lido network is governed by the holders of LDO, the governance token of the Lido DAO. Lido has the largest total value locked of any liquid staking derivative, with more than $30 billion worth of cryptocurrency currently locked within its contracts.

The case of Samuels v. Lido DAO, 23-cv-6492 (N.D. Cal.), arises from a lawsuit filed by Andrew Samuels on behalf of a class of LDO token holders against Lido DAO, as well as AH Capital Management LLC, Paradigm Operations LP, Dragonfly Digital Management LLC, and Robot Ventures LP (collectively, the Investor Defendants). With regard to Lido DAO, the complaint alleges that Lido DAO began as a “general partnership” led by institutional investors, which later decided to sell LDO tokens to the public by allegedly convincing centralized exchanges to list the tokens for sale, thereby providing liquidity for the original institutional investors. The complaint further alleges that the DAO was originally set up with the goal of avoiding regulatory scrutiny because “[t]he Lido DAO is a fully-decentralized organization with no legal entities.”

With regard to the Investor Defendants, the complaint alleges that they effectively controlled the governance function, since 64% of the LDO tokens are allegedly “dedicated to the founders and early investors” and therefore “ordinary investors like Plaintiff are unable to exert any meaningful influence on governance issues.” The complaint borrows recent statements from SEC Chairman Gary Gensler, arguing that that the LDO token is a security “because there’s a group in the middle [between the tokens and investors] and the public is anticipating profits based on that group.”

The plaintiff filed an amended complaint on April 3, 2024, which expanded upon the allegations raised in its initial pleading, including (i) describing how the institutional investors in Lido were allegedly identified as key “strategic partners” and members of the “Lido family”; (ii) providing further details about the process Lido allegedly went through to get the LDO governance tokens listed on exchanges, including submitting listing applications to the centralized exchanges; and (iii) compiling evidence of alleged “touting” on social media, including screenshots of posts about the token listing and the price of LDO, and encouraging the public to participate in governance. The amended complaint also described the plaintiff’s attempts to contact the Lido DAO and how the DAO had not yet communicated directly with the plaintiff or the court.

As of this writing, no counsel has entered an appearance on behalf of Lido DAO. The defendants’ motions to dismiss are due to be filed on May 2, 2024. 

Key Takeaway: The SDNY continued its pattern of finding that digital assets may constitute securities under the Howey Test, holding that the SEC adequately alleged that Coinbase, a publicly traded digital assets exchange, violated the Exchange Act by selling securities without registering, and that its staking program violated securities laws. Importantly, however, the court held that the SEC did not adequately plead that Coinbase’s noncustodial wallet required registration as a broker.

On March 27, 2024, Judge Failla of the Southern District of New York, in the case of SEC v. Coinbase, Inc., No. 23-cv-4738 (S.D.N.Y. filed Mar. 27, 2024), ruled on Coinbase’s motion for judgment on the pleadings pursuant to Federal Rule of Civil Procedure 12(c). The court held that the SEC had adequately alleged that Coinbase’s trading platform violates Section 5 of the Securities Act of 1933, as amended (the Securities Act) for operating an unregistered exchange, Section 17(A)(b) of the Exchange Act for failing to register as a clearing agency and as a broker pursuant to Section 17(A)(b) of the Exchange Act, and found control liability pursuant to Section 20(a) of the Exchange Act. The court also rejected Coinbase’s argument that the SEC had violated the “major questions” doctrine, the Due Process Clause, and the APA by bringing this action. Importantly, however, the court did grant Coinbase’s motion as to its wallet, finding it did not need to register as a broker.

At issue were several of Coinbase’s services for its customers, including (i) a trading platform that facilitates intermediated transactions in hundreds of different digital assets; (ii) Prime, a trading platform for institutional customers; (iii) a staking program; and (iv) a noncustodial wallet. The SEC alleged that each of these services violated federal securities laws. Coinbase filed a motion for judgment on the pleadings pursuant to Federal Rule of Civil Procedure 12(c).

The court first addressed the “major questions” doctrine, finding that the cryptocurrency industry “falls far short” of being a “‘portion of the American economy’ bearing ‘vast economic and political significance.’” The court also found that the SEC was not acting outside of its authority. Similarly, the court rejected Coinbase’s arguments that the SEC violated Coinbase’s rights under the Due Process Clause for failure to provide notice and violated the APA.

