Despite limited case law, U.S. Courts consistently treat cryptocurrency like any other movable or intangible product. Although the unregulated cryptocurrency market was expected to produce novel theories and complicated opinions, the reality is the pronounced strength of a simple negligence argument. Failing to reasonably secure a digital environment creates the potential for liability – even if a criminal element caused the actual damage.
On April 27, 2022, the Northern District of California issued an opinion in Fraser v. Mint Mobile, LLC, refusing to dismiss a lawsuit against a cell phone carrier for acts of negligence that resulted in cryptocurrency theft. And, two days ago, the Southern District of California received a complaint seeking class action status against a cryptocurrency exchange for basic negligence. Both cases attempt to demonstrate defendant malfeasance through a simple duty, breach, and proximate cause analysis – despite the presence and plotting of unknown thieves.
Even with attenuation between the defendant’s omission and the realized damages, the Fraser Plaintiff survived a Motion to Dismiss, claiming that his mobile carrier’s (Mint) failure to adhere to its own security protocols resulted in SIM hacking and theft of currency from his digital wallet. Claims under the Computer Fraud and Abuse Act and California’s Unfair Competition law failed, but allegations for breach of implied contract and negligence survived initial court scrutiny.
An initial response to the facts in Fraser is “WTF does SIM Hacking have to do with Cryptocurrency?” Valid question with a surprisingly simple answer: smart phones mimic the owner’s identity. In Fraser, Mint Mobile suffered two data breaches on June 8 and June 10, 2021, during which phone numbers, account numbers, and other personal identifying information of its customers were stolen. On June 11, 2021, a criminal armed with the stolen information opened a new mobile telecommunications account with a different carrier and ported the victim’s telephone number and service to the criminal’s new phone.
Within only one hour and eleven minutes of transferring the mobile telecommunications account from the victim’s control to the criminal’s new fraudulent account, the criminal began “draining” the victim’s cryptocurrency account. The Fraser Plaintiff argued that on June 8, 2021, he implemented two-factor authentication with Mint, which required both a password and pin to make changes to his account. The petition alleged that Mint not only bypassed this security feature, but also waited approximately 1 month before notifying its customers – thereby providing the criminals a substantial head start.
Using a “but-for” test, the Fraser court connected the dots between Mint’s failure to confirm Plaintiff’s multifactor authentication setup and the cryptocurrency theft, noting that SIM Hacking is a real and well-known threat to consumers. While the criminal element undoubtedly presented an “independent and superseding factor” outside Mint’s control, Mint increased the risk of harm to the Plaintiff and the foreseeability of theft.
On May 2, 2022, the Southern District of California received the complaint in Sarcuni, et al v. bZx, et al, in which cryptocurrency investors (the plaintiffs) asserted negligence claims against the bZx crypto-exchange and its owners for failure to implement the advertised security features. Pointing to two insecure blockchain platforms infiltrated by cyber criminals, the plaintiffs alleged that a simple phishing email to a single employee resulted in a November 2021 theft of tokens and irreversible damages.
Despite advertising “world class security” and promising “minimized risk” to its investors, plaintiffs claim that bZx failed to implement sufficient security procedures, including appropriate employee supervision, to prevent the successful phishing of one developer from resulting in $55 million in stolen cryptocurrency. A motion to dismiss is likely coming soon from bZx, but with the recent holdings in Fraser v. Mint, the criminal element that attacked bZx is highly unlikely to shield it from continued litigation.