Arrow Icon

2023 Crypto Enforcement Trends: 
SEC & CFTC Set Records as States Take the Lead

Solidus Labs Research
SEC, CFTC, OFAC and 24 U.S. states announced more crypto-related enforcement actions in 2022 than in any year prior.

Key Findings

2022 was a rocky year for cryptocurrency. Prices crashed, Terra collapsed, FTX went bankrupt, and – Solidus research now shows – regulators engaged in more enforcement than in any other year in the industry’s history. 

In 2022, the four main federal regulators with authority over cryptocurrency – the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Financial Crimes Enforcement Network (FinCEN), and the Office of Foreign Assets Control (OFAC) – announced a combined 58 crypto-related enforcement actions, a 65% jump over 2021. 

Interact with any bar in the stacked chart to view the number of actions announced by that agency in the selected year.

The SEC announced 30 crypto-related enforcement actions in 2022, more than any other regulator we identified worldwide. CFTC crypto enforcement, meanwhile, grew the most from year-to-year, with the number of actions they announced up 73% from 11 to 19. FinCEN’s activity grew the least, matching its previous one-year high.

From 2013 to 2022, the four federal agencies have imposed a combined $3.6 billion in fines against crypto market participants. The majority of these penalties – $3.4 billion – have been issued by the SEC and CFTC.

Many US states also set records last year. Regulators in 24 US states and the District of Columbia announced more crypto-related enforcement actions in 2022 than in any other year. 16 of these states also announced their first crypto-related enforcement action last year, thanks in part to the three multi-state actions coordinated by the North American Securities Administrators Association (NASAA) against BlockFi, Nexo, and Voyager; 38 states joined one or more of these three. In each case, state regulators asserted that the company’s interest-bearing crypto products constituted unregistered securities offerings. 

In the following sections, we analyze the enforcement activities of the most prolific state and federal crypto regulators, gleaning insight into:

  • How their enforcement pace changed in 2022 compared to 2021
  • The types of organizations and violations they prioritized
  • What court cases and rule changes may expand or reduce their authority in 2023

SEC crypto enforcement

The SEC announced 30 crypto-related enforcement actions, imposed $242 million in monetary penalties, and filed civil cases in parallel with nine arrests in 2022. This is a 36% increase over the 22 actions they announced in 2021, only four of which were tied to an arrest.

More than half of the firms that the SEC enforced against were either token issuers or crypto exchanges – an inevitable consequence of the SEC’s insistence that [nearly all] cryptocurrencies are securities.

Three key cases are helping to determine whether the agency's thesis will be validated by the US court system: 

  • SEC v. LBRY
  • SEC v. Ripple
  • SEC v. Wahi et al

One of these cases – SEC v. LBRY – already resulted in a summary judgment in favor of the SEC, with a New Hampshire district court judge ruling that the sale of LBRY’s “Library Credit” (LBC) token was an unregistered securities offering. This ruling threw the question of whether utility tokens can be securities into stark relief.

The other two cases are still ongoing. Below, we outline the questions at issue in each.

SEC v. Ripple

In December 2020, the SEC filed a suit against Ripple and its current and former CEOs, claiming that the company’s sale of XRP represented an investment contract and therefore a type of securities offering. 

Ripple’s Defense

  • XRP does not meet the four prongs of the Howey test for determining whether an offering qualifies as an investment contract.
  • The SEC does not have jurisdiction, because “virtually all” XRP was sold on foreign exchanges.
  • William Hinman, at the time a SEC executive, stated in a 2018 speech that the cryptocurrency Ether (ETH) was not a security because, like Bitcoin, it was “sufficiently decentralized.” Ripple argues that market participants saw this speech as a public notice that digital coins could avoid classification as a security.

See Ripple’s motion for summary judgment.

SEC’s argument

  • Ripple’s XRP token offering does in fact meet the four prongs of the Howey test, as the purchase of XRP represents: 
  1. an investment of money
  2. in a common enterprise
  3. with an expectation of profit
  4. to be derived from the efforts of others
  • Ripple targeted US-based crypto platforms to list XRP. The firm offered two US-based crypto trading platforms $1 million and $5 million, respectively, to list XRP, and “engaged in an online campaign to petition [Coinbase] to list XRP.”
  • As early as 2012, Ripple was warned that XRP offers and sales could be investment contracts under Howey. “Do not sell [the tokens],” one law firm, Perkins Coie, recommended.

