Coinbase SIM-swap Lawsuit

SAMPLE COMPLAINT AGAINST COINBASE

COMPLAINT JURY TRIAL DEMANDED

Plaintiff is a resident of the State of New York, by his attorneys, Dilendorf Law Firm PLLC, as for the Complaint against Defendant COINBASE, INC. (“Coinbase” or “Defendant”) for gross negligence, violating requirements as imposed by the New York State Department of Financial Services (“DFS”) and the United States Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), and failure to put proper measures to protect its customers from security breaches, which caused Plaintiff to sustain a loss of his life savings.   Plaintiff now seeks to recover damages and equitable relief for harm sustained as the result of Defendant’s grossly negligent misconduct.  Moreover, Defendant’s grossly negligent conduct in failing to protect users’ funds on its cryptocurrency exchange result in the facilitation of money laundering activities through offshore criminal syndicates.  This willful misconduct in flagrant disregard of DFS’ and FinCen’s regulations raises a serious question as to whether Defendant should be permitted to continue operating its cryptocurrency exchange in the State of New York.

NATURE AND SUMMARY OF THE ACTION

1. Defendant operates an online exchange for general consumers and the public to exchange, invest, and trade in digital cryptocurrencies. Defendant deceptively and intentionally promoted itself as “the most trusted cryptocurrency platform,” all the while failing to take reasonable and state-mandated steps to prevent cyberattacks.
2. Defendant’s negligence, deceptive business practices, and ongoing violations of DFS and FinCEN regulations have caused extreme hardship to Plaintiff due to a preventable cyberattack that has resulted in tremendous and irrevocable financial damage.
3. Defendant obtained a license from DFS to provide cryptocurrency services in the State of New York (“BitLicense”).
4. Defendant, as a regulated cryptocurrency exchange and licensed money services business in the State of New York, is bound to (i) maintain stringent anti-hacking programs that monitor and filter transactions for potential violations of the Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) statutes; and (ii) implement measures designed to effectively detect, prevent and respond to fraud.
5. This action arises out of Defendant’s negligence and grossly deceptive business practices, committed in its capacity as a public financial institution licensed in the State of New York, which resulted in a catastrophic financial loss to the Plaintiff. Due to Defendant’s gross negligence and the practically nonexistent cybersecurity measures on the Coinbase platform, Plaintiff lost his life savings.
6. Because none of the customary cybersecurity systems were in place to prevent such a crime, Plaintiff’s assets were stolen from his account by a hacker who used a foreign device and a foreign IP address, from a location never before used by Plaintiff. Defendant thereby authorized an unknown party to access Plaintiff’s Coinbase account and immediately transfer funds into foreign wallets that have never been associated with Plaintiff, in violation of federal and state anti-money laundering regulations.
7. Defendant failed to perform adequate anti-money laundering and “know your client” (combined as “AML/KYC”) procedures, as those procedures are commonly known under FinCen and DFS guidelines and enforcement rules. As such, Defendant failed to properly monitor Plaintiff’s account and ignored its duty to investigate suspicious activities under US and New York State anti-money laundering rules.
8. Defendant failed to use its own promoted security measures “in the interest of keeping customer’s account(’s) secure,” such as increasing the processing time of transfers to 24 hours after a password reset is completed from a foreign device.
9. Defendant also failed to remedy or restore Plaintiff’s losses, despite claiming that customers’ assets will be safeguarded with the same security, vigilance and diligence commonly afforded to members of the virtual currency industry.
10. Upon information and belief, the earliest sim card phishing attacks against Coinbase go back to 2013 and have occurred countless times since then, as the result of which, Defendant’s users lost tens of millions of dollars in lifesavings.
11. As of this date, Defendant is considered the largest cryptocurrency exchange in the world, yet Defendant lacks proper anti-fraud mechanisms to safeguard its users, including users that are residents of the State of New York.
12. At all times, judging upon the history of cyber-security attacks on Defendant’s cryptocurrency exchange that resulted in the loss of users’ funds, Defendant’s actions were knowing, willful, and grossly negligent.
13. Until Defendant can demonstrate that its cryptocurrency exchange cybersecurity measures meet the standards set forth by DFS regulations relating to the conduct of businesses involving cryptocurrencies in the State of New York, Defendant’s BitLicense should be suspended, and Defendant should be precluded from operating the platform in New York.
14. Moreover, upon information and belief, Defendant failed to report to DFS and FinCEn information about Plaintiff’s theft of funds and to provide a statement of any actions taken or proposed to be taken with respect to Plaintiff’s loss of life savings, in violation of FinCen’s and DFS’s regulations and issued guidance to all virtual currency business entities.