In regard to the exchange claims, the court examined by way of exemplar two of the 13 tokens named in the SEC complaint, Solana and Chiliz. Based upon its analysis of these two tokens, the court found that the SEC had plausibly alleged at least some of the 13 tokens identified in the complaint were investment contracts and thus securities pursuant to SEC v. W.J. Howey Co., 328 U.S. 293 (1946). It also rejected Coinbase’s assertion that because these tokens were sold on a secondary market, they were not investment contracts. In doing so, the court rejected the decision in SEC v. Ripple Labs, which found dispositive the manner of sales such that the sales of tokens on secondary markets (i.e., exchanges) were not securities transactions. The court also rejected the argument that investment contracts require a written contract.

The court found that Coinbase’s staking program violated Sections 5(a) and 5(c) of the Securities Act because this too was an investment contract. The court found persuasive, among other factors, that users’ digital assets were transferred by Coinbase to an omnibus wallet controlled by Coinbase, Coinbase then stakes these assets in connection with its own nodes and those picked by Coinbase, it then distributes the profits on a pro rata basis after deducting its commission, and that Coinbase marketed its program as generating returns for its customers.

The court, however, found that the SEC failed to plead adequate facts demonstrating that Coinbase acts as a broker pursuant to 15 U.S.C.§§ 78c(a)(4)(A) by making its noncustodial wallet available to consumers. The Exchange Act defines a broker as “any person engaged in the business of effecting transactions in securities for the account of others.” The court found that Coinbase’s wallet did not implicate many of the standard factors used to assess whether a person is required to be registered as a broker. Specifically, the court found that the SEC did not allege that “the [w]allet application negotiates terms for the transaction, makes investment recommendations, arranges financing, holds customer funds, processes trade documentation, or conducts independent asset valuations.”

While the court found that Coinbase’s alleged active solicitation, comparing of prices, routing of customer orders, and charging compensation were broker-like activities, these factors were not enough to trigger the registration requirement. In particular, the court held that Coinbase’s routing activities were not done in a manner consistent with services traditionally performed by brokers, because Coinbase does not provide “trading instructions to third parties or direct[] how trades should be executed." The court further noted that Coinbase does not perform any important trading functions for its users, because it “has no control over a user’s [digital assets] or transactions via the [w]allet, which product simply provides the technical infrastructure for users to arrange transactions on the other DEXs in the market. Id. Similarly, the software’s ability to find the best value for the trade did not constitute the same measure of activity as routing or making investment decisions.

Key Takeaway: On March 18, 2024, a federal judge took the unusual move of sanctioning attorneys for the SEC for intentionally misleading the court about evidence used to obtain a temporary restraining order to freeze the assets of Utah-based crypto company Debt Box. In a scathing 80-page order issued March 18, 2024, Judge Robert J. Shelby of the District of Utah criticized the SEC’s conduct as “a gross abuse of the power entrusted to it by Congress” that “substantially undermined the integrity of these proceedings and the judicial process.”

The case of SEC v. Digital Licensing Inc., No. 23-cv-00482 (D. Utah), stemmed from allegations that Debt Box and others functioned as unregistered cryptocurrency brokers and offered and sold unregistered securities, lied to investors, and misappropriated funds for personal gain. In July 2023, the SEC sought an order to freeze Debt Box’s assets, arguing that a temporary restraining order (TRO) was necessary because the SEC had evidence that Debt Box and its principals had taken efforts to evade law enforcement and move assets overseas to the United Arab Emirates. After an ex parte hearing, the court issued a TRO that froze the defendants’ assets and appointed a receiver. In September 2023, two groups of defendants moved to dissolve the TRO, arguing, among other things, that the SEC “made two sweeping claims of exigency” in support of its ex parte TRO application, neither of which were true, providing bank records to support their positions.

Based upon the evidence presented at the hearing that followed, in November 2023, the court reversed the restraining order and asset freeze and issued an order to show cause (OSC) directing the SEC to show why the court should not impose sanctions for its conduct in obtaining and defending the TRO. SEC attorneys admitted their statements were “inaccurate” and based on a “misunderstanding” but argued that sanctions were not warranted because they had not engaged in any bad-faith conduct. The SEC then filed a motion to dismiss, without prejudice, the entire action and to vacate the OSC hearing.

The court rejected the SEC’s characterization of events, remarking that SEC attorneys were “attempt[ing] to subtly shift the language to gloss over and perpetuate the misconduct.” The court found that not only had the SEC made false statements to obtain the TRO, but the SEC had also exacerbated its misconduct by affirming and reiterating the false statements previously made and by communicating additional false and misleading statements to the court after being confronted with evidence of its errors. The court noted it was “deeply troubl[ed]” by the “reflect[ion] [of] a misapprehension that SEC attorneys are not only exempt from binding ethical obligations but also operate above the traditional adjudicative process.”