See SEC’s motion for summary judgment.

What’s next in SEC v. Ripple

The judge can now grant either side a win without a trial, or decide to narrow the issues that go before a jury. In the event that the court issues a broad ruling in the SEC’s favor, this would be a major legal win for the agency, and bolster its case that many of the cryptocurrencies in circulation today are unregistered securities.

SEC v. Wahi

In July 2022, the SEC brought its first-ever crypto insider trading charges against three individuals: former Coinbase employee Ishan Wahi, his brother Nikhil and their friend Sameer Ramani. In the complaint, the SEC claimed that nine of the cryptocurrencies they illegally traded were securities. Per the law firm Skadden’s analysis of the case (bold emphasis ours):

Although unclear, it is possible the SEC may have selected these nine as a
representative sample of the types of tokens that could be securities:
  • AMP, a staking token used to guarantee retail payments on the Flexa network.
  • RLY, the governance token for the Rally social token platform.
  • DDX, a token that provides governance rights, discounts and staking opportunities on the DerivaDEX derivatives exchange.
  • XYO, a token used to query geographic data, and reward those who respond.
  • RGT, a token that confers certain governance rights and discounts on Rari, a “yield-maximizing robo advisor.”
  • LCX, a utility token for a Lichtenstein-based cryptoasset exchange and trading terminal.
  • POWR, a utility for Powerledger, a peer-to-peer energy trading platform.
  • DFX, the token used to reward participants for participating in liquidity pools for DFX’s currency exchange platform.
  • KROM, a token used as the service fee for a platform that allows crypto asset traders to place range orders.

Indeed, four of the most common types of crypto tokens being minted today – governance, exchange, utility, and staking tokens – are represented as securities in the SEC’s complaint.

What’s next in SEC v. Wahi

SEC v. Wahi et al will likely take substantial time to resolve. And when it does, attorneys at ArentFox Schiff anticipate that the ruling on whether issuances of and investments in cryptocurrencies are subject to federal securities laws “is likely to pertain only to the nine subject digital assets and would not apply to other digital assets.” In the meantime, “it is incumbent for any potential investor in, issuer of, or party transacting in cryptocurrency to be aware of the risk of enforcement from various government entities.”

CFTC crypto enforcement

From calendar year 2015 to 2022, the CFTC initiated at least 49 crypto-related enforcement actions and levied fines and disgorgements totaling nearly $900 million.

Interestingly, since fiscal year (FY) 2020, the share of all CFTC enforcement  that has been crypto-related has skyrocketed from 6 to 22 percent. Just seven of the agency’s 113 total enforcement actions were crypto-related in FY 2020; in 2022, 18 of their 82 actions were. By comparison, the SEC’s crypto-related enforcement actually fell as a share of its total activity from FY 2020 to FY 2022.

Returning to the calendar year view, the CFTC announced 19 crypto-related enforcement actions and brought civil suits alongside four arrests in 2022. This is up 73% from the 11 actions it announced in parallel with just one arrest in 2021, and suggests that now more than ever, the agency sees itself as having a major role to play in ensuring crypto markets’ integrity. 

CFTC v. Avraham Eisenberg: A foot in DeFi’s door

CFTC’s most recent actions also indicate the agency has begun paying more attention to DeFi as its market share has grown. In January 2023, for example, the CFTC filed a market manipulation complaint against Mango Markets’ exploiter Avraham Eisenberg – its first-ever decentralized exchange-related charge. The SEC later piggybacked on this action with its own order, adding that the “so-called governance token” whose price Eisenberg manipulated “was offered and sold as a security.”

CFTC v. Ooki DAO: The first action against a DAO

In September 2022, the CFTC announced the first civil action ever brought by a federal regulator against a decentralized autonomous organization (DAO) and its members. 

