Posts with «financial fraud prevention» label

SEC charges Terraform Labs over alleged 'multi-billion dollar' crypto fraud

It's not just international police trying to hold Terraform Labs accountable for a collapse that took $40 billion from investors. The Securities and Exchange Commission has charged Terraform and its CEO Do Kwon with securities fraud for allegedly running a "multi-billion dollar" crypto asset scheme. The blockchain startup purportedly misled investors by falsely claiming that its TerraUSD asset was a stablecoin pegged to the US dollar, with high yields (up to 20 percent). The firm also fooled people by claiming its Luna token would gain value thanks to a Korean mobile payment app that used the Terra blockchain to settle transactions.

Terraform and Do Kwon didn't provide "full, fair and truthful disclosure" for their crypto asset securities, SEC chair Gary Gensler says. The charges include registration and anti-fraud violations of the Securities Act and Exchange Act.  

TerraUSD and Luna lost their peg to the US dollar in May 2022, with the prices of both plunging to near-zero. Investors lodged complaints accusing Terraform and Kwon of running a Ponzi scheme, and the freefall contributed to the collapse of the crypto hedge fund Three Arrows Capital. The crypto exchange Binance quickly faced a lawsuit over claims it incorrectly marketed TerraUSD as a safe asset. While Kwon insisted that he wasn't evading capture, he left his native South Korea, refused to face investigators' questions and was put on Interpol's "red notice" list.

The SEC's charges join a string of efforts to crack down on reported fraud among some of the crypto industry's biggest names. Authorities have most notably pursued FTX and its founder Sam Bankman-Fried over that exchange's downfall, while former Celsius Network chief Alex Mashinsky is also accused of defrauding investors. While crypto may still have a future, it's clear government bodies want stricter enforcement of financial laws in this arena.

Coinbase agrees a $100 million settlement with a New York regulator

Cryptocurrency exchange Coinbase has agreed a $100 million settlement with the New York State Department of Financial Services (DFS), which accused it of violating regulations related to virtual currency, money transmitting, transaction monitoring and cybersecurity. "These failures made the Coinbase platform vulnerable to serious criminal conduct, including, among other things, examples of fraud, possible money laundering, suspected child sexual abuse material-related activity and potential narcotics trafficking," the agency said. The company will pay the state a $50 million fine and invest $50 million to address the issues flagged by the regulator and comply with a DFS-approved plan.

The agency claimed that Coinbase's practices concerning due diligence, transaction monitoring and sanctions compliance (among others) were "inadequate for a financial services provider of Coinbase’s size and complexity." It accused the company of failing to carry out sufficient background checks on customers before they opened accounts and being unable to keep up with transaction monitoring system (TMS) alerts. The DFS added that Coinbase had a months-long TMS backlog that meant the company "routinely failed to timely investigate and report suspicious activity as required by law."

By late 2021, the DFS said, Coinbase had a backlog of more than 100,000 transaction monitoring alerts it had not reviewed. It also noted that by that time, the backlog of customers who required "enhanced due diligence exceeded 14,000." Coinbase's approach to background checks amounted to a “simple check-the-box exercise,” regulators claimed. 

The DFS granted Coinbase a license to operate in New York in 2017. Compliance issues first emerged during a safety and soundness examination that the agency conducted in 2020. Following that probe, the DFS ordered Coinbase to hire an independent consultant to review the compliance program and offer recommendations on how to improve in areas in which the agency felt the company was falling short. As a result, Coinbase adopted a plan to bolster its compliance program. However, following an investigation it began in 2021, the DFS determined that the program could not "keep up with the dramatic and unexpected growth of Coinbase’s business." Coinbase now has more than 100 million users worldwide.

The agency brought in an independent monitor in early 2022 to evaluate the state of the compliance program and work with Coinbase to address the issues — all while the investigation was ongoing. As part of the settlement, the monitor will work with Coinbase for another year. The DFS can extend that timeframe at its discretion. The agency pointed out that Coinbase has started to address many of the issues and develop "a more effective and robust compliance program" under the eyes of the DFS and the monitor, though it noted that the company still isn't moving quickly enough to review older suspicious accounts.