PARTIES

15. Plaintiff at all times hereinafter mentioned was and still remains a resident of State of New York.
16. Defendant Coinbase is a Delaware corporation with its principal place of business in San Francisco, California. Coinbase holds itself out as a digital currency wallet and secure online platform where merchants and consumers can transact with new digital currencies like Bitcoin and Ethereum and where users can buy, sell, transfer and store their digital currency.
17. Defendant operates a cryptocurrency exchange in the state of New York and licensed under 23 NYCRR Part 200. Defendant maintains offices within the State of New York, at 28 Liberty Street, New York 10005.

JURISDICTION AND VENUE

18. The Court has jurisdiction over Defendant pursuant to CPLR § 301 because Defendant regularly transacts business in the State of New York, has a principal place of business in New York and is licensed in the state of New York under 23 NYCRR § 200.
19. Venue is proper in this Court under CPLR § 503 because, upon information and belief, in September 2018 Coinbase opened a primary place of business in New York and because New York County is the venue chosen by Plaintiff.

FACTUAL BACKGROUND RELEVANT TO ALL CAUSES OF ACTION

20. Defendant holds itself out as a regulated and fully compliant entity, registered with the FinCEN as a Money Services Business, and calling itself “the most trusted cryptocurrency platform.”
21. Defendant is also bound by the regulations set forth by DFS, in order to maintain their BitLicense, which includes reporting on any suspicious transactions and taking immediate steps to prevent them in the future.
22. Pursuant to Section 200.7 of the NYSDFS regulation, Coinbase is a licensee of the BitLicense issued to it by DFS and was thus obligated to comply with all applicable federal and state laws, rules and regulations.
23. Section 200.16(a) “Cyber security program” of DFS states in pertinent part:

“Each Licensee shall establish effective cyber security program to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized…tampering. The cyber security program shall be designed to perform the following five core cyber security functions: (1) identify…cyber risks by, at a minimum, identifying the information stored on the Licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed; (2) protect the Licensee’s electronic systems…from unauthorized access…or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures; (3) detect systems intrusions, data breaches, unauthorized access to systems or ….other Cyber Security Events; (4) respond to detected Cyber Security Events to mitigate any negative effects; and (5) recover from Cyber Security Events and restore normal operations and services.”

24. Coinbase received a BitLicense from DFS to operate as an exchange of Cryptocurrencies within the State of New York, and thus, is a Licensee pursuant to Title 23, Chapter 1, Part 200 of the NYSDFS Regulations. Section 200.19(g) of DFS regulation mandates that:

“Licensees are prohibited from engaging in fraudulent activity. Additionally, each Licensee shall take reasonable steps to detect and prevent fraud, including by establishing and maintaining a written anti-fraud policy. The anti-fraud policy shall, at a minimum, include: (1) the identification and assessment of fraud-related risk areas; (2) procedures and controls to protect against identified risks; (3) allocation of responsibility for monitoring risks; and (4) procedures for the periodic evaluation and revision of the anti-fraud procedures, controls, and monitoring mechanisms.”

