2022 In Review: Crypto Litigation, Compliance, Cybersecurity And Enforcement – Fin Tech

2022 was a defining year for cryptocurrencies and other crypto
assets. As valuations plummeted, litigation proliferated, and the
“crypto winter” caused several high-profile crypto
bankruptcies. Meanwhile, government regulators moved from
watch-and-wait to a more active enforcement role. Amid these
trends, crypto assets continued to raise novel legal questions and
challenges for those involved in their development, sale and use,
while also presenting new fact situations involving far less novel
legal questions and challenges.

This Advisory continues Arnold & Porter’s ongoing series
on cryptocurrencies and digital assets by summarizing key
litigation and enforcement actions and examining themes and trends
in general commercial litigation, intellectual property,
securities, bankruptcy, cybersecurity and compliance.

General Commercial Litigation

As crypto assets gain wider use and acceptance, they have
increasingly made appearances in general commercial disputes. In
most cases, the claims being brought do not hinge on the status of
the crypto assets themselves; instead, they center on other issues
such as the terms of a contract or a party’s fiduciary duties.
In at least one case this past year, however, the digital nature of
the subject assets has been determinative.

One example where the digital nature of the crypto assets played
only an ancillary role was Fattaruso v. Roche Freedman
.1 There, Paul Fattaruso sued his
former law firm, the litigation boutique Roche Freedman LLP,
alleging that the firm withheld nearly $1 million in compensation
and retroactively removed Fattaruso from the partnership, depriving
him of a two percent share in a cryptocurrency fee estimated to be
worth $250 million. Although the dispute concerned Fattaruso’s
share in what his complaint described as “cryptocurrency
tokens,” his claims were familiar: breach of contract, breach
of fiduciary duty, conversion and other standard commercial

On the other hand, the outcome in Rosenberg v. Homesite
Insurance Agency, Inc.
2 is dependent on
the treatment of the subject crypto assets. In this case, the
Rosenbergs sued their homeowners insurance issuer and underwriter
after it limited coverage for the theft of $750,000 worth of crypto
tokens, including $600,000 worth of SafeMoon tokens, that had been
stolen by hackers. The Rosenbergs’ insurance policy covered
theft of “personal property owned or used by an
‘insured’ while it is anywhere in the world,” but
capped coverage to $200 for “money, bank notes, bullion,”
and the like. In limiting coverage for the theft of the crypto
tokens, Homesite cited this special limit of liability. However,
the Rosenbergs have argued that there is a difference between
crypto coins, which “may resemble currencies used to
transact on a blockchain,” and crypto tokens, which
“more closely resemble alternative assets like art,
collectibles or commodities.” The Rosenbergs argue that since
the stolen SafeMoon tokens do not function as currency used for
transactions on any block chain, they do not fit any reasonable
definition of “money,” and their claim should not have
been subject to the special limit.

As crypto assets continue to grow in popularity and
cryptocurrency replaces fiat currency as a medium for conducting
some transactions, it comes as no surprise that crypto assets have
themselves become the thing of value being argued over. Moreover,
as we continue to grapple with questions about what crypto assets
are and how they should be treated within our existing frameworks,
disputes like the one in Rosenberg are likely to become
more common.

Intellectual Property

The rise of non-fungible tokens (NFTs) has raised numerous
intellectual property issues. One animating theme has been the
application of the likelihood-of-confusion doctrine, a central
concept in trademark law. Likelihood of confusion exists when the
allegedly infringing mark is likely to mislead the public into
incorrectly believing that the mark originated from or was endorsed
by the trademark holder.3 In 2022, litigation
involving likelihood-of-confusion arguments played out in various
shades in intellectual property disputes involving NFTs.