Holding that the SEC’s conduct constituted subjective bad faith and “a gross abuse of the power entrusted to it by Congress and substantially undermined the integrity of these proceedings and the judicial process,” the court imposed sanctions of attorneys’ fees and costs for all expenses arising from the TRO and appointment of the receiver, including the receiver’s costs and fees — expenses that were directly traceable to the SEC’s misconduct. The court also denied the SEC’s motion to dismiss.

Key Takeaway: The Second Circuit reversed the SDNY, holding that the US-based class action plaintiffs had sufficiently alleged that the US court had jurisdiction over the company due to Binance’s assertion it had no location and its alleged use of US-based servers to accept the US residents’ trades.

In the case of Williams v. Binance, 22-972 (2d Cir.), on March 8, 2024, the Second Circuit reversed the Southern District of New York’s decision dismissing the plaintiffs’ securities class action complaint against Binance.com (Binance) on the grounds that the lawsuit against Binance constituted an impermissible extraterritorial application of securities laws under Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010).

The plaintiffs, all US residents, allege that Binance, a digital assets exchange, violated Section 12(a)(1) of the Securities Act by selling digital securities in the form of tokens without registering as a securities exchange, and that the tokens purchased on Binance are now at a fraction of their value when the plaintiffs purchased them from Binance. Binance filed a motion to dismiss, alleging, among other things, a lack of jurisdiction. Binance asserts it has no physical headquarters in any jurisdiction and operates in a decentralized manner. The plaintiffs, however, allege that in the United States, Binance has servers, employees, and customers; that each plaintiff purchased its tokens on Binance from the United States; and that Binance targeted US customers in its marketing and customer support.

The Second Circuit, in applying Morrison, found that the plaintiffs, by claiming that they purchased tokens in the United States, effectuated through the US-based servers, had sufficiently alleged “that two transactional steps giving rise to an inference of irrevocable liability occurred in the United States. First, the transactions at issue were matched, and therefore became irrevocable, on servers located in the United States. Second, Plaintiffs transacted on Binance from the United States, and pursuant to Binance’s Terms of Use, their buy orders became irrevocable when they were sent.” The court noted that Binance “has not registered in any country, purports to have no physical or official location whatsoever, and the authorities in Malta, where its nominal headquarters are located, disclaim responsibility for regulating Binance.” This lack of location troubled the court; it noted that the “answer to where that matching occurs cannot be ‘nowhere.’” Consequently, the court found the allegations sufficient to plead that the matching occurred on US servers and, therefore, in the United States Further, since the facts alleged fail to identify any other jurisdiction, the court found no comity issues barred jurisdiction here in the United States. The court separately found jurisdiction proper because Binance denies having any location, and the plaintiffs have “plausibly alleged that irrevocable liability attached when they entered into the Terms of Use with Binance, placed their orders, and sent payments from the United States.”

The Second Circuit also rejected the defendants’ claims that the plaintiffs’ claims were untimely. The court found that none of the claims brought pursuant to federal securities statutes began to accrue until after they made their token purchases.

Key Takeaway: On January 10, 2024, the SEC approved a series of applications for proposed spot bitcoin exchange traded products (ETPs). This approval follows an August 29, 2023, decision from the US Court of Appeals for the DC Circuit finding that the SEC’s prior decision to deny approval for Grayscale Investments LLC’s proposed spot bitcoin ETP was arbitrary and capricious, in violation of the APA. The DC Circuit’s ruling and subsequent SEC approvals have been hailed as a major victory for the crypto industry. The victory stands as an important reminder that federal courts continue to be an important check on the power of government agencies.

Prior to the ruling, the SEC had denied all attempts to list bitcoin ETPs, including Grayscale’s June 2022 proposal to convert its existing bitcoin trust into a bitcoin ETP. The SEC’s position was based on its determination that the proposed ETPs did not meet the requirement of the Exchange Act that ETPs be “designed to prevent fraudulent and manipulative acts and practices.” In stark contrast, the SEC had approved two bitcoin futures ETPs. Grayscale appealed the SEC’s determination, arguing, among other things, that the SEC had acted arbitrarily and capriciously when it treated Grayscale’s proposed product differently than the previously approved products without adequate explanation. A three-judge panel of the DC Circuit ruled unanimously in Grayscale’s favor.

In making this determination, the Court of Appeals undertook a two-part analysis. First, the court determined that Grayscale’s proposed bitcoin ETP was similar across “relevant regulatory factors” to the SEC-approved products. Next, the court considered whether the SEC had adequately explained why Grayscale’s bitcoin ETP should be treated differently from the two approved bitcoin futures ETPs. For this analysis, the DC Circuit looked to how the SEC analyzed the products under its two-part “significant market test,” which the SEC uses to satisfy the Exchange Act’s requirement that products be “designed to prevent fraudulent and manipulative acts and practices.” Under that test, there must be “a reasonable likelihood that a person attempting to manipulate the ETP would ... have to trade on [the related] market to successfully manipulate the ETP,” and it must be “unlikely that trading in the ETP would be the predominant influence on prices in [the surveilled] market.”