25. Section 200.20(a) of DFS regulation further mandates that each Licensee shall establish and maintain written policies and procedures to fairly and timely resolve complaints.
26. Coinbase’s negligence, carelessness, and recklessness arose from, but is not limited to the following:

1. 1. failing to provide adequate cyber security measures as mentioned above which constitutes non-compliance with industry standards, governmental regulations and its own policies;
   2. failure to implement adequate security protocols – including that which is required by industry standards, governmental regulations, and its own internal policies;
   3. failing to properly implement and/or consistently failing to follow security protocols such as requiring the input of a 2FA code as a condition to execute a transfer of cryptocurrency funds out of one account to another account or cryptocurrency wallet;
   4. failing to properly advise, patrol, respond, address, and monitor customer and industry wide complaints of hackers and scammers that were targeting Coinbase users for their personal and sensitive information in order to illegally obtain access to their accounts; such complaints of hackers and scammers were prevalent and known to Coinbase;
   5. failing to abide by its own internal security policies of requiring the input of a 2FA code in order to execute the transfer of funds out of Plaintiff’s account, as well as failing to provide the required security protection to do so;
   6. failing to abide by regulations mandated by Section 200.7 of NYSDFS Regulation and Coinbase’s own internal security policies, and thus, allowing hackers and scammers to illegally obtain access to Plaintiff’s Coinbase account and causing the transfer of Plaintiff’s digital assets into an unauthorized cryptocurrency wallet;
   7. neglecting to abide by Section 200.19(g) of the DFS regulations by failing to mitigate security risks created by hackers and scammers and failing to monitor the fraudulent conduct of hackers and scammers; Coinbase failed to act in good faith and to the detriment of Plaintiff by failing to fairly and timely resolve Plaintiff’s complaint as required by Section 200.20(a) of the NYSDFS Regulations.

27. On February 7, 2018, DFS issued guidance to all virtual currency business entities licensed under 23 NYCRR Part 200 of NY Banking Law. Under this Guidance, virtual currency operators, such as Coinbase, are required to implement measures designed to effectively detect, prevent, and respond to fraud, attempted fraud, and similar wrongdoing.
28. Furthermore, immediately upon the discovery of any wrongdoing, a virtual currency business operator must submit to DFS a report stating all pertinent details known at the time of the report. The operator must also submit to DFS, as soon as practicable, a further report or reports of any material developments relating to the originally reported events, along with i) a statement of the actions taken or proposed to be taken with respect to such developments, and ii) a statement of changes, if any, in the operator’s operations that have been put in place or are planned in order to avoid repetition of similar events.
29. Defendant failed to take these actions, as presented in detail in the foregoing sections. Upon information and belief, Defendant failed to submit to the DFS the information relating to the theft of Plaintiff’s assets, arising out of Defendant’s grossly negligent misconduct.
30. Similarly, upon information and belief, Defendant ignored said guidance by failing to report a countless number of similar security breaches, resulting in a total loss of funds deposited by New York residents onto the Coinbase platform.
31. Furthermore, as a money services business, Defendant has strict obligations under the Currency and Foreign Transactions Reporting Act of 1970, a.k.a. the Bank Secrecy Act, to monitor customer transactions and report any suspicious activities to law enforcement authorities. See 31 U.S.C. § 5311; 12 C.F.R. § 208.63.
32. The USA Patriot Act of 2001 (the “Patriot Act”) reinforced this obligation and underscored the importance of implementing robust internal systems to detect and report money laundering and other suspicious activities. Defendants failed to follow the regulations promulgated pursuant to the Patriot Act requiring financial institutions to institute an anti-money laundering (“AML”) program and allowed Plaintiff’s funds to be transferred to unknown wallets. Such actions are implicated in money laundering activities.
33. Upon information and belief, Defendant failed to report to FinCen, per Patriot Act and BSA obligations, Plaintiff’s theft of funds incident and transfer of such funds to the unidentified wallet

Defendant describes themselves as the preeminent cryptocurrency exchange

34. Defendant Coinbase released a Public Statement, pledging to “lead the way” in developing robust cyber security program. According to the Coinbase statement:

• Responsible Bitcoin exchanges are working together and are committed to the future of Bitcoin and the security of all customer funds.
• Bitcoin operators play a critical role over the Bitcoin they hold as assets for their customers.
• Acting as a custodian should require a high bar, including appropriate security safeguards that are independently audited and tested on a regular basis. Coinbase touted and positioned itself to be one of those “responsible Bitcoin exchanges.”

