U.S. government agencies continue to take action against cryptocurrency mixing services that enable cybercriminals to obfuscate the trail of stolen proceeds on public blockchains stemming from illicit cyber activity. On November 29, 2023, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned another virtual currency mixing

Last month, the Commodity Futures Trading Commission (CFTC) announced settled charges against three decentralized finance (DeFi) protocols for various registration and related violations under the Commodity Exchange Act (CEA) during the relevant period of investigation.  As a result, each entity paid a civil monetary penalty and agreed to cease violations of the CEA.  According to a statement by Commissioner Kristin N. Johnson, these latest settlements are the first time the CFTC charged a DeFi operator (e.g., Opyn, Inc. and Deridex, Inc.) with failing to register as a swap execution facility (SEF) or designated contract market (DCM). Moreover, these latest enforcements against DeFi entities arrive soon after the CFTC’s successful enforcement and default judgment against Ooki DAO, which the CFTC alleged was operating a decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform and was violating the CEA (prior coverage of the Ooki DAO enforcement can be found here).

Unlike traditional corporate entities with a typical hierarchical structure, a decentralized autonomous organization (“DAO”) – a management structure that uses blockchain technology – functions as a leaderless entity. Without a formal corporate structure, DAOs instead operate by distributing governance rights among persons who hold a specific governance token. Consequently, federal and state courts have been grappling with how to consider a DAO under existing laws that were traditionally interpreted against long-standing corporate entities.

As discussed in a prior post, DAOs allow individuals to organize and coordinate at arm’s length, and rely on code (a “protocol”) to govern and execute functions traditionally determined by governing documents, like operating agreements and articles of formation, and undertaken by executives. A DAO’s protocol is committed to a public ledger on a blockchain, which guarantees accessibility and transparency. Each member is granted governance rights – the ability to propose and approve initiatives, called proposals – through a governance token. In light of their unique makeup, DAOs lack centralized leadership and a typical top-down management structure.

Accordingly, parties have debated whether a DAO should be recognized as a general partnership under state corporation laws (i.e., N.Y. P’ship Law §10: “an association of two or more persons to carry on as co-owners a business for profit….”) or, in the case of the Commodity Futures Trading Commission’s (“CFTC”) Ooki DAO enforcement, whether a DAO could be deemed an “unincorporated association” under the Commodity Exchange Act (“CEA”). Following the filing of the CFTC’s enforcement action, it is not surprising that the structure of the Ooki DAO, and the CFTC’s enforcement action against the DAO itself, has garnered a lot of media attention and industry reaction, and has raised novel legal issues.

Several questions have arisen in recent years regarding the potential liability of DAO members:

  • While DAOs are emerging as a viable structure in the DeFi space, does their non-traditional makeup necessarily shield them from real world liability?
  • Does a DAO’s structure render its activities “enforcement proof” or, at the very least, difficult to effect traditional service of process upon?
  • Can a DAO be an “unincorporated association” under federal or state law?
  • Who should be liable for the decisions made by a DAO?
  • Because token holders participate in the DAO’s governance, can they be deemed personally liable for its actions (akin to the general partners in a general partnership), even if each governance token holder is essentially unknown to the other DAO members, who likely reside in multiple jurisdictions?

On September 22, 2022, the CFTC announced an order simultaneously filing and settling charges against bZeroX, LLC (“bZeroX”) and its creators for illegally offering leveraged and margined retail commodity transactions in digital assets, operating as an unregistered futures commission merchant and failing to conduct KYC on its customers. According to the CFTC, a month prior to this settlement announcement, bZeroX transferred control of the bZx Protocol to the bZx DAO, a decentralized autonomous organization (“DAO”), which later renamed itself as the Ooki DAO.  On the same day as the bZeroX settlement was announced, the CFTC filed an enforcement action against the Ooki DAO (successor to bZeroX) for violating those same regulations.  The CFTC stated that bZeroX and its creators engaged in this unlawful activity in connection with their decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform.  The transactions executed on bZeroX, and subsequently on the Ooki DAO, were required to take place on a registered designated contract market.  Additionally, the complaint asserted that bZeroX and Ooki DAO were operating as unregistered futures commission merchants by soliciting and accepting orders from customers, accepting money or property as margin and extending credit.

The structure of Ooki DAO, and the CFTC’s enforcement action against the DAO itself, has garnered a lot of media attention (and industry reaction) and raised novel legal issues.