A quick refresher on DAOs

A DAO is an organization that is governed by the holders of its “governance token.” These holders typically manage a software project, like a DeFi protocol, online club, or metaverse platform, and their governance tokens:

  • Correspond to a set amount of voting power within the organization
  • Can be acquired via purchase or airdrop
  • Are tradable on secondary markets

The CFTC’s complaint – filed against the DAO of the DeFi protocol Ooki, which allowed US retail investors to engage in leveraged crypto trading – asserted that each Ooki DAO governance token holder who voted on one or more governance measures was participating in an “Unincorporated Association,” and was therefore subject to liability for the protocol’s violations of CFTC regulations and the Commodities Exchange Act. Because the DAO lacked a physical presence, the CFTC served notice to these DAO members by submitting documents on the Ooki DAO forum and in the chat box of the Ooki DAO’s website. 

Read law firm Willkie Farr & Gallagher LLP’s analysis for a full breakdown of the enforcement action, commissioner Summer K. Mersinger’s dissenting statement, and the lawsuit’s potential impact. (Disclosure: former CFTC Chair Christopher Giancarlo, one of the authors of this analysis, is an advisor for Solidus Labs.)

FinCEN crypto enforcement

From 2015 to 2022, FinCEN announced just five actions in total, the most recent of which was a $29 million civil penalty. All five charges have been the result of violations of the Bank Secrecy Act (BSA), a federal law requiring money services businesses like crypto exchanges to implement and maintain effective anti-money laundering (AML) programs.

Two legislative tailwinds are likely to accelerate FinCEN’s enforcement pace in 2023:

  1. Amendments to section 9714(a) of the Combating Russian Money Laundering Act

The Combating Russian Money Laundering Act, as recently amended, allows FinCEN to prohibit U.S. financial institutions from engaging in funds transmission to or from any company found to be a “primary money laundering concern” in connection with Russian illicit finance. Violators of this prohibition face civil and criminal penalties equal to two times the value of whatever transactions they facilitate.

FinCEN leveraged this law for the first time in an order against Bitzlato on January 18th, 2023, and similar orders may be forthcoming.

  1. The strengthening of the Treasury Department’s anti-money laundering whistleblower program

The updated AML whistleblower program, which President Biden signed into law in late December, 2022 comes with three major improvements:

  • The establishment of a minimum potential award of 10% of monetary penalties in any enforcement action
  • The acceptance of tips related to sanctions-evasion violations
  • Protection against employer retaliation

These improvements bring FinCEN’s program “directly in line with the [Securities and Exchange Commission’s] whistleblower award program,” said Jane Norberg, a former head of the SEC program, in a recent WSJ newsletter on the subject. “Now with these additional strengthenings, it’s time for banks and others subject to this legislation to sit up and pay attention.”

OFAC crypto enforcement

OFAC announced eight crypto-related enforcement actions in 2022, up 60% from the five it announced in 2021. It also initiated sanctions against three new categories of crypto services last year – darknet markets, bitcoin miners and crypto mixers.

While OFAC’s earliest crypto enforcement efforts consisted largely of sanctions against individual addresses, the agency started targeting larger entities like exchanges in 2020, and also began to impose fines. But in 2022, the biggest and most controversial story was that of OFAC’s Tornado Cash designation.

OFAC’s Tornado Cash designation: The action and its impact

In August 2022, OFAC sanctioned the Ethereum mixer Tornado Cash for facilitating the laundering of over $455 million worth of crypto stolen by the Lazarus Group, a previously-sanctioned, state-sponsored North Korean hacking organization.

Tornado cash was the most popular mixer on Ethereum at the time, having received over $7.6 billion worth of deposits since August 2019, so the sanctions were met with strong pushback. Two lawsuits were promptly filed against OFAC – one led by Coin Center and another bankrolled by Coinbase.

Open-source analysis indicates that since OFAC's announcement, weekly Tornado Cash withdrawals have fallen by more than 80%. Many staking pools have also begun to comply with the sanctions by excluding Tornado Cash deposit & withdrawal transactions from new Ethereum blocks. As of January 22nd, 2023, 71% of new blocks on Ethereum are OFAC-compliant.