35. As set forth herein, by such statements and its conduct in general, Coinbase assumed a duty to protect and safeguard the assets of its exchange customers.

Plaintiff Sets Up a Coinbase Account

36. In or about 2017, Plaintiff created an account with Coinbase.
37. The procedure for establishing a Coinbase account was and remains merely providing a name, email address, password, and Plaintiff’s state of residence, followed by verification.
38. Coinbase does not use distinct usernames; a customer’s email address is their username. Plaintiff enabled Duo Two-Factor Authentication (Duo 2FA) as an added layer of security for Coinbase transactions. Upon information and belief, and according to the Coinbase website, Duo 2FA is endorsed by Coinbase, and it clearly states: “Authenticators like Duo … provide an extra layer of protection in addition to your password. When using an authenticator for your two-step verification codes, you’ll be protected even if your password is stolen or your phone number is ported since these apps are tied to your mobile device and not your phone number.”
39. At all times, Defendant assured Plaintiff and continues to assure customers that it “collects and verifies” customer information “in order to (a) protect Coinbase and the community from fraudulent users and (b) keep appropriate records of Coinbase’s customers.” Coinbase states these efforts are made due to its status as “a regulated financial service company operating in the US,” and “ensures we remain in compliance with KYC/AML laws in the jurisdictions in which we operate….”
40. At all times, Defendant assured Plaintiff and continues to assure its customers that their “withdrawal and trading limits … (and) USD Wallet transfer limits … are based on the identifying information and/or proof of identity (customers) provide to Coinbase.”

Plaintiff Loses Cellular Service and is Unable to Access Coinbase Account

41. On August 26, 2020 at or around 10:00 pm EST, Plaintiff lost cellular service on his phone.
42. Simultaneous to Plaintiff’s lost cellular service on August 26, 2020, Plaintiff was unable to access his Coinbase account through the Coinbase App or through his computer.
43. At or around 10:00 pm EST on August 26, 2020, Plaintiff attempted to call Coinbase Customer Service at 1(888)908-7930, but due to lack of cellular service, was unable to place this call.
44. At or around 10:15 pm EST on August 26, 2020, Plaintiff emailed Coinbase Customer Service and notified them of his loss of cellular service.
45. At or around 10:15 pm EST on August 26, 2020, Plaintiff directed Coinbase to lock his account. This direction was given via email to Coinbase Customer Service.
46. At all relevant times herein, Coinbase failed to adequately keep Plaintiff informed regarding the status of Plaintiff’s funds deposited with Coinbase.

Plaintiff Attempts for Five Days to Reach Coinbase

47. For five days, between August 26, 2020 and August 31, 2020, Plaintiff was unable to access his Coinbase account and was unaware of the status of the account.
48. During the five days between August 26, 2020 and August 31, 2020, Plaintiff sent several emails to Coinbase Customer Service, requesting that Coinbase clarify the status of his account.
49. On or before August 27, 2020, Plaintiff was told by his mobile carrier, Sprint, that his mobile number was ported to an unknown third-party carrier.

Coinbase Fails to Protect Plaintiff’s Account

50. At all times, Coinbase stated and continues to state: “Coinbase takes a number of steps to ensure the security of our customers’ accounts.” At all times, Coinbase stated and continues to state: “When a Coinbase customer attempts to reset their password, we take precautions to ensure that it is a legitimate request. This means that our customers may only reset their passwords from devices they have previously verified, or from locations they have previously logged in from.” At all times, Coinbase stated and continues to state: “If you are having trouble resetting your password, you will need to: 1. Reset it from a device you have previously used to access Coinbase. 2. Reset it from a location (IP address) you’ve previously used to access Coinbase.”
51. On August 26, 2020, Coinbase received three sequential requests for a password reset for Plaintiff’s account. Each of the above-mentioned password reset requests were made from a foreign, web-enabled device never before used by Plaintiff. These communications were received from a device containing information not stored by Coinbase to identify Plaintiff.
52. Each of the above-mentioned password reset requests were made from a device with an IP address never before used by Plaintiff. The IP address from which these requests were made was geographically located in Denver, Colorado; Plaintiff resides in New York. Per the Coinbase website, the Plaintiff’s state of residence is one of only four identification markers used by Coinbase.
53. As such, a password reset request from a Colorado-based IP address was a clear marker of suspicious activity.
54. After the third password reset request, 19 Sign-out Sessions were recorded from the same, foreign IP address and foreign device.