Other crypto firms have faced penalties in recent months for allegedly violating financial regulations. The DFS fined Robinhood $30 million in August, while the Treasury Department reached a settlement with Kraken over claims that the exchange provided services to customers in Iran in violation of US sanctions. According to The New York Times, regulators are investigating Binance over possible money laundering violations. Before its collapse in November, FTX was said to have been under investigation too — the company's founder, Sam Bankman-Fried, pled not guilty to federal fraud charges this week. It was also reported last summer that the Securities and Exchange Commission was investigating Coinbase over possible securities violations.

Two top executives plead guilty to fraud in FTX case

Top FTX executives close to Sam Bankman-Fried, Caroline Ellison and Zixiao "Gary" Wang, have pleaded guilty to fraud and are cooperating with prosecutors. The pair were convicted "in connection with their roles in the fraud that contributed to FTX's collapse," said Damian Williams, the US Attorney for the Southern District of New York, in a press conference.

Ellison, the former CEO of FTX sister company Alameda Research and ex-girlfriend of Bankman-Fried, pleaded guilty to seven counts and faces up to 110 years in prison. Former FTX co-founder Wang pleaded guilty to four counts and faces 50 years. Depending on the level of cooperation, however, they could receive lighter sentences. The pair also face civil fraud charges filed by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). Both were released on $250,000 bonds.

Statement of U.S. Attorney Damian Williams on U.S. v. Samuel Bankman-Fried, Caroline Ellison, and Gary Wang pic.twitter.com/u1y4cs3Koz

— US Attorney SDNY (@SDNYnews) December 22, 2022

The announcement was made as Bankman-Fried was being extradited from the Bahamas to New York, and adds to his mounting legal woes. Wang's lawyer Ilan Graff said that his client has "accepted responsibility for his actions and takes seriously his obligations as a cooperating witness," according to The Washington Post.

Despite their cooperation, the SEC didn't mince words in laying out its case against Ellison and Wang. "Mr. Bankman-Fried, Ms. Ellison, and Mr. Wang were active participants in a scheme to conceal material information from FTX investors," said SEC deputy director of enforcement, Sanjay Wadhwa. "By surreptitiously siphoning FTX’s customer funds onto the books of Alameda, defendants hid the very real risks that FTX’s investors and customers faced."

Bankman-Fried, meanwhile, is accused of a long list of misdeeds by multiple agencies, including the SEC, Department of Justice and CFTC. Those include defrauding FTX investors and customers of more than $1.9 billion, multiple counts of wire fraud, conspiracy to defraud investors by sharing misleading information and "surreptitiously" siphoning customer funds. The CFTC also alleges that Bankman-Fried and his cohorts "took hundreds of millions of dollars in poorly-documented 'loans' from Alameda," which they then used to purchase real estate and make political donations.

FTX founder Sam Bankman-Fried agrees to extradition to the US

When the Bahamas Attorney General's office announced that it had arrested former FTX CEO Sam Bankman-Fried, it noted that he was likely to be extradited at the request of the United States. Just over a week later, that prediction has come true: Bankman-Fried signed extradition papers on Tuesday afternoon.

According to an unsealed indictment, Bankman-Fried is facing 8 counts of conspiracy to commit wire fraud, commodities fraud, securities fraud, and more. Specifically, the SEC accuses the cryptocurrency founder of "orchestrating a massive, years-long fraud" for "his own personal benefit and to help grow his crypto empire." The Department of Justice has accused him of attempting commodities and securities fraud, conspiring to defraud investors and breaking federal election laws for donating more to political groups than is legally allowed.

Bankman-Fried originally planned to fight extradition, but indicated on Monday that he would reverse course. Now, he will be returning to the US to face those charges, a decision that might be easier on him in the short term. When the former CEO was first arrested in the Bahamas, he was denied bail and deemed a flight risk. In the United States, it's possible he could be released on bail.

Bankman-Fried has previously said that he "didn't ever try to commit fraud," and doesn't believe he's criminally liable for the fall of FTX. The New York Times reports that a defense lawyer representing Bankman-Fried in the Bahamas says that he's returning to the US because he "wishes to put the customers right, and that is what has driven his decision."

LastPass reveals another security breach

LastPass CEO Karim Toubba has revealed that the password manager has been breached again. Toubba said the company detected unusual activity within a third-party cloud storage service that it shares with its parent company GoTo, which was formerly known as LogMeIn. To investigate the incident, LastPass has teamed up with security firm Mandiant. Together, they've determined that the unauthorized party got into LastPass' cloud service by using information obtained from the security breach it suffered in August this year. Further, they've discovered that the bad actor was able to access "certain elements" of its customers' information.