Other notable OFAC crypto enforcement actions

Organization
Date
Type of entity
Type of Action
Fines
Reason
11/2022
Exchange
Settlement
$362,158
Facilitating Iranian sanctions evasion
5/2022
Mixer
Sanctions
N/A
Facilitating illicit transactions
4/2022
Bitcoin miner
Sanctions
N/A
Facilitating Russian sanctions evasion
4/2022
Exchange
Sanctions
N/A
Facilitating ransomware payments
11/2022
Exchange
Sanctions
N/A
Facilitating Russian illicit finance
11/2022
Exchange
Sanctions
N/A
Facilitating ransomware payments
9/2021
Exchange
Sanctions
N/A
Facilitating ransomware payments
2/2021
Exchange
Settlement
$507,375
General sanctions violations
12/2020
Exchange
Settlement
$98,830
General sanctions violations

State crypto enforcement

State crypto enforcement largely began in 2018 with the kickoff of the North American Securities Administrators Association’s (NASAA’s) “Operation Cryptosweep.” According to NASAA, more than 40 jurisdictions throughout North America participated in the crackdown, initiating more than 330 inquiries and investigations and announcing at least 85 enforcement actions related to ICOs or cryptocurrency investment products. 

Since then, states have been off to the races. A September 2022 report by NASAA found that states brought 89 crypto enforcement actions in 2021, a 71% year-on-year increase over the 52 they brought in 2020. In 2022 this upward trend has continued: State regulators have announced at least 112 enforcement actions in 2022 – another 26% increase.

This puts the number of state crypto enforcement actions at about two times the number of federal enforcement actions in 2022. Evidently, state regulators are a force to be reckoned with in the crypto industry.

The most active states: Texas & Alabama

The Alabama Securities Commission (ASC) and the Texas State Securities Board (TSSB) tied for the highest number of crypto enforcement actions announced by any state regulator in 2022, filing six cases apiece. Four of these actions were the result of coordinated, multistate inquiries; the two single-state actions in each state were cease and desist orders regarding unregistered securities offerings.

Of the two regulators, the Texas State Securities Board (TSSB) stands out especially. The TSSB produced the first crypto enforcement order ever announced by a state in 2017 — the same year as the first crypto-related action from the CFTC — and has since announced 58 more, quadruple that of the next-most active state regulators, the Colorado Division of Securities and Washington State Department of Financial Institutions (DFI).

Crypto enforcement takeaways for 2023

  • The CFTC’s crypto enforcement pace accelerated by 73% year-on-year, the fastest of any federal regulator. In the absence of clarity around whether most cryptocurrencies are securities or commodities, the agency has staked out new territory in the most decentralized realms of the crypto industry, leading the charge against non-compliant DeFi and DAO activities.
  • Regulators in 24 states and the District of Columbia broke crypto enforcement records in 2022, and 16 states announced their first crypto enforcement action ever. State actions have often proven to be a bellwether of upcoming federal enforcement – last year, for example, states were the first to act against Voyager, Celsius, and Nexo.
  • The SEC announced 30 crypto-related enforcement actions in 2022, more than any other regulator we identified worldwide. The agency continues to insist that nearly all cryptocurrencies are securities, and a judge in one of three recent court cases that could validate this thesis has ruled in their favor.
  • OFAC sanctioned crypto service providers like mixers and miners for the very first time in 2022. The agency’s designation of the Ethereum mixer Tornado Cash, in particular, has obligated many previously-unregulated crypto market participants like US-based validators to adjust to stay compliant.
  • FinCEN’s upgraded whistleblower program and enhanced ability to combat Russian money laundering gave the agency renewed strength in 2022. The agency has already made its first use of the latter, sanctioning the cryptocurrency exchange Bitzlato in January 2023.
  • In 2023, crypto companies that fail to deploy effective KYC, AML, trade surveillance, and sanctions screening programs risk more regulatory enforcement and reputational damage than ever.

Methodology

Solidus gathered the information contained in this research entirely from public data sources – including the websites of SEC, CFTC, FinCEN, OFAC, and banking and securities regulators from all 50 US states and District of Columbia. Only standalone, civil enforcement actions against entities accused of violations involving crypto have been counted.

This report has been compiled for informational and educational purposes only and should not be construed as investment or legal advice. While the information provided is believed to be accurate, it may include errors or inaccuracies. Any trades, speculations, decisions, and regulatory or legal actions made on the basis of any information in this report, expressed or implied herein, are committed at your own risk, financial or otherwise. We always recommend you consult with experienced outside experts and/or consultants who can discuss your specific situation.

Solidus Sync
Stay up to date with our newsletter

Get in touch

Learn more about how Solidus enables safer crypto trading
Loader Animation