Yuga Labs v. Ryder Ripps4 provides
a straightforward example. Yuga Labs created the popular Bored Ape
Yacht Club (BAYC), a set of NFTs that are associated with digital
pictures of particular cartoon apes. Ownership of the NFT comes
along with certain rights and benefits, including a license to
display the associated image and to create derivative works using
the BAYC characters and brands; it also grants the owner entry into
an exclusive virtual clubhouse, Discord channel, and festival
called ApeFest. In its suit, Yuga Labs alleges that the defendant
Ryder Ripps created his own NFTs using BAYC images, with the only
difference being his use of the title “RR/BAYC” instead
of “BAYC.” If these allegations are true, BAYC would have
a strong case for likelihood of confusion and trademark
infringement; the goods and marks at issue are essentially
identical. In fact, Yuga Labs pleaded that Ryder Ripps actually
intended to confuse consumers about what they are buying.

Another likelihood-of-confusion case, Hermès v.
,5 shows how the doctrine
intersects in an artistic context with issues of freedom of
expression under the First Amendment. When allegedly infringing
trademarks are used artistically, the Second Circuit has held that
courts must balance the “public interest in avoiding consumer
confusion” against the “public interest in free
expression.”6 In the
Hermès case, Mason Rothschild created 100 original
digital images depicting blurry versions of luxury Birkin handbags,
selling them as “MetaBirkin” NFTs. Hermès, the
owner of the Birkin trademark, sued Rothschild for infringement. In
denying Rothschild’s motion to dismiss, the court found that
Hermès pleaded sufficient facts to support a conclusion that
Rothschild had intended to associate the NFTs with the popularity
and goodwill of Hermès’s Birkin mark, rather than
intending a mere artistic connection, and that the NFTs had
confused the public into believing that the NFTs were associated
with the company. Rothschild stated in interviews that the NFTs
were a tribute to the Birkin handbag, the court noted, and that he
“wanted to see as an experiment if [he] could create that same
kind of illusion that [the Birkin bag] has in real life as a
digital commodity.”

The digital nature of NFTs has also raised unique registration
and ownership questions, an issue central to the allegations in
Free Holdings Inc. v. McCoy.7 Free
Holdings alleges that the artist Kevin McCoy and Sotheby’s
falsely advertised that the Ethereum-Quantum NFT, which
sold at auction for $1.47 million, was the first ever NFT.
(Disclosure: Arnold & Porter is counsel for Sotheby’s in
this matter.) According to McCoy and Sotheby’s,
Quantum was “[o]riginally minted on May 3, 2014 on
[the] Namecoin blockchain,” an Ethereum-based protocol, and
was “preserved on a token minted on May 28, 2021 by the
artist.” But Free Holdings asserts that it is the
true owner. According to Free Holdings, the Namecoin blockchain
requires a user who controls a Namecoin record to periodically
update the record every 35,999 blocks, which amounts to
approximately 200-250 days; when McCoy failed to update the
Namecoin-Quantum blockchain record for seven years, Free
Holdings claimed it. Free Holdings is asking the court to declare
that it is the rightful owner of the Namecoin-Quantum NFT
and that statements made by McCoy and Sotheby’s were false and
misleading, among other remedies. McCoy and Sotheby’s are
robustly defending the claim and consider it to be without merit.
The defendants have moved to dismiss, and that motion presently is
pending before the court.

These cases show how the unique qualities of crypto assets have
interplayed with traditional intellectual property doctrines,
bringing out old questions in new contexts and asking new questions
altogether. So far there have not been any easy answers, and we
expect that as courts are forced to grapple with them, new
interpretations and applications will emerge.


Much of the attention this past year has focused in securities
litigation. The US Securities and Exchange Commission continued its
focus on registration and disclosure requirements for
cryptocurrencies and other crypto assets in 2022, reflecting Chair
Gary Gensler’s view that many crypto platforms and crypto
tokens may fall under the SEC’s jurisdiction. In 2022, the SEC
brought a number of high-profile enforcement actions in the crypto
space. These include actions against companies offering crypto
tokens and their promoters, including a settlement with social
media influencer Kim Kardashian for allegedly touting a crypto
asset on social media without disclosing the payment she received
for the promotion.

