In the wake of digital heists, legal redress remains scarce for victims suing cryptocurrency platforms and mobile service providers accused of inadequately safeguarding users' assets, including crypto wallets and phone numbers.
Despite the rise in cybercrime, complaints blaming cryptocurrency theft on companies' lack of security fell to just 11 cases in 2023, after peaking at 20 new cases a year earlier, according to an analysis by Bloomberg Law docket data. The main reason victims cannot find redress in court is private arbitration provisions that save the largest cryptocurrency exchanges and mobile service providers from litigation, filings show.
Arbitration and other contractual protections, such as liability limits, are protecting these popular targets from cryptocurrency theft hacks, including cryptocurrency exchanges.
"We're seeing a lot more legal sophistication in the cryptocurrency industry, and we typically see that with new and emerging technologies," Wortman said. "The other aspect besides enforcing arbitration is putting limits on liability," because until a few years ago cryptocurrency companies had not established contractual protections "that were sophisticated enough to enforce."
Cryptocurrencies have been an especially popular financial target for hackers and ransomware attacks because they are more difficult to trace than more traditional financial transactions that use US currency. The decline in lawsuits seeking monetary recovery fits with recent investigation revealing that while hacking incidents increased in 2023, the total value stolen from crypto exchanges more than halved in one year, according to blockchain analysis firm Chainalysis. Of the new lawsuits filed in 2022, only one remains active, while seven were dismissed and eight were taken to arbitration.
Two of the lawsuits filed last year were voluntarily dismissed but the other nine remain active. More than half allege that a customer's cryptocurrency was stolen through a scam called SIM swapping in which hackers take an individual's phone number and use it to log into their accounts.
"We're possibly seeing an over-focus on publicly filed litigation because remember, we're just seeing publicly filed litigation over SIM swapping, because there's someone else to sue," he said. Brenda Sharton, global chair of Dechert LLP's cybersecurity practice. That makes mobile service companies โattractive targets,โ she added.
"If it's phishing, who are you going to sue?" she said.
Legal lessons
A possible explanation for the sudden drop may be that the plaintiffs' bar association has not found cryptocurrency cases profitable, he said. Sterling MillerCEO and Senior Attorney at Hilgers Graben PLLC.
Most cryptocurrency theft litigation has been brought by individual victims, and few class-action lawsuits have been filed over elaborate and targeted hacking campaigns. Most complaints end up dismissed or sent to private arbitration before a monetary settlement is reached. Juries almost never participate, according to data from Bloomberg Law.
In-house attorneys should take note of settled litigation as examples of successful methods for ending cases and avoiding litigation over cryptocurrency theft, Miller said. General counsel should make sure their โterms and conditions have an arbitration provision and a no class action provision,โ because courts typically uphold them, she said.
One of the few class action lawsuits still active involves claims that Atomic Wallet's lax cybersecurity protections allowed North Korean cybercriminals to steal more than $100 million in funds from approximately 5,500 user wallets.
Avoiding lawsuits through arbitration also helps companies avoid public disclosures, from unwanted media attention to court records; Companies facing certified class action lawsuits must notify state and federal regulators. These disclosures open โdoors that you want to stay closed no matter what,โ said Wortman, who also advises clients on financial services regulation.
Wortman said an open question in the case law is whether cryptocurrencies qualify as funds under the Electronic Funds Transfer Act of 1978, as he said district courts have issued divergent rulings in cases alleging violations of the law.
Cyber โโdefenses
Cryptocurrency theft peaked in 2022, when hackers stole a total of $3.7 billion in funds, according to the Chainalysis report. In one of the largest crypto cybersecurity incidents of the year, hackers stole approximately 600 million dollars from gaming blockchain company Ronin.
"Most of the time these are common law negligence claims, and these are very sophisticated threat actors," Sharton said. "So you can have a cutting-edge program and still get hacked."
Even though cryptocurrency hacks intensified in 2023, only $1.7 billion in funds were stolen, according to Chainalysis. This was likely due to a combination of beefed up platform security and the decline in value of widely used tokens like Bitcoin that year, Wortman said.
โHigh-profile compromises of exchanges and wallets caused several companies to fail due to a lack of trust,โ Ken Westin, director of field information security at cyber threat detection firm Panther, said in an email. Labs.
"There has been a lot more attention paid to protecting crypto wallets after some of the large account compromises," he said.