The SEC had determined that Grayscale’s proposed bitcoin ETP failed under both prongs. But the court observed that, based on the available record, the risk of fraud and manipulation for the approved bitcoin futures ETPs was not materially different than the risk of fraud and manipulation for Grayscale’s contemplated spot ETP offering. So, under the first part of the SEC’s two-part test, the court found that the SEC should have reached the same result for Grayscale’s proposed spot ETP product as it did for the approved bitcoin futures ETPs. The DC Circuit determined that the SEC’s failure to explain the differential treatment made its decision to deny Grayscale’s application arbitrary and capricious. The court concluded that the SEC’s analysis of the second prong was unconvincing for similar reasons, because the SEC’s analysis for the approved bitcoin futures ETPs could have applied with equal force to Grayscale’s proposed product.

A cardinal rule of administrative law is that an agency must treat like products in the same way. The Grayscale decision provides the SEC with a cautionary tale that it cannot “pick and choose” winners by treating similar products differently, and that any decision-making related to a crypto product should be based on the particulars of the product.

Key Takeaway: Venture capital funds continue to be targets in securities class action litigation against crypto projects. In such cases, plaintiffs have brought federal securities claims against venture capital funds on the grounds that they (1) sold or solicited the sale of unregistered securities; (2) are liable for illegal smart contracts; and (3) are control persons of the crypto project. Venture capital funds should factor the litigation risk associated with such claims into their investment decisions. 

Venture capital funds continue to be named as defendants in securities class action litigation against crypto projects. A good example of this trend is the recent securities litigation against Uniswap Labs, Risley v. Universal Navigation Inc., d/b/a Uniswap Labs, 22-cv-2780 (S.D.N.Y. filed April 4, 2022).  In August 2023, Judge Failla of the Southern District of New York held that the creators of the decentralized digital asset exchange do not violate the federal securities laws when third parties use the exchange to trade unregistered securities, finding (1) that individuals do not enter into a legal contract with Uniswap when they access the exchange’s smart contracts; and (2) Uniswap is not the “seller” of the tokens merely because it wrote the underlying computer code for the smart contracts. The plaintiffs appealed to the US Court of Appeals for the Second Circuit. The appeal is ongoing. The venture capital funds filed their appellate brief on April 12, 2024, which illustrates the sorts of claims that venture capital funds may face in connection with crypto projects.

In the Uniswap securities litigation, the plaintiffs seek to recover the purchase price of tokens purchased on the Uniswap protocol because of alleged misconduct (e.g., “rug pull” and “pump and dump” schemes) by the “issuers” of those tokens — specifically, the parties that created the tokens and made them available on the Uniswap protocol. In so doing, the plaintiffs seek to hold venture capital funds (among other defendants) liable for declines in the value of the tokens due to that alleged misconduct. Another case to watch is Young v. Solana Labs, Inc., 22-cv-3912 (N.D. Cal. filed July 1, 2022). On January 12, 2024, the plaintiffs filed an amended complaint, which continued to include venture capital firm Multicoin Capital Management LLC as a defendant. The defendants filed their motion to dismiss on April 11, 2024; we expect a decision on their motion later this year.

The plaintiffs allege that (1) the venture capital funds invested millions of dollars in Uniswap Labs (the company that developed code underlying the Uniswap protocol) in multiple rounds of fundraising; (2) investors wrote smart contracts, wrote white papers, and read and explained others’ smart contracts and white papers; and (3) investors helped source candidates, conduct interviews, and make introductions.

At the same time, the plaintiffs acknowledge the statements of the founder of Uniswap Labs that (1) he set strategy and made decisions; (2) he never felt that investors sought to exert control over the direction of Uniswap Labs; and (3) investors deferred to him with respect to important decisions.

The plaintiffs assert three different types of federal securities claims against the unaffiliated venture capital funds (which they lump together):

Sellers of Unregistered Securities: The plaintiffs assert claims under Section 12(a)(1) of the Securities Act for selling or soliciting the sale of unregistered securities. The plaintiffs allege that the venture capital funds were sellers with respect to every transaction on the Uniswap protocol because the defendants (including the venture capital funds) wrote, controlled, and maintained the smart contracts on the Uniswap protocol. The plaintiffs also allege that the venture capital funds solicited their purchases based on statements by Uniswap Labs and its founder about the Uniswap protocol.