Among the most legally significant developments in the SEC’s
actions were two cases testing the limits of the agency’s
jurisdiction. Following dozens of enforcement actions brought since
2017 alleging that various crypto tokens are securities, the
SEC’s case against Ripple Labs, Inc. and two of its
executives8 has continued to play out in the
Southern District of New York, with both parties moving for summary
judgment in December 2022. The closely watched lawsuit, first filed
in December 2020, alleges that XRP, a crypto coin created by
Ripple, is a security and should have been subject to SEC
regulations, including those requiring registration. In response,
Ripple has characterized XRP as a non-investment asset, and
therefore not subject to the SEC’s jurisdiction. In addition,
in November 2022, the SEC obtained a high-profile victory against
blockchain publisher LBRY Inc.,9 where the
district court in New Hampshire was the first to hold that a token
not distributed through an initial coin offering
nevertheless constituted a security. LBRY argued that its digital
token, LBC, was not a security because it was not being offered as
an investment opportunity; rather, it was designed for use on a
decentralized “content marketplace” by content creators
and audience members.

The highest profile matter in 2022, however, stemmed from the
collapse of crypto trading platform FTX after a rush of customer
withdrawals led the platform to declare bankruptcy. The unraveling
led to parallel criminal and civil enforcement actions, in addition
to bankruptcy and other related suits by FTX account holders. The
SEC and the US Commodity Futures Trading Commission filed civil
actions against Sam Bankman-Fried, FTX’s co-founder and former
CEO; Zixiao (Gary) Wang, FTX’s other co-founder and former CTO;
and Caroline Ellison, the former CEO of Alameda Research LLC, an
affiliated hedge fund, and all three were charged in the Southern
District of New York, with Ellison and Wang pleading guilty to
charges that include securities fraud relating to FTX-affiliated
tokens. Among other things, the authorities have alleged that
Bankman-Fried and others orchestrated a years-long fraud to conceal
from FTX’s investors (1) the diversion of FTX customers’
funds to Alameda; (2) special treatment for Alameda on the FTX
platform, including Alameda’s near-unlimited “line of
credit” funded by the platform’s customers and exemption
from certain key risk-mitigation measures; and (3) risks stemming
from FTX’s exposure to Alameda’s significant holdings of
overvalued, illiquid assets such as FTX-affiliated tokens. The
government also alleged that Bankman-Fried used commingled FTX
customers funds to make undisclosed venture investments at Alameda,
lavish real estate purchases and large political donations.

The SEC’s aggressive pursuit of companies involved in
cryptocurrency and digital assets has positioned it as the likely
primary regulator of this space, consistent with Chair Gensler’s persistent focus on
. While many industry players and several members of
Congress have called for an industry-wide rulemaking process, the
SEC has indicated that it will continue its practice of issuing
enforcement orders and registering individual companies in the
meantime as a means of ensuring transparency and protecting
investors. The SEC’s activities in 2022, with the Division of
Enforcement expanding its crypto asset unit with designated trial
attorneys and the Division of Corporation Finance also creating a crypto assets unit and announcing crypto disclosure expectations,
show the SEC’s leadership role in the regulation of
cryptocurrency and digital assets. Further, while we do not know
the genesis of all of the SEC’s enforcement actions, we do know
that whistleblowers have been submitting a significant number of
tips to the Commission related to crypto. For the first time,
Initial Coin Offerings and Cryptocurrencies broke the top three in
whistleblower allegations—14 percent of whistleblower tips
submitted in FY 2022 were related to the topic. Given the sharp
increase in tips this year, we expect whistleblowers to be a source
of future investigations in this area.


October 2021 was the peak of the golden age for crypto with a
cryptocurrency market at a valuation of over $2 trillion. However,
the “crypto winter” of 2022 resulted in plummeting asset
values across the cryptocurrency space. While the FTX chapter 11
filing dominated the headlines in November, it was merely a domino
in a sequence of other failed crypto businesses in 2022. The
dominos began to fall with the implosion and subsequent bankruptcy
filing on July 1, 2022 of the crypto hedge fund Three Arrows
Capital (3AC) following the violent and sudden collapse of the Luna
and TerraUSD cryptocurrencies in May 2022. Shortly after 3AC’s
bankruptcy filing, crypto lender Voyager Digital (Voyager) sought
bankruptcy protection after 3AC defaulted on its $665 million loan
from Voyager. The bankruptcies of Celsius Network (Celsius), FTX,
and BlockFi followed, and there may be others on the horizon.

