THE PERILOUS REGULATORY VACUUM OF WEB3

[Also published on Law360]

Web3 is all the rage these days, but looking beyond the customary hype and flimflam touting the next big thing, there is also, unfortunately, a lot to worry about.

Consider three recent failures at three different digital asset marketplaces, which have all raised serious questions about the susceptibility of digital asset marketplaces to market manipulation, cyber-attacks and other variants of fraud and chicanery.

First, the popular cryptocurrency exchange Crypto.com paused withdrawals for 14 hours amid conflicting reports of some sort of security incident, which ultimately amounted to $31 million in stolen ether and bitcoin. What actually happened and how funds were actually stolen remains a mystery.

Second, a blockchain analytical group has determined that over 80% of NFT trading volume at LooksRare, one of the largest NFT marketplaces, is the result of fraudulently orchestrated manipulative trading practices by LooksRare users.

Third, in what’s being called the biggest cryptocurrency heist of 2022, cyber criminals have apparently stolen crypto assets worth $80 million from decentralized finance platform Qubit Finance.

Taken altogether, these instances (and many others just like them) provide a stark reminder of the lack of U.S. regulatory oversight relating to digital asset trading platforms and the extraordinary threat to investors posed by these so-called Web3 trading services.

Matt Damon and Crypto.com

By now, most people have already seen Matt Damon’s cringeworthy Crypto.com commercial, entitled Fortune Favors The Brave, which has garnered over 15 million views on YouTube and probably even more when it was broadcast during a recent NFL television block. The cryptocurrency company reportedly spent over $100 million on the high-profile campaign push, which is set to air in 20 countries.

The commercial finds Damon, also a Crypto.com investor (a troublesome conflict of interest, but that is another story), walking through a long hallway while delivering an "empowering" speech as he passes by epic moments in history, such as what appears to be a mountain climber summiting Mount Everest, and the Wright brothers taking to the skies, before stopping by a red planet, likely Mars. Finally, Damon delivers the catchphrase -- fortune favors the brave -- before the logo for Crypto.com appears on screen.

Say it Ain’t So Matt

Meanwhile, at Crypto.com the situation seems far less historic and more akin to perilous. The popular cryptocurrency exchange flagged a security incident and paused withdrawals on January 17, 2022, amid conflicting reports about some sort of cyber-attack.

Blockchain security firm PeckShield later tweeted that Crypto.com had been robbed of about $15 million worth of Ether, which was being washed with Tornado Cash, a decentralized smart contract platform that allows users to conduct anonymous transactions on the Ethereum blockchain.

Tornado Cash, itself a smart contract token, is one of a few legal cryptocurrency mixing (or "tumbling") protocols that can be used to obfuscate transaction history. It can also wash crypto proceeds in ways that are raising alarm among investors and law enforcement. While part of the growing crypto ecosystem, mixers offer a handy way for criminals to launder funds without being explicitly classified as money laundering.

PeckShield's allegations were then reinforced by some industry analysts, including Scott Pounder, head of investigations at Crystal Blockchain, who said that blockchain data shows that a "significant sum" was taken from crypto.com.

Speaking to Bloomberg TV, Crypto.com CEO Kris Marszalek confirmed on January 19, 2022, that 400 accounts had been hacked during the security breach. Marszalek said the firm immediately paused withdrawals and then fixed the issue, bringing everything back online in "about 13 to 14 hours."

Despite tweeting to the contrary, Marszalek also hinted that money had been stolen, stating that "all of the accounts that were affected were reimbursed, so there was no loss of customer funds." Meanwhile, several crypto.com users also admitted on Twitter that funds had been stolen from their accounts.

Finally, on January 20, 2022, crypto.com issued an official statement, stating that 483 users were impacted by unauthorized cryptocurrency withdrawals on their accounts, amounting to losses of approximately $31 million in ether and bitcoin. Crypto.com also faulted some accounts for a lack of 2-factor authentication for the breach, but did not provide many other details.

Why all the mystery, confusion and uncertainty? Because Matt Damon, in his disturbingly self-interested campaign, fails to mention the most important fact about Crypto.com and other so-called digital asset exchanges – that none of them are regulated, monitored or otherwise overseen by the U.S. government.

Since Crypto.com is not a registered U.S. financial firm, when a security incident occurs, there are no teams of SEC, CFTC, Federal Reserve, Office of the Comptroller of the Currency (OCC), Financial Industry Regulatory Authority (FINRA) or other federal auditors and compliance experts on-site to investigate and surveil for fraud, manipulation and deception.

LooksRare

Make no mistake about it: the market for NFTs is hot, hot, hot.

An NFT, which stands for “non-fungible token,” consists of a sole digital asset somehow recorded, like a certificate of ownership, on a blockchain ledger to prove title and authenticity of anything unique, such as tweets, artwork, images, videos, in-game items and even title to real property. Celebrities from Paris Hilton to Jimmy Fallon; athletes from Tom Brady to John Cena; musicians from Snoop Dogg to Kings of Leon; and even politicians from Melania Trump to Anthony Weiner, are all cashing in on the NFT craze.

But there is one problem that these celebpreneurs forget to mention. The estimated $22 billion wholly unregulated NFT marketplace creates extraordinary opportunities for theft, fraud, trickery and market manipulation.

Actually, in the NFT marketplace, market manipulation appears not only rampant and tolerated, but also encouraged. And NFT market fraud appears not only accepted and rewarded, but also taught.

Consider the recent alarming news about LooksRare, the NFT marketplace that has quickly emerged to become perhaps the second largest NFT marketplace.

NFT analytics firm CryptoSlam reported that it had identified more than $8.3 billion worth of wash trading (the practice of simultaneously buying and selling an issuer's stock at the same price) from LooksRare, making up the vast majority of trading volume on the marketplace to date.

Though LooksRare’s staggering initial trading numbers appeared suspicious, the platform has reportedly failed to institute measures to disincentivize users from buying and selling their own NFTs at exaggerated prices. LooksRare even went so far as to retweet a thread from an investor that labeled such manipulative tactics as “genius.”

LooksRare is not the only NFT trading platform with tales of fraud and underhandedness. Similar allegations of washed trades and market manipulation have also arisen concerning the National Basketball Association (NBA) NFT marketplace, which has become a mainstay for NBA fans.

Along the same lines, recent cases of insider trading and front running, shill bot-bidding, and other more elaborate forgery and rugpull scams have surfaced at OpenSea, the leading NFT marketplace, which was recently valued at $1.5 billion. In fact, there’s an entire Twitter account dedicated to documenting NFT thefts.

But the smoke and mirrors uncovered to date concerning NFT marketplaces is probably just the tip of the iceberg. Orchestrating a market manipulation scheme on an NFT trading platform is actually easy to execute (read how to conduct your own scheme right here), especially given that there is no government surveillance of trading; no mandated compliance procedures and no designated U.S. agency to police misconduct.

Qubit

Just like NFT trading platforms, cryptocurrency trading platforms similarly lack critical investor protections. Take, for example, the recent apparent $80 million cyber-attack on Qubit Finance’s DeFi platform.

The DeFi platform said their protocol was exploited by a hacker who eventually stole 206,809 Binance coins from Qubit's QBridge protocol, worth more than $80 million according to PeckShield. An hour after the first message, the company explained that they were tracking the exploiter and monitoring the stolen cryptocurrency. But Qubit apparently was unsuccessful in their investigation and recently took to Twitter to beg hackers to return the more than $80 million in stolen cryptocurrency.

Qubit desperately sent multiple messages on Twitter to the hacker offering a bug bounty of $250,000 and begging for a return of the stolen funds. Pleaded the Qubit finance team: "We propose you negotiate directly with us before taking any further action. The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty offer is not what you are looking for, we are open to have a conversation. Let's figure out a situation."

This kind of hack is not a surprise, it is an inevitability. This kind of investor loss is not a shock, it is a sad reality.

In truth, cryptocurrency, NFT and other digital asset platforms that are hacked have no other recourse but to beg for mercy. But why should they even care? Their profits remain intact and the missing cryptocurrency or other digital asset did not belong to them in the first place.

While the U.S. regulatory framework can certainly be unreasonable at times, in the end, you can bet that if $80 million is stolen from a U.S. financial firm, a legion of U.S. auditors, examiners and prosecutors would investigate immediately, and arrive on-site to review the titanic volume of records that the regulated entity must maintain to protect investors.

The Lack of Web3 U.S. Regulatory Oversight

The significance of a lack of U.S. federal registration and oversight of digital asset trading platforms (cryptocurrency, NFT or otherwise) cannot be overstated. These DeFi trading platforms, which have quickly infused themselves into the U.S. financial landscape, are not subject to the vigorous U.S. federal safeguards historically rooted in the DNA of U.S. financial institution registration and regulation.

These sacrosanct standards and practices are not only the hallmark of U.S. financial institutions such as banks, investment companies, exchanges, brokerages and other financial firms but have also rendered U.S. capital markets the most transparent, efficient, reliable, safe, trustworthy -- and most sought after in the world.

Vigorous U.S. financial regulation is also why when investors contact their broker to trade shares of Tesla, Apple or any other security, they are confident that the transaction will be executed as planned – and if not, the entity not only risks loss of licensure, fines and disgorgement but also prison for individuals involved.

Hence, it comes as no surprise that the U.S. Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN) have all sounded the alarm about digital trading platforms and the threat they pose to retail investors, because these platforms currently operate unfettered, unmonitored and essentially free from regulatory oversight. As a result, the potential for market manipulation and volatile swings or flash crashes could devastate investors.

Moreover, given the international, virtual and shadowy nature of digital trading platforms, the risks of trading become further amplified, while the U.S. government’s ability to pursue off-shore digital fraudsters and recover funds remains severely limited.

Indeed, U.S. Internal Revenue Service (IRS) criminal investigators see cryptocurrencies and non-fungible tokens as ripe for fraud, including money laundering, market manipulation and tax evasion. Along these lines, IRS investigators seized $3.5 billion worth of cryptocurrencies tied to financial crimes during fiscal year 2021, a figure that accounted for 93% of all the assets seized by the division in that time frame.

U.S. Financial Regulatory Protections

U.S. registration of financial firms: (1) mandates that investor funds and securities be handled appropriately; (2) ensures that investors understand the risks involved in purchasing the often illiquid and speculative securities that are traded on a cryptocurrency platform; (3) makes buyers aware of the last prices on securities traded over a cryptocurrency platform; and (4) provides adequate disclosures regarding their trading policies, practices and procedures. Overall, entities providing financial services must carefully handle access to, and control of, investor funds, and provide all users with adequate protection and fortification.

But in stark contrast, for digital asset platforms like NFT trading facilities and so-called cryptocurrency exchanges, there exist:

  • No record-keeping and archiving requirements with respect to operations, communications, trading or any other aspect of business;
  • No requirements regarding the pricing or order flow of transactions or the use of internal platforms and payment systems by employees;
  • No reason to abide by U.S. statutes and rules prohibiting manipulation, insider trading, trading ahead of customers and other fraudulent behavior by customers or employees;
  • No mandated cybersecurity requirements or standards to combat online attackers and protect customer privacy;
  • No requirement to establish mandated training or code of conduct requirements;
  • No obligation to have in place internal compliance, customer service and whistleblower teams to address and archive customer complaints;
  • No requirement to reverse charges if any dispute or problem arises;
  • No mandated robust and documented processes for the redress and management of customer complaints (N.B. even if there were a formal complaint filing structure in a digital asset trading platform, the pseudo-anonymous nature of virtual currencies, the ease of cross-border and interstate transport, and the lack of a formal banking edifice create enormous challenges for law enforcement to investigate and apprehend any individuals who use cryptocurrencies for illegal activities);
  • No obligation to follow publicly disseminated national best bid and offer and other related best execution requirements;
  • No minimum financial standards for operation, liquidity, and net capital;
  • No U.S. governmental team of objective auditors and examiners to inspect and scrutinize the fairness, execution and transparency of transactions;
  • No requirement to ensure consistency of trading operations, i.e. that the trading protocols used, which determine how orders interact and execute, and access to a platform's trading services, are the same for all users; and
  • No obligation to design ethics and compliance codes for Wall Street entities (regardless of registration status) which would ban their employees from investing in cryptocurrency or NFT investments based on the same arguments as the ban on initial public offerings and options, i.e. that they are too risky and may tempt an employee to steal if not prohibited.

SEC v. Kin H. Lee

Consider the case of SEC v. Kin H. Lee to illustrate how meaningful regulation and enforcement can prevent fraud and thievery in a U.S. registered financial marketplace.

About 20 years ago, FINRA alerted an investigative team in the SEC’s Office of Internet Enforcement regarding some suspicious trading on NASDAQ. A trader by the name of Kin H. Lee was allegedly using multiple nominee accounts for washed sales to create the impression of an active market in 6 securities, typically engaging in a series of large volume wash sales at gradually increasing prices, thereby creating the illusion that the stock price was rising due to genuine market demand.

Lee had also allegedly placed numerous unmatched buy and sell limit orders at prices substantially higher and lower than the prices at which his wash sales were executed. These "phantom" orders had little or no chance of ever being executed but were visible to the public as evidence of an active market.

After artificially inflating the price/volume of the targeted securities, Lee allegedly sold his position, which he had previously acquired at a lower price. Lee conducted his scheme anonymously from his home computer using online brokerage accounts to route his orders via an electronic communications network.

The SEC Office of Internet Enforcement caught Lee because the surveilled entities involved were SEC registered entities that had to maintain and report Lee’s underlying trading data to FINRA and the SEC. The SEC had jurisdiction because he was manipulating securities. The SEC acted not only to protect the investors who fell victim to Lee’s scheme but also to safeguard the integrity of all financial markets.

Without admitting or denying the allegations made by the SEC, Lee consented to the entry of an order enjoining him from violating Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The order required Lee to pay $100,892 in disgorgement and pre-judgment interest, pay a civil penalty of $60,000, and prohibited Lee from engaging in pattern day trading.

Lee, the SEC and the NFT Marketplace

Unfortunately for NFT marketplaces like LooksRare, where similar market manipulations like Lee’s can apparently flourish, there is no SEC cop on the beat.

NFT market players can recruit co-conspirators to manipulate the price of NFTs, buying NFTs at a low price, pumping up prices by generating their own artificial demand for the NFT and dumping the NFT along the way.

The wildly ranging NFT pricing volatilities provide an ideal playground for orchestrating:

  • Matched Order schemes (entering NFT trades with the knowledge that a matching order on the opposite side has been or will be entered);
  • Washed Trading schemes (simultaneous or near-simultaneous selling and repurchasing of the same NFT for the purpose of generating activity and increasing the price);
  • Painting the Tape schemes (placing successive orders in small amounts at increasing or decreasing prices to create an artificial demand scenario); or
  • Spoofing schemes (placing successive ask offers in small amounts at increasing prices, creating the illusion of anticipated demand).
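The kind of surveillance check that caught Lee, applied to the NFT patterns listed above, as an added example that is not part of the original article and is not code from LooksRare or any regulator: two heuristics run over a platform's sale records, one flagging wash trades (self-trades and quick round trips) and the volume share they represent, the other flagging painting-the-tape runs. Every wallet, token id and price is constructed sample data, and the thresholds (max_gap, min_run, max_wallets) are illustrative assumptions.

```python
"""Surveillance heuristics for two of the patterns listed above (wash trading and
painting the tape), as a compliance team would run them over a platform's sale
records. Added example for this article, not code from any marketplace or
regulator; all wallets, token ids and prices are constructed, thresholds assumed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sale:
    block: int     # ordering proxy: block number of the sale
    token: str     # "collection:token_id"
    seller: str
    buyer: str
    price: float   # nominal sale price in ETH (constructed)

def _history_by_token(sales):
    by_token = defaultdict(list)
    for s in sorted(sales, key=lambda s: s.block):
        by_token[s.token].append(s)
    return by_token

def flag_wash_trades(sales, max_gap=50):
    """Sales that look washed: a self-trade (same wallet on both sides) or a round
    trip where a token sold A->B comes straight back B->A within max_gap blocks."""
    flagged = set()
    for hist in _history_by_token(sales).values():
        for i, a in enumerate(hist):
            if a.seller == a.buyer:
                flagged.add(a)
                continue
            for b in hist[i + 1:]:
                if b.block - a.block > max_gap:
                    break
                if b.seller == a.buyer and b.buyer == a.seller:
                    flagged.update((a, b))  # both legs count as wash volume
                    break
    return flagged

def wash_volume_share(sales, max_gap=50):
    """Fraction of nominal volume sitting in flagged wash trades."""
    total = sum(s.price for s in sales)
    washed = sum(s.price for s in flag_wash_trades(sales, max_gap))
    return washed / total if total else 0.0

def tape_painting_runs(sales, min_run=4, max_wallets=3):
    """Runs of >= min_run consecutive sales of one token at strictly rising prices
    among <= max_wallets wallets: a small group passing a token around."""
    runs = []
    for token, hist in _history_by_token(sales).items():
        start = 0
        for i in range(1, len(hist) + 1):
            if i == len(hist) or hist[i].price <= hist[i - 1].price:
                run = hist[start:i]
                wallets = {s.seller for s in run} | {s.buyer for s in run}
                if len(run) >= min_run and len(wallets) <= max_wallets:
                    runs.append((token, run[0].block, run[-1].block, len(run)))
                start = i
    return runs

# Constructed ledger: an organic sale, a self-trade, a round trip, and a
# three-wallet group painting the tape on "apes:7".
SAMPLE = [
    Sale(100, "apes:1", "0xAAA", "0xBBB", 1.0),
    Sale(110, "apes:2", "0xCCC", "0xCCC", 5.0),
    Sale(120, "apes:3", "0xDDD", "0xEEE", 4.0),
    Sale(130, "apes:3", "0xEEE", "0xDDD", 4.0),
    Sale(200, "apes:7", "0xF01", "0xF02", 1.0),
    Sale(205, "apes:7", "0xF02", "0xF03", 1.5),
    Sale(210, "apes:7", "0xF03", "0xF01", 2.2),
    Sale(215, "apes:7", "0xF01", "0xF02", 3.0),
]
```

On the sample ledger the wash share comes out near 60%, which is the style of figure CryptoSlam reported for LooksRare; on a real platform the same logic would run over the records a registered exchange is obliged to keep.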

Looking Ahead

The intensifying investment fervor over NFTs runs parallel to that of other flourishing markets like NBA and Pokemon trading cards, which have experienced an extraordinary resurgence since the pandemic. NFT mania is also akin to the staggeringly high-flying emerging markets for digital chattel, like bitcoin, ether and the now infamous dogecoin. Never before has investing become so unrestricted and egalitarian. Anyone with an Internet connection can happily join the fray.

But while exciting, refreshingly nostalgic and perhaps even a lot of fun, the gamification of digital asset investing also poses a serious threat, in particular for main street investors. Sinking hard-earned cash into nascent, wildly fluctuating and wholly unregulated cryptocurrency and NFT markets is rife with risk.

For instance, NBA Top Shots itself acknowledges that the emperor has no clothes in its Service Terms of Use, requiring its users to acknowledge that NFTs “have no intrinsic value,” and not to “make any claim that alleges, in whole or in part, that any NFT has anything more than nominal value.”

Some argue that NFTs exist so that the crypto-fanatics can pitch the latest miraculous “get rich quick” elixir to earn real dollars from techno-neophyte investors whose idea of due diligence is a 5-minute Google search. Once the digital grifters collect the cash, there no longer exists any reason for the NFT to carry on -- except perhaps to evaporate into the ether that created it.

The cadre of starving artists who helped pump the cryptocurrency and who shelled out real U.S. dollars to pay for the minting of the NFTs “may get a few crumbs” from the undertaking, but in the end, experts point out that the promoters, the trading platform owners and the other NFT profiteers are the ones who will typically commandeer the real profits.

Others have declared that doing business on digital asset trading platforms, whether trading crypto, NFTs or otherwise, is like bartering and haggling in the Wild West. I disagree.

To me, given the startling lack of U.S. regulatory oversight, the best way to describe the entire Web3 marketplace is anarchy. Even worse, it’s thieves robbing thieves amid an unsurveilled, dog-eat-dog counterfeit financial free-for-all – rife with an almost post-apocalyptic Walking Dead-like lawlessness and disorder (except of course, without the zombies).

*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke University Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook."