Lawsuits against cryptocurrency exchanges, digital wallet providers, and mobile service companies following cyberattacks reached a new high in 2022, as hacking victims increasingly test unproven legal claims to recoup their crypto losses.
At least 50 individual lawsuits and proposed class actions have been brought since 2017 by victims—and occasionally companies—against entities they blame for failing to protect their crypto assets from hackers, a Bloomberg Law analysis of federal court dockets found. Fewer than 10 suits were being filed annually before the total jumped to 17 in 2021 and rose to 20 in 2022, the data show.
The cases against businesses like Apple Inc., Coinbase Inc., Gemini Trust Co. LLC, and AT&T Inc. claim losses ranging from as low as $4,600 to as high as $55 million—though roughly half allege crypto losses above $400,000.
The increase in litigation parallels the growing adoption of crypto amid rising cybersecurity threats. However, the success of such suits remains unclear due to a lack of precedential merits rulings, as well as obstacles like mandatory arbitration clauses that can keep those disputes out of court, attorneys and law professors said.
The majority of the lawsuits analyzed by Bloomberg Law fall into two categories: those targeting crypto trading exchanges and virtual wallet providers, alleging security measures failed to protect user accounts; and those accusing cellular providers of indirectly allowing hackers to access crypto accounts. A handful of cases also seek to learn the identities of the hackers.
Despite viability questions, the lawsuits still carry weight, said Moin Yahya, a law professor at the University of Alberta in Edmonton, Alberta.
“Notwithstanding that some of these cases will not see any recovery for the victims of hacking, there is still value in having these being brought,” Yahya said.
“As these cases get resolved by the courts, what will emerge is a clearer legal standard for what duties of care these various companies—whether it is the crypto exchanges or telecommunications companies that allow access to the exchanges—will owe their customers and users.”
Federal courts were the battleground for 94% of cryptocurrency-focused litigation in all areas, according to an empirical study by Yahya and University of Alberta Juris Doctor candidate Nicole Pecharsky recently published in the Southern Methodist University Science and Technology Law Review. The roughly 300 crypto-related cases filed from 2020 to 2022 that they identified included 18 addressing hacking—likely lower than Bloomberg Law’s findings due to limitations in his docket search platform, Yahya said.
In the Crosshairs
More than half of the lawsuits (28) in Bloomberg Law’s analysis were filed against mobile service providers—primarily T-Mobile Inc. and AT&T Inc. Complaints claimed the carriers were responsible for the “SIM-swap attacks” that allowed hackers to steal cryptocurrency.
A SIM-swap attack occurs when cybercriminals commandeer an individual’s cell phone number and transfer it to a new SIM card. Hackers often accomplish this by gaining access to a mobile carrier’s systems through phishing attacks that lure its employees into unknowingly installing malware, according to the FBI.
“Once hackers have control over the victim’s phone number, they can immediately use that control to access and take complete control of the victim’s personal online accounts, such as email and banking accounts, through exploiting password reset links and codes sent via text message to the now-hacker-controlled-phone or the two-factor authentication processes associated with the victim’s digital accounts,” one complaint filed against T-Mobile said.
SIM-swap attacks are an “industry-wide concern” among mobile service providers, a T-Mobile representative told Bloomberg Law in an emailed statement.
“T-Mobile invests heavily in measures designed to keep our customers safe,” the company’s representative wrote.
“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals,” a representative for AT&T said in an emailed comment. “We have security measures in place to help defeat them, and we work closely with law enforcement, our industry and consumers to help prevent this type of crime.”
The 28 SIM-swap cases reviewed by Bloomberg Law claimed a median loss of approximately $418,000 million in cryptocurrency, compared to a $200,000 approximate median reported in all other varieties of crypto-hacking litigation.
About 79% of the SIM-swap litigation analyzed was filed in 2021 and 2022, and the threat of such attacks is rising, according to the FBI.
Cryptocurrency trading exchanges and virtual wallets, which allow consumers to store their digital assets, collectively rank second on the list of litigation targets following a hack. Lawsuits against them account for 13 of the cases in the review.
Plaintiffs in these cases suffered direct hacks of their accounts or wallets and chose to directly sue the associated service provider.
“They’ll go where they think they have a greater chance of success,” Clifford Histed, a financial regulatory and litigation defense attorney at K&L Gates LLP, said of plaintiffs.
Six legal actions in the analysis were brought against “John Doe” defendants by a company or individual attempting to identify exactly who stole their cryptocurrency.
Filing lawsuits against unidentified persons allows for civil discovery actions, including court-approved depositions and subpoenas that can help a plaintiff identify and assign blame later down the road, Histed said.
Three cases Bloomberg Law analyzed included suits filed against third-party companies that stored the plaintiff’s crypto account information stolen by hackers. The complaints accused them of failing to protect data that later led to the theft of cryptocurrency.
Common Claims & Outcomes
Accusations of common-law negligence were included in 39 of the 50 cases analyzed by Bloomberg Law. The claim was likely popular in the crypto-hacking context because it’s a fundamental theory widely understood and used in the courts, Histed said, adding that it is also perceived as having a lower standard of proof.
The most frequently cited federal statute was the Federal Communications Act, which regulates telephone communications. The claim was referenced in all but six of the SIM-swap suits.
Litigation not pertaining to SIM-swap attacks most commonly included claims under the Computer Fraud and Abuse Act. The statute provides the legal basis for arguing that digital data is protected property, University of Alberta professor Yahya said.
Roughly a third of the 50 lawsuits stemming from cryptocurrency hacks remain active today, and all of the closed cases ended before producing substantive merits rulings.
About one-third of suits targeting companies, including T-Mobile and Coinbase, have been stymied by mandatory arbitration provisions in plaintiffs’ user agreements.
Arbitration provisions, which require dispute resolution outside of the judicial system, aren’t necessarily consumer friendly, said financial attorney Richard Borden of Frankfurt Kurnit Klein & Selz PC. A losing plaintiff could, for example, end up having to pay the winner’s attorneys’ fees, he said.
Other cases were dismissed voluntarily or on procedural grounds (14), and a handful of disputes ended in settlements (6).
The novelty of legal issues raised by crypto-hacking and the absence of any major rulings so far could fuel more action in the courts until regulators or policymakers step in, said Jiaying Jiang, a cryptocurrency law professor at the University of Florida.
“The impact of unclear guidance definitely will raise more cases,” Jiang said, though she cautioned that the volume of cases may also be market dependent.
While the number of crypto-hacking cases rose year over year from 2017 to 2022, it could fall in 2023 as the crypto market continues the nosedive highlighted by the implosion of exchange platform FTX Trading Ltd., attorneys and law professors said. The surge of new market participants will likely slow if cryptocurrency remains unstable, thereby reducing the pool of potential hacking victims, they said.
“That doesn’t necessarily mean that the rate of attack, the risk of attack is down,” said Michael Burshteyn, a cryptocurrency defense litigator at Morrison & Foerster LLP. “I think the risk of attack is continuously going to go up and has been. But you know, when the market fluctuates, you’re going to have a weird effect where the numbers actually look smaller.”
Litigation over hacked cryptocurrency also has a high bar of entry for individual consumers, Burshteyn said. Lawsuits are expensive, take a long time, and don’t guarantee full financial recovery, he said.
“What it boils down to is: Be really mindful as a consumer, as a participant in crypto, of your own security,” Burshteyn said.
Note: This story was derived from a keyword-search analysis of Bloomberg Law’s federal court docket system and only tallies primary defendants in each case.