In late October, a New York district court refused to dismiss the Department of Justice’s (DOJ) indictment against defendant Nathaniel Chastain, who was charged with wire fraud and money laundering relating to his using insider knowledge to purchase non-fungible tokens (NFTs) prior to them being featured on OpenSea, an online NFT marketplace, and later selling them at a profit. (U.S. v. Chastain, No. 22-cr-305 (S.D.N.Y. Oct. 21, 2022)). Despite the headlines and the fact that the DOJ’s press release labeled this enforcement as charges brought in “the first ever digital asset insider trading scheme,” the Chastain indictment was not actually based on the typical insider trading statutes involving securities law violations, but instead the federal wire fraud statute.  Indeed, despite having an insider trading flavor, the word “security” does not appear in the indictment and the court, in refusing to dismiss the DOJ’s wire fraud claim, ruled that the Government’s wire fraud claim does not require the presence of a “security.”

Back in 2013, the first cryptocurrency matter hit our desks. That was the beginning of the exponential growth of our digital assets practice. Recognizing the importance of the area, we launched this blog, Blockchain and the Law. In our first cluster of posts, we covered topics such as cryptocurrency taxation, blockchain and privacy, and issues surrounding initial coin offerings (or ICOs), one of the hottest issues at that time and a practice that still garners SEC scrutiny in 2022 (interestingly, there is still no consensus around when a digital asset, outside of Bitcoin, which is considered a commodity, is a “security”).

Today, blockchain-based innovations continue apace, continuously offering new opportunities (and raising challenges). In the push toward Web3 – with its decentralized, permissionless, tokenized core – there are a variety of new technologies and innovations, from DeFi to DAOs to NFTs to fan tokens to the Merge to the metaverse.  We have been privileged to work with many of the most dynamic clients in helping them build businesses around these advances.

We were thrilled to host a three-day symposium from September 19-21, 2022 to highlight some of the hottest legal and business issues affecting digital assets, featuring a full slate of discussions among our attorneys and guests from the industry.  At the symposium, we programmed virtual panels across a range of topics: SEC enforcement and securities regulation of digital assets, asset manager considerations surrounding digital assets, employee compensation and benefits issues, cryptocurrency AML considerations, digital assets in bankruptcy, decentralized autonomous organizations (DAOs), and sports and media trends and issues in Web3.  The final day of the event culminated in an in-person reception and a “Voices from the Industry” panel featuring an eclectic group of executives from across the digital asset space talking about issues that are top of mind.  In the span of a few days, we learned a lot.

In what is the New York Department of Financial Services’ (NYDFS) first enforcement action against a NYDFS-licensed “virtual currency business,” on August 1, 2022, the agency announced a $30 million settlement with cryptocurrency investing platform Robinhood Crypto, LLC (“RHC”). The settlement addressed charges stemming from what the NYDFS cited as various deficiencies during 2019-20 of RHC’s Bank Secrecy Act (BSA) and anti-money laundering (AML) program and RHC’s cybersecurity obligations under the agency’s Virtual Currency “BitLicense” regulation (23 NYCRR Part 200) and Cybersecurity Regulation (23 NYCRR Part 500), among other things.

NYDFS has been active in crypto regulation for many years. In 2015, New York was the first state to promulgate a comprehensive framework for regulating virtual currency-related businesses. The keystones of the BitLicense regulations are consumer protection, anti-money laundering compliance and cybersecurity rules that are intended to place appropriate “guardrails” around the industry while allowing innovation. In addition, NYDFS’s Cybersecurity Regulation went into effect in March 2017 and generally requires all covered entities, including licensed virtual currency businesses, to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. Licensed virtual currency companies are subject to the same AML and cybersecurity regulations as traditional financial services companies.

Recently, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, released a report on ransomware trends stating that during the first half of 2021, 68 different ransomware variants extracted approximately $600 million from victims across the country. FinCEN identified Bitcoin as the most common ransomware-related payment method in reported transactions and noted that ransomware incidents requesting Monero (XMR) – what FinCEN refers to as an anonymity-enhanced cryptocurrency – are increasing as hackers seek to reduce the transparency and traceability of such transactions.

Given this environment, the White House and Treasury Department have sought to counter the ransomware threat by taking a number of actions, including holding a virtual two-day multinational summit on ransomware, conducting classified threat briefings for critical infrastructure executives, and establishing some expected cybersecurity thresholds for critical infrastructure providers. Compounding these efforts, the Treasury Department is leveraging existing Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls that already apply to fiat currency and enforcing them more deliberately toward virtual currency to combat ransomware attacks.

Two days after the White House issued its October 13, 2021 Fact Sheet detailing these anti-ransomware efforts, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued its “Sanctions Compliance Guidance for the Virtual Currency Industry” (“Guidance”).