Among the many novel issues that arise in crypto bankruptcy
cases, one in particular has been front and center: are crypto
assets deposited into customer accounts property of the customer or
property of the bankrupt crypto company’s estate?

Just after the calendar flipped to 2023, Chief Judge Martin
Glenn of the Bankruptcy Court in the Southern District of New York
issued perhaps the most notable decision to date in In re
Celsius Network LLC, et al.
10 Asked to
decide whether Celsius could sell its customers’ cryptocurrency
assets held in Celsius’ Earn Accounts, which required a
determination of whether such assets were property of Celsius’
bankruptcy estates or property of the customers, Judge Glenn ruled
that Celsius’ “Terms of Use formed a valid, enforceable
contract between [Celsius] and Account Holders, and that the Terms
unambiguously transfer title and ownership of Earn Assets deposited
into Earn Accounts from Account Holders to
[Celsius].”11 Thus, the Earn Assets
(cryptocurrency assets, including stablecoins) in Celsius’s
Earn Accounts became property of Celsius’ bankruptcy estate as
of the bankruptcy filing. The applicability of Judge Glenn’s
holding to other bankrupt crypto companies will depend on the
specific terms of use customers agreed to with those companies, as
well as the type of account at issue. Litigation over the ownership
of deposited cryptocurrency assets and other novel issues arising
in crypto bankruptcies will likely take years—customers and
other stakeholders will take note as the crypto industry tries to
weather this storm and regain market confidence.


Owners of platforms that store and exchange crypto assets have
become frequent targets of cyberattacks, raising their risk of
exposure to cybersecurity-related lawsuits. Because crypto assets
move seamlessly according to digital protocols, criminals have
found ways to exploit vulnerabilities within the system to access
and steal crypto assets and quickly resell them.
Transactions—including thefts—are typically
irreversible; and even when stolen goods are frozen on one
platform, they can usually be quickly resold on a different
platform. With few government regulations currently in place, and
facing the challenges of successful government investigations and
prosecutions across transnational boundaries, victims have
increasingly come to depend on private litigation to attempt to
recoup the value of stolen assets.

One common thread this year has been litigation over company
representations about the level of security of their platforms and
the insurance coverage of assets held on the platforms. In
Kattula v. Coinbase Global, Inc.,12
plaintiffs in a proposed class action allege that the
cryptocurrency exchange Coinbase Global, Inc. failed to adequately
implement measures to prevent cryptocurrency stored on the platform
from being stolen by hackers. The plaintiffs claim that statements
made by Coinbase about the security of assets entrusted to the
platform were misleading and constituted an unfair and deceptive
practice under Georgia state law. The plaintiffs say that Coinbase
held itself out on its website as the “most trusted” and
“most secure” cryptocurrency platform and that assets
held online are protected by an “extensive insurance

Plaintiffs in the proposed class action Aggarwal v.
Coinbase, Inc.
13 have gone even further,
alleging that Coinbase’s representations were fraudulent. The
Aggarwal plaintiffs have pointed to a variety of
representations Coinbase made on its website, social media and in
search engine marketing, including that it offers “best in
class storage,” has “industry-leading security,”
that it is the “most trusted crypto exchange,” that it
uses “state-of-the-art encryption,” that “your
assets are protected,” and that it offers “multifaceted
risk management programs designed to protect customers’
assets.” The plaintiffs have asserted that Coinbase’s
claim that it had “never been hacked,” was false; in
fact, according to the Aggarwal plaintiffs, customer funds
had been stolen several times and security breaches are endemic to
Coinbase’s system.