Coinbase Authenticates a Foreign Device for Access to Plaintiff’s Account, then Authorizes a Password Reset 

55. Coinbase authenticated a foreign device after this suspicious activity, first by a Verified Second Factor and then by a Device Confirmation.
56. Coinbase violated its own policy and procedure in authenticating this foreign device without Plaintiff’s authorization. Coinbase’s own policy states: “Coinbase uses Device Verification, a security feature that requires all devices (mobile and computer) and IP addresses to be authorized before accessing your account.”
57. Coinbase then authorized a password reset for Plaintiff’s account from a foreign device, to an unknown party.
58. This password reset was in violation of Coinbase’s own policy, which states, “Coinbase only processes password reset requests from devices that have been previously authorized to access your account.”)
59. Coinbase also contradicts itself and states: “If you are resetting your password from a new device, our system may delay the processing time for 24 hours in the interest of keeping your account secure.”
60. Coinbase authorized an unknown party with a foreign device and foreign IP address to access Plaintiff’s Coinbase account.

Coinbase Allows Immediate Transfer of All Funds from Plaintiff’s Account

61. Coinbase allowed this Coinbase-authorized but unknown party, using a foreign device and foreign IP address, to immediately transfer Plaintiff’s funds, which is inconsistent with its own policy and with industry standards. These standards call for a 24-hour security period before transfer of funds following suspicious activity. See 23 NYCRR § 200.16 Cybersecurity; licensees must establish and maintain an effective cybersecurity program.
62. After granting the password reset, Coinbase immediately allowed funds to be transferred to unknown wallets, which is inconsistent with industry-standard of other crypto firms, and which would have immediately frozen transfers for at least 24 hours to minimize risks of theft.
63. Coinbase allowed this authorized but unknown party, using a foreign device with a foreign IP address, to immediately transfer funds into wallets never before used by Plaintiff. See 23 NYCRR § 200.16.
64. Coinbase authorized all of Plaintiff’s funds to immediately be depleted, an action unlike previous activity of Plaintiff and inconsistent with industry standards and safety protocol.
65. Coinbase authorized the entirety of Plaintiff’s funds to be transferred in violation of its own Transaction Limits.

Coinbase Refuses to Remedy Plaintiff’s Losses

66. The transactions in question were authorized by Coinbase.
67. The transactions in question were NOT authorized by Plaintiff.
68. The transactions in question, authorized by Coinbase but not by Plaintiff, were known to Coinbase and Coinbase thus had notice, per Coinbase policy.
69. Coinbase refuses to return or restore Plaintiff’s losses, despite assuring Plaintiff and all Coinbase customers that (i) cryptocurrency stored on Coinbase’s servers is covered by their insurance policy and (ii) customers will be protected even if customer’s password is stolen or phone number is ported.
70. Upon information and belief, Coinbase has not reported the above-referenced cyberattack to proper regulatory authorities.
71. Upon information and belief, Coinbase failed to notify its customers of numerous cyberattacks on its site, resulting in multi-million dollar thefts from Coinbase users.

FIRST CAUSE OF ACTION
NEGLIGENCE

72. Plaintiff repeats, realleges, and incorporates by reference all preceding and succeeding paragraphs as if set forth in their entirety herein.

