North Korea Using Bitcoin

Interesting article about stepped-up use of Bitcoin and other cryptocurrencies (or perhaps more accurately, stepped-up theft of Bitcoin and other cryptocurrencies) by North Korea:

Hackers from Kim Jong Un’s regime are increasing their attacks on cryptocurrency exchanges in South Korea and related sites, according to a new report from security researcher FireEye Inc. They also breached an English-language bitcoin news website and collected bitcoin ransom payments from global victims of the malware WannaCry, according to the researcher.

The MSN article is based on a FireEye report, which likewise makes for fascinating reading, particularly their recent events timeline:

2017 North Korean Activity Against South Korean Cryptocurrency Targets

  • April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different than those we have observed in following intrusion attempts and as of yet there are no clear indications of North Korean involvement).
  • April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
  • Early May – Spearphishing against South Korean Exchange #1 begins.
  • Late May – South Korean Exchange #2 compromised via spearphish.
  • Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
  • Early July – South Korean Exchange #3 targeted via spear phishing to personal account.

SEC Enforcement Emphasizes Focus on ICOs

Stephanie Avakian and Steven Peikin, the co-Directors of the SEC’s enforcement division, emphasized the Commission’s focus on ICOs during a recent panel:

Other areas of focus include ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs),” Avakian said.

. . . .

The SEC said in July that tokens issued through ICOs, which have allowed startups to raise $1 billion so far this year, can be considered securities, meaning they would fall under laws that require disclosures and are subject to regulatory scrutiny to protect investors, unless a “valid exemption” applies.

The SEC has a number of active investigations into companies that have claimed to be in the blockchain and digital currency space but which are really just trying to steal people’s money, Peikin said.

“As with any kind of newsworthy event, roaches kind of crawl out of the woodwork and try to scam money off of investors,” he said of the rapidly growing popularity of ICOs.

The SEC has a distributed ledger technology working group made up of about 90 people across the commission to help keep abreast of emerging developments and technologies, Peikin said.


SEC Commentary

There is an interesting discussion over at Coindesk regarding the shorthand being used to mean “not a security”:

Recently, terms like “app coin,” “app token,” “utility token” and “utility coin” have seemed to proliferate. But, what they all have in common is this: people use them interchangeably to mean “a token that is not a security.”


I have seen these different terms myself. And I agree with venture capitalist Greg Murphy, who suggests that shifting and uncertain regulation is hurting the industry:


“Everybody is struggling with the definition. And there really isn’t a good one,” he said.

Murphy went on to add that there is no direct jurisprudence on the matter and, hence, you’re at the mercy of your legal counsel’s view at the time you create the token – and that can alter as the regulations change.

Because of the shifting sands, Murphy said, “You have to ask yourself: Do you really want to take on potential liability if there is the chance of it being deemed a security in the future?”



An interesting interview with SEC Enforcement Division Attorney Nick Morgan. Some excerpts:

In Morgan’s view, the key part of the Howey Test in terms of ICOs is whether the expectation of profit relied on the effort of others.

“What [the SEC are] trying to do is decide whether the investors are really passive investors or whether they’re actively involved in creating value,” said Morgan.

As a defense attorney, Morgan noted that this is the area where he would focus most of his energy in these kinds of cases because this is the “closest call” in how the Howey Test is usually applied to ICOs, especially in the case of The DAO, which the SEC released a report on in late July.

This is interesting, and echoes some of my comments following the DAO guidance. ICOs are structured in diverse ways. Some may not fit the Howey test even where they are designed to return profits to those holding the token.

As for the ICOs the government will target, Morgan initially gave a specific answer, but then broadened it to “basically anyone they feel like,” which is consistent with pretty much every other government agency:

From Morgan’s perspective, two key factors the SEC would consider before bringing a case are how strong the violation was and how many victims were involved.

“The cases — the types of fact situations — that will get the most attention are ones where disgruntled investors are coming in very upset at: ‘I was told this. I was told X and what happened was not X,’” explained Morgan. “Those are the kind of fact scenarios that are going to get a staff attorney incentivized to go — and the institutions of the SEC as a whole — incentivized to go after something.”

In addition to complaints from disgruntled investors, Morgan pointed out that the SEC’s whistleblower program could be another source of an investigation. Through this program, whistleblowers are awarded a percentage of monetary remedies that are imposed and collected by the SEC if and when enforcement action takes place.

. . . .

Having said that, Morgan also admitted that the SEC may decide to go after those who aren’t doing anything fraudulent as a way to send a message to those who are not following securities regulations.

Finally, Morgan reiterated a conclusion most commenters reached following the DAO decision. Exchanges are also on notice:

“I would not be surprised to see a case against a platform or an exchange,” said Morgan. “The exchanges are a nexus. You can effectively speak about a number of different ICOs at one time by going after an exchange, so it’s a sort of easier target, if you will, to go after an exchange than it is to go after the 12 ICOs that are being exchanged on that platform.”