The plaintiff in IRA Financial Trust v. Gemini Trust
Company, LLC
14 has alleged that crypto
asset exchange Gemini Trust Company similarly misrepresented the
security of its platform. The plaintiff, which provides
self-directed retirement accounts for customers, claims that
hackers stole crypto assets held for its customers on the Gemini
platform. The plaintiff alleges that when it decided to allow
customers to purchase crypto assets for their retirement accounts,
it did so in reliance on statements made by Gemini about the
platform’s “security-first mentality,” its
“leading security program” and its insurance coverage for
digital assets.

These cases demonstrate the importance of investing in
cybersecurity protections and accurately representing the crypto
firm’s history regarding cyberattacks. For platform users,
these cases may demonstrate the importance of sustained and
extensive diligence into the cybersecurity claims and cybersecurity
experiences of the platforms which they are considering for
fiduciary uses. It also bears noting that cybersecurity continues
to be a priority of the SEC’s National Exam Program and its
Division of Enforcement, enlarged and renamed as the Crypto Assets and
Cyber Unit
, which focuses on violations related to digital
assets, cybersecurity controls, disclosures of cybersecurity
incidents and risks, trading on the basis of hacked nonpublic
information, and cyber-related manipulations, such as brokerage
account takeovers and market manipulations using electronic and
social media platforms. For most platforms, it seems to be a
question not of if but when criminals will
attempt to get access to the firm’s platform and to assets
stored on that platform. Given the potential variations among
crypto firms in asset security—and therefore the importance
of asset security in differentiating their
offerings—companies will need to find a balance between
asserting their competitive edge and making claims they can later
defend, if necessary, in litigation.


Although cryptocurrency has many valuable uses, the past year
has demonstrated that it is also becoming the
payment method of choice for a wide range of scams
. Depending on their operations, many crypto
companies are subject to laws and regulations applicable to
traditional banks, including anti-money laundering and trade
sanctions laws. Financial regulators are increasingly showing a
willingness to pursue enforcement actions against crypto industry
participants for perceived unsafe and unsound practices or failures
to meet AML obligations.

Anchorage Digital Bank, N.A., which specializes in digital asset
custody, made headlines in January 2021 when it became the first crypto firm to receive a national trust bank
from the Office of the Comptroller of the Currency.
Less than a year later, however, the OCC ordered Anchorage to overhaul its BSA/AML
compliance program
and conduct an independent lookback review
of prior transactions.

More recently, the Department of Treasury’s Office of the
Foreign Asset Control and Financial Crimes Enforcement Network
imposed civil money penalties on two cryptocurrency exchanges for
deficiencies in their sanctions compliance programs. In October,
OFAC levied a $24 million fine against Bittrex,
for apparent violations of multiple sanctions programs,
including those prohibiting US companies from doing business with
Iran, Sudan, Syria Cuba, and the Crimea region of Ukraine.
Importantly, according to OFAC, Bittrex knew or should have known
that its customers were located in the sanctioned parts of the
world based on their physical address information collected at
customer onboarding and their IP addresses, but failed to screen
this customer information. In a separate but parallel action,
FinCEN assessed a civil money penalty to Bittrex in the amount of
$29 million for allegedly failing to implement and maintain an
effective AML program.

In November, Payward Inc. d/b/a Kraken agreed to pay a
six-figure penalty to OFAC and to invest an additional $100,000 in
certain sanctions compliance controls after Kraken allegedly
processed cryptocurrency transactions for individuals located in
Iran. OFAC found that although Kraken had maintained controls
intended to prevent users from opening an account while in a
sanctioned location, it failed to timely implement geolocation
tools, including an automated IP address blocking system.
Specifically, Kraken allegedly allowed users to establish their
accounts outside of sanctioned jurisdictions but then failed to
block those users from transacting in Iran.

Earlier this month, the New York State Department of Financial
Services imposed a $50 million fine on Coinbase, Inc. and ordered it to invest an
additional $50 million in its compliance program after it found
failures in Coinbase’s compliance program that violated New
York Banking Law and DFS’s virtual currency, money transmitter,
transaction monitoring and cybersecurity regulations. DFS’s
consent order detailed that after an examination and subsequent
enforcement investigation, DFS found that Coinbase’s BSA/AML
program was inadequate for a financial services provider of
Coinbase’s size and complexity.