Duty to protect Plaintiff’s funds

73. Defendant assumed responsibility for providing Plaintiff with the highest standards of cryptocurrency custody, including safeguarding Plaintiff’s cryptocurrency from cyberattacks.
74. At all relevant times, Defendant held itself out to be a financial institution in compliance with 23 NYCRR § 200.
75. At all relevant times, Defendant held itself out to be a financial institution in compliance with KYC/AML monitoring and reporting, including to the industry standards and stringent requirements of FinCEN, DFS and BitLicense.
76. As detailed above, Defendant’s negligent actions include, but are not limited to:

1. 1. Authenticating a foreign device after numerous failed password reset requests and 20 log-ins from a foreign IP address never before used by Plaintiff.
   2. Authenticating a foreign device through an erroneous Device Confirmation.
   3. Authenticating a foreign device through an erroneous Verified Second Factor.
   4. Allowing a password reset from a foreign device.
   5. Failing to delay, “in the interest of keeping customer’s account(’s) secure,” the processing time of transfers for 24 hours after a password reset from a foreign device.
   6. Authorizing an unknown party with a foreign device and foreign IP address to access Plaintiff’s Coinbase account.
   7. Authorizing an unknown party with a foreign device and foreign IP address to immediately transfer funds from Plaintiff’s account into foreign wallets never before used by Plaintiff.
   8. Failing to ensure Plaintiff’s funds despite claiming Coinbase is responsible for all authorized transactions.
   9. Failing to remedy Plaintiff’s losses despite assuring Plaintiff and other Coinbase customers they will be protected even if customer’s password is stolen or phone number is ported.

89. Defendant owed Plaintiff a duty of care to provide cryptocurrency custody, safeguarding and keeping services with the security, and vigilance and diligence
90. Defendants breached this duty by providing cryptocurrency custody services that did not meet this standard, as demonstrated above.
91. Plaintiff has incurred substantial financial damages as a direct result of Defendant’s breach of duty of reasonable care, as alleged herein.
92. As a consequence of Defendant’s breach of duty of reasonable care, Plaintiff has been damaged in the sum to be determined by this Court. Today, the Plaintiff’s portfolio would be worth more than $400,000
93. Defendant had a duty to protect all funds in Plaintiff’s account and failed in this duty by not locking the account or having proper mechanisms in place to stop a cyberattack and fraudulent transfer of assets.
94. Under DFS regulations, it was the duty of the Defendant to take the proper precautions to ensure that security breaches could not occur.
95. Twenty (20) consecutive failed attempts to log in from unknown IP address should have raised red flags for Coinbase.
96. Defendant has previously been accused of similar breaches in customer accounts due to a lack of appropriate cybersecurity and has clearly been “on notice” for an ongoing problem over the past two to three years.
97. Defendant failed to address this issue, resulting in Plaintiff suffering undue financial damages.
98. As a licensed Money Services Business in the State of New York, Defendant is the holder of customer funds, and therefore the responsible party for protecting customer assets. Rather than protecting these assets in accordance with DFS, BSA, FinCEN, and BitLicense regulations, Defendant allowed an unknown party to transfer a basket of crypto held by the client from Plaintiff’s account to unknown wallets held by foreign IP addresses.
99. Defendant failed to perform adequate “anti-money laundering” and “combined KYC/AML procedures, as those procedures are commonly known under FinCen guidelines and enforcement rules.
100. Defendant was also negligent in allowing a foreign IP address to access funds owned by the Plaintiff when so many red flags were present.

Duty to Report Suspicious Activity

101. Defendant was negligent in its failure to abide by DFS regulations and take such precautions, failure to file a report with DFS, and failure to freeze Plaintiff’s account for a period of at least 24 hours following suspicious activity.
102. Defendant’s compliance department should have reached out to the Plaintiff to make him aware of the situation before the Plaintiff reached out to them.