Protostarr ICO Shuts Down Due to SEC Call

If anyone had any doubt that the SEC is watching the ICO space very closely:

In what may be the first token to cease operations due to communication from the Securities and Exchange Commission, on Tuesday, decentralized application Protostarr closed up shop.

The token, which was billed as a way for rising internet celebrities on YouTube, Twitch and other video and live streaming platforms to get funded by their fans, had its initial coin offering in August, raising 119.5 ether, which is about $47,000 as of press time.

“After consultation with multiple lawyers, we have decided to cease further operations and refund Ethereum collected in our crowdsale that began on August 13, 2017,” it stated in a press release.


And something that should give particular pause is that this does not appear to be a slam-dunk case that the token was a security:

The Protostarr white paper explained the concept behind its dapp this way: “Protostarr is a new evolution for the world of digital media investing; changing the model from donation to investment. Using Protostarr smart contracts to invest in an up-and-coming content creator will give a new generation of unsponsored artists the ability to fund their operations while providing fans the content they are looking for and the opportunity to profit based on their success.”

. . .

After the call, Gilson called SEC specialist lawyers in the Washington, D.C. area, which is where he is based, including one who used to be an SEC investigator, but no one knew if their token would be considered a security. The SEC small business office also couldn’t give Protostarr a definitive answer, but advised the team to go the most conservative route and refund their investors.


SEC Guidance on ICOs

Everyone following blockchain legal issues knows by now that the SEC issued cryptocurrency guidance last month while reviewing the DAO, the contract that famously led to Ethereum’s split into ETH and ETC.

Overall Takeaways

  • The SEC is paying close attention to cryptocurrencies. And it has put some very smart people on it. The SEC’s report discusses the DAO in substantial detail, cites names and sources that anyone in the crypto community will recognize, and demonstrates a sophisticated understanding of the issues.
  • As expected, the SEC cited the Supreme Court’s decision in SEC v. W.J. Howey Co., 328 U.S. 293, 301 (1946), to provide the framework for determining whether specific cryptocurrencies should be considered securities. I have already discussed this in a prior post. The Howey test is nuanced, but can be summed up in a single sentence: “The test is whether the scheme involves an investment of money in a common enterprise with profits to come solely from the efforts of others.” 328 U.S. at 301.
    • While the SEC cites case law to support its conclusion that cryptocurrency (like the Ether invested in the DAO) is “money,” that case law is not entirely settled. Indeed, I think it is an open question, though I would not advise clients to risk running afoul of the securities laws based on this prong.
    • The SEC seems on more stable ground with their conclusion that the DAO is a common venture with a reasonable expectation of profits. I don’t think anyone seriously disputes that the DAO is a common venture. I would like to look more at the “reasonable expectation of profits” caselaw. But the DAO does seem to have advertised participation in future profits.
    • The “efforts of others” analysis is interesting and complex. But the SEC seems to premise their conclusion substantially on the DAO’s unique facts, where personnel were essentially running the organization, its “Distributed Autonomous” nature notwithstanding. If the SEC is confronted with a truly “Distributed Autonomous” organization, will it reach the same conclusion? Probably. One cannot dispute that the efforts involved will continue to be “of others.”
  • But it does seem that the unique DAO facts may affect another necessary question: Was an investment contract being offered? Illicit behavior requires a contract to invest in securities that does not comply with SEC regulations. Part of the SEC’s analysis that the DAO constituted an investment contract as opposed to a partnership – though by no means the whole analysis – rested on the substantial control held by and the Ethereum Foundation. If a new DAO were genuinely autonomous, would the offering constitute an investment contract?
  • The SEC is being restrained for now. They could have brought down the hammer, but they chose to essentially say “What the DAO did was wrong, so don’t do it again.” They are warning future ICOs not to do the same.

Where Do We Go From Here?

  • While the SEC has been relatively restrained in enforcement, their underlying jurisdictional analysis remains the same. That means broad authority to regulate cryptocurrencies and ICOs. We can debate whether that is good or bad for investors. But it seems indisputable that with the SEC, FinCEN, the CFPB, various U.S. Attorney’s offices, and various state Attorneys General all trying to regulate cryptocurrency, business will continue fleeing to jurisdictions like Singapore and Switzerland.
  • The SEC emphasized that the securities laws apply to DAOs. But, as I mention above, it remains to be seen what the SEC will do if and when a truly autonomous, code-based DAO starts operating. If a new DAO were genuinely autonomous, would the offering constitute an investment contract? Perhaps more important, who would the SEC bring an enforcement action against? The DAO code writer, the proposal submitter, every DAO voter?

ICO Report

Autonomous NEXT recently issued a comprehensive report on ICOs. I highly recommend it for a general overview of important issues. Among other topics, it includes a discussion of cryptocurrency market value, major investors, important companies, and the regulatory framework in Switzerland, Singapore, China, Russia, the United Kingdom, and the United States.