Rescinding Smart Contracts: The plaintiffs assert claims under Section 29(b) of the Exchange Act, which permits a party to rescind an illegal contract with another party. The plaintiffs seek to rescind their purchases of tokens through smart contracts, alleging that (1) there was contractual privity between the plaintiffs and the venture capital funds for all transactions on the Uniswap protocol because the venture capital funds helped create the smart contracts on the Uniswap protocol; and (2) those smart contracts were illegal because they violated the Exchange Act.

Control Person Liability: The plaintiffs assert claims under Section 15 of the Securities Act and Section 20 of Exchange Act against the venture capital funds as “control persons.” The plaintiffs allege that the venture capital funds controlled Uniswap Labs because of (1) their investments in Uniswap Labs; and (2) the operational experience that they provided to Uniswap Labs.

The ultimate decision by the Court of Appeals with respect to the plaintiffs’ claims should help clarify the litigation risk associated with investments in crypto projects.

Key Takeaway: As global adoption of digital assets continues to grow, there has been a corresponding uptick in cyberattacks within the crypto industry, and a corresponding focus on cybersecurity by private litigants, regulators, and enforcement agencies. Cybersecurity risks will continue to expose the crypto industry to civil litigation and regulatory enforcement actions by government agencies.

In response to cyberattacks on digital asset exchange platforms, a common response by token holders — whether the holder fell victim to a phishing attack or other targeted scheme, or the platform itself was subject to an attack and breach — is to sue the platforms, exchanges, and even telephone carriers for failing to implement adequate security measures to protect the holders or for failing to stop the transmittal of stolen funds. For instance, alleging a loss of funds due to a cyberattack on the platform, users of Atomic Wallet filed suit last year for the platform’s failure to protect against security vulnerabilities and implement best practices. See Meany v. Atomic Protocol Systems, No. 23-cv-01582 (D. Colo. filed Jun. 21, 2023). In a case recently argued before the Ninth Circuit Court of Appeals on March 8, a digital asset holder brought an action against AT&T after $24 million was stolen from his crypto accounts through a “SIM-swapping” attack through which a hacker intercepted the holders’ texts and telephone calls. Terpin v. AT&T Mobility, No. 18-cv-6975 (C.D. Cal. filed Aug. 15, 2018). In another case involving a victim of a “SIM-swapping” attack, Dellone v. Coinbase, Inc., a digital asset holder brought an action against Coinbase, AT&T, and the unidentified hackers, alleging that Coinbase was negligent in its duty to safeguard the holder’s sensitive personal and financial information and failed to implement reasonable cybersecurity protocols consistent with industry standard, governmental regulations, and its own internal policies. No. 23-cv-01408 (E.D. Cal. filed Sept. 26, 2023).

Companies are also fighting back with their own lawsuits against hackers and scammers. For instance, on April 4, 2024, Google brought a complaint against a group of alleged crypto scammers under the Racketeer Influenced and Corrupt Organizations Act (RICO), alleging that the scammers defrauded more than 100,000 people across the globe by uploading fraudulent investment and crypto exchange apps to Google Play. Google LLC v Sun et al., No. 24-cv-2559 (S.D.N.Y. filed Apr. 4, 2024). According to the complaint, the defendants’ fraud scheme has caused Google to expend substantial resources to detect, deter, and disrupt the defendants’ actions in order to protect Google users and Google’s product and services and has impaired Google users’ confidence and trust in Google, its services, and its platforms.

As cybersecurity threats continue to increase, government agencies are tightening regulations and bringing corresponding enforcement actions to strengthen cybersecurity policies and procedures for cryptocurrency companies. For instance, on November 1, 2023, the New York State Department of Financial Services (DFS) announced the Second Amendment to its Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, a regulation that requires financial services firms to develop and implement cybersecurity programs to prevent and mitigate cyberattacks. While the regulation has been effective since January 1, 2017, the November 2023 amendments require companies to comply with enhanced regulatory changes, including additional controls to prevent unauthorized access to information systems and regular risk and vulnerability assessments, by April 29, 2024. A recent enforcement action underscores DFS’ focus: in January, DFS entered into a consent order with cryptocurrency company Genesis Global Trading that requires the company to pay an $8 million penalty to New York State for failure to comply with DFS’ virtual currency and cybersecurity regulations. The order called out the company’s failure to keep its cybersecurity program in lockstep with the company’s overall growth, failure to adequately protect consumer nonpublic information, and noncompliance with several areas of Regulation 500.

Cybersecurity risks are an ever-present issue and risk for any business, and the crypto industry is no exception.