These enforcement actions highlight the challenges
cryptocurrency companies may face when implementing compliance
frameworks, which must be designed to address the compliance risks
attendant to these new and evolving technologies. It is also clear
that the federal and state financial regulators will exercise their
enforcement authority to maintain customer confidence in the US
financial system.


In 2021, many crypto assets hit all-time price highs,
accompanied by the growth of new companies seeking to capitalize on
cryptocurrencies and other crypto assets. In 2022, a cooling
economy and market volatility led to a “crypto winter,”
generating plummeting prices, crypto company bankruptcies, and
renewed skepticism of the entire crypto industry. While many of the
enforcement actions and litigation from 2022 represent a
continuation of previous developments, the crypto industry has
borne the brunt of additional scrutiny from both individuals and
government regulators. The resulting litigation and enforcement
actions have spanned the gamut, highlighting both crypto’s
increasing use cases and unique aspects.

Enforcement actions and litigation continue to struggle with
fitting cryptocurrency and other crypto assets into existing legal
frameworks. But, although blockchain technology is new, many of the
relevant legal concepts are not. From likelihood of confusion to
whether crypto tokens constitute securities to anti-money
laundering compliance, the applicable doctrines are foundational to
the relevant area of law.

Moreover, while the blockchain technology on which crypto assets
operate is “decentralized,” private plaintiffs and
regulators have not suffered from a lack of targets. Many consumers
store and use crypto assets through centralized access points, such
as exchanges and wallet providers. In addition, entrepreneurs have
developed new cryptocurrencies or tokens and have piloted new uses
of blockchain technology. Across these various categories,
centralized points and novel applications have become the subject
of litigation and enforcement. Indeed, the very decentralization
and anonymity of blockchain technology, as well as the involvement
of unregulated or unsophisticated players, have made the crypto
space especially susceptible to fraud, from companies committing
fraud themselves to companies that are vulnerable to fraudulent
uses of their technology and systems by others.

Lastly, as Congress continues to contemplate regulation for the
crypto industry, we have seen litigation and enforcement actions as
an alternative means of enforcing compliance. These have ranged
from class actions to high-profile individual suits to enforcement
actions by the SEC, CFTC, OCC and OFAC. The likelihood of
litigation and enforcement has encouraged companies operating with
digital assets to re-examine their policies and procedures and to
enhance their compliance programs.

* Michael Treves contributed to this Advisory. Mr. Treves is
a graduate of New York University School of Law and is employed at
Arnold & Porter’s Washington, DC office. Mr. Treves is
admitted only in New York. He is not admitted to the practice of
law in Washington, DC.


1. Case No. 2022-005345-CA-01 (Fla. 11th Cir.

2. Case No. 0:22-cv-00691-WMW-JFD (D. Minn.).

3. See, e.g., Streetwise Maps, Inc.
v. Vandam, Inc.
, 159 F.3d 739, 743 (2d Cir. 1998).

4. Case No. 2:22-cv-04355-JFW-JEM (C.D.

5. Case No. 1:22-cv-00384-JSR (S.D.N.Y.).

6. Rogers v. Grimaldi, 875 F.2d 994, 999 (2d
Cir. 1989); see, e.g., Twin Peaks Prods. v.
Publ’ns Int’l Ltd.
, 996 F.2d 1366, 1379 (2d Cir.

7. Case No. 1:22-cv-00881-JLC (S.D.N.Y.).

8. SEC v. Ripple Labs Inc., Case No.
1:20-cv-10832 (S.D.N.Y.).

9. SEC v. LBRY Inc., Case No. 1:21-cv-00260

10. Case No. 22-10964 (MG) (Bankr. S.D.N.Y. Jan. 4,

11. Id. at 30.

12. Case No. 1:22-cv-03250-TWT (N.D. Ga.).

13. Case No. 4:22-cv-04829-JSW (N.D. Cal.).

14. Case No. 1:22-cv-04672-AT (S.D.N.Y.).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.