Duty of Care

103. As detailed above, beginning in 2017 when Plaintiff opened a Coinbase account, and continuing through the present, Coinbase made false and misleading representations to Plaintiff.
104. Coinbase’s false and misleading representations include, but are not limited to the following statements:

1. 1. Coinbase is the most trusted cryptocurrency platform.
   2. You will be protected even if your password is stolen or your phone number is ported.
   3. Coinbase takes a number of steps to ensure the security of our customers’ accounts.
   4. When a customer attempts to reset their password, we take precautions to ensure that it is a legitimate request.
   5. Our customers may only reset their passwords from devices they have previously verified, or from locations they have previously logged in from.
   6. If you are having trouble resetting your password, you will need to: 1. Reset it from a device you have previously used to access Coinbase (or) 2. Reset it from a location (IP address) you’ve previously used to access Coinbase.
   7. Coinbase uses Device Verification, a security feature that requires all devices (mobile and computer) and IP addresses to be authorized before accessing your account.
   8. Coinbase only processes password reset requests from devices that have been previously authorized to access your account.
   9. If you are resetting your password from a new device, our system may delay the processing time for 24 hours in the interest of keeping your account secure.
   10. The use of all Coinbase Services is subject to a limit on the amount of volume, stated in U.S. dollar terms, you may transact or transfer in a given period (e.g. daily).
   11. Customers will be protected even if customer’s password is stolen or phone number is ported.
   12. We are not responsible for any claim for unauthorized or incorrect transactions unless you have notified us in accordance with this section.

105. These misleading representations resulted from Coinbase’s negligence and/or lack of due diligence and/or lack of adherence to virtual currency industry standards.
106. Plaintiff, at the time these representations were made and at the time Plaintiff engaged the services of Coinbase, was ignorant of the falsity of Coinbase’s representations and believed them to be true.
107. Coinbase was fully aware that its representations were and continue to be essential to the safekeeping and security of Plaintiff’s and all customers’ virtual currency.
108. Coinbase owed a duty to Plaintiff to use reasonable care to impart correct and accurate information to Plaintiff because of the nature of the relationship that existed between them.
109. Coinbase is entrusted to possess unique and specialized expertise as a cryptocurrency custodian that is licensed by the State of New York and adheres to the highest of cryptocurrency standards and requirements including KYC/AML compliance and reporting, and those required by FinCEN, DFS and BitLicense.
110. Defendant knew that Plaintiff intended to rely and in fact relied on such expertise and representations.
111. In justifiable reliance on Coinbase’s representations, Plaintiff entrusted Coinbase with the security and safekeeping of his assets.
112. As a direct and proximate result of the negligent misrepresentations made by Defendant alleged herein, and Plaintiff’s reliance on such, Plaintiff suffered monetary damages.
113. Plaintiff seek damages based upon the unlawful conduct of Coinbase in failing to properly monitor customer accounts that held Plaintiff’s money and ignoring its duty to investigate suspicious activities under the US and New York State anti-money laundering rules.

SECOND CAUSE OF ACTION
GROSS NEGLIGENCE

114. Plaintiff repeats, realleges, and incorporates by reference all preceding and succeeding paragraphs as if set forth in their entirety herein.
115. Defendant owed the duty to the Plaintiff and its users to provide security, consistent with industry standards and requirements, governmental regulations, and its own internal policies, to ensure that its computer systems, networks, and personnel adequately protect the financial information of users who utilized the Coinbase, as well as ensuring that the user’s account information would not be attacked by hackers.
116. Plaintiff was aware and under the assumption and belief, and relied upon Defendant’s misleading misrepresentations that they are the most trusted and safest cryptocurrency platform in the world.
117. Upon information and belief, between 2013 and to this date, Coinbase’s users’ accounts were subject to countless sim card phishing attacks, which Defendant failed to prevent, resulting in tens of millions of dollars in life saving losses by the residents of New York State.
118. Defendant owed a duty of care to Plaintiff and its users because Plaintiff and other Coinbase users were foreseeable and probable victims of hackers.
119. DFS imposes a duty upon Defendants to implement cyber security measures to protect the exchange, and its users’ accounts, sensitive information, and funds, from unauthorized access, use or tampering.
120. Given the history of countless sim card phishing attacks on Defendant’s users’ accounts, Defendant was aware and could reasonably foresee that the inadequate security would cause Plaintiff and other such users to sustain substantial financial harm and was therefore charged with a duty to adequately prevent users’ accounts from hacker attacks.
121. As a direct and proximate result of Defendant’s grossly negligent conduct, Plaintiff has suffered injury and is entitled to punitive damages in an amount to be proved at trial.

THIRD CAUSE OF ACTION
DECEPTIVE BUSINESS PRACTICES IN VIOLATION OF GENERAL
BUSINESS LAW § 349

122. Plaintiff repeats, realleges and incorporates by reference all preceding and succeeding paragraphs as if set forth in their entirety herein.
123. New York’s General Business Law (“GBL”) § 349 prohibits deceptive and misleading business practices. Specifically, under the plain language of GBL § 349(a), “deceptive acts and practices” in the conduct of any business, trade, or commerce “are hereby declared unlawful.”
124. GBL § 349(h) grants a “right of action” to “any person who has been injured by reason of any violation of this section.”
125. Coinbase’s practice of claiming to adhere to the highest standards of cryptocurrency custody is deceptive and misleading and led to material damages for the Plaintiff.
126. Coinbase’s practice of negligence, detailed herein, is deceptive, misleading and resulted in material damages for Plaintiff.
127. Coinbase’s practice of significant, continuous, negligent misrepresentations about services and safeguards, detailed herein, is deceptive, misleading and lead to material damages for Plaintiff. Coinbase’s practice of falsely advertising to the public that it insures its client’s funds is deceptive and misleading under GBL § 349.
128. Coinbase’s practice of falsely advertising to the public that customers will be protected even if customer’s password is stolen or phone number is ported is deceptive and misleading under GBL § 349.
129. Coinbase’s practice of falsely advertising to the public that it adheres to the highest standards of cryptocurrency standards and requirements including KYC/AML compliance and reporting, and those required by FinCEN, DFS and BitLicense are deceptive and misleading under GBL § 349.
130. Plaintiff relied upon Coinbase’s advertised and represented capabilities and assurances when Plaintiff entrusted Coinbase with his assets.
131. Pursuant to GBL § 349, Plaintiff is entitled to a right of action against Coinbase, to be heard in this Court.
132. Pursuant to GBL § 349, this Court is granted authority to award to Plaintiff reasonable attorneys’ fees expended in prosecuting this action.
133. Pursuant to GBL § 349, Plaintiff is entitled to a judgment for deceptive business practices, awarding damages against Coinbase in an amount to be determined by this Court.

 WHEREFORE, Plaintiff demands a judgment as follows:

(a) A judgment awarding Plaintiff actual compensatory damages;

(b) A judgment awarding Plaintiff exemplary and punitive damages for Defendant’s knowing, willful and intentional misconduct;

(c) Pre-judgment and post-judgment interest;

(d) Attorney’s fees, expenses, and the costs of this action; and

(e) All other and further relief as this Court deems necessary, just and proper.

JURY TRIAL DEMANDED

Plaintiff demands a trial by jury on all issues so triable.

Resources:

• MSB Registrant Search | FinCen.gov
• House.Gov Report | Here’s How Hackers Can Hijack Your Online Bitcoin Wallet
• TechCrunch: Coinbase vulnerability is a good reminder that SMS-based 2FA can wreak havoc
• Forbes: All That’s Needed To Hack Gmail And Rob Bitcoin: A Name And A Phone Number
• Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security
• Three Individuals Charged for Alleged Roles in Twitter Hack
• Report of the Joint economic committee | Congress of The United States – Chapter 9: Building a secure future, one blockchain at a time
• VIRTUAL CURRENCIES. Additional Information Reporting and Clarified Guidance Could Improve Tax Compliance | GAO
• Virtual Currency Businesses: The Market and Regulatory Issues – Joint Informational Hearing Assembly Banking and Finance Committee Assembly Select Committee on Technological Advances
• The Future of Cryptocurrency: Countering Fraud and Regulating Digital Assets
• Virtual Currency: Financial Innovation and National Security Implications
• Risks and Vulnerabilities of Virtual Currency. Cryptocurrency as a Payment Method
• DFS Authorizes Coinbase To Form Coinbase Custody Trust Company LLC
• Treasury Sanctions Individuals Laundering Cryptocurrency
• Bitcoin Dealer Indicted on Money Laundering Charges