If you'll recall, LastPass was hacked back in August, and Toubba admitted after an investigation that the unauthorized party had internal access to its systems for four days. The hacker was able to steal some of the password manager's source code and technical information, but LastPass said customers' data and encrypted password vaults remained untouched. Apparently, the hacker's access was limited to the service's development environment. While the unauthorized party was able to access some user information this time, LastPass said customers' passwords remain safely encrypted. 

In an announcement of its own, remote work and collaboration tools provider GoTo has admitted that bad actors gained entry into its development environment. Like LastPass, the company has assured customers that its products and services are fully functional despite the breach. The password manager and its parent company are still investigating the incident to understand its scope, so we'll likely hear more details in the coming months. 

T-Mobile will pay $350 million to settle lawsuits over massive data breach

If you were a T-Mobile customer in August 2021, you may get a few dollars from the carrier in the near future. It has agreed to settle a consolidated class action lawsuit filed against the company over a data breach that exposed the personal information of 76.6 million "current, former and prospective customers." Back when T-Mobile's CEO, Mike Sievert, admitted and apologized for the breach, the carrier said the individual who hacked its network used "specialized" tools and knowledge of its infrastructure in order to gain access to its testing environment. That individual then stole customer data from the network and sold it on hacker forums.

The type of information that the bad actor sold varies per person, but it could include the name, birth date and social security number for each individual. T-Mobile got in touch with people affected by the data leak shortly after it came to light and offered them two free years of access to McAfee’s ID Theft Protection Service. Now, they're also getting monetary compensation, though it will likely be a few dollars at most. While the $350 million settlement may sound substantial, a huge chunk of that amount will go towards paying off legal fees. The rest will be divided among tens of millions of affected customers. According to the SEC filing spotted by GeekWire, the company will also spend $150 million on data security technologies throughout this year and the next.

The settlement still has to be approved by the court. But if it is, it will "resolve substantially all of the claims brought by the company’s current, former and prospective customers who were impacted by the 2021 cyberattack." You can read the full proposed settlement here.

OpenSea users' email addresses leaked in data breach

NFT marketplace OpenSea shared today that it’s the victim of another data breach — though this time the target is one of its vendors. An employee of its email delivery vendor, Customer.io, allegedly downloaded and shared stored email addresses associated with OpenSea accounts and newsletter subscriptions with an unknown third party. Any OpenSea account holder or newsletter subscriber should assume their email address was among those impacted, according to a blog post by the company’s head of security Cory Hardman. At this time it does not appear any passwords or other personal information was stolen.

The company is working with Customer.io to investigate the matter. “Please stay vigilant about your email practices, and be alert for any attempt to impersonate OpenSea via email,” wrote Hardman.

Unlike a previous phishing attack on OpenSea in February that resulted in hundreds of NFTs being stolen, there appears to be no further reported damage beyond the leaked email addresses. Still, the number of people likely impacted by the breach is significant. Hackread noted that 1.8 million users made purchases through the Ethereum network on OpenSea, according to data from Dune Analytics.

Yesterday the company sent emails to OpenSea users who they suspected were involved, warning them to be on the lookout for phishing emails and other scams. Beyond standard advice such as not to download attachments or click on a link from an OpenSea email, users were also warned not to sign wallet transactions directly from an email or to share or confirm secret wallet phrases.

OpenSea data breach. pic.twitter.com/FEtDKsoHje

— eric.eth (@econoar) June 30, 2022

The identity of the third party who received the breached email addresses has not been revealed. A representative from Customer.io told TechCrunch that the employee behind the breach had “role-specific” access to the OpenSea data that they abused. “We do not believe any other clients’ data has been compromised, but we are continuing to investigate. The employee in question has had all access removed and has been suspended pending the conclusion of our investigation.”

Former Amazon engineer convicted in 2019 Capital One data breach

A Seattle jury has found Paige Thompson, a former Amazon software engineer accused of stealing data from Capital One in 2019, guilty of wire fraud and five counts of unauthorized access to a protected computer. The Capital One hack was one of the biggest security breaches in the US and compromised the data of 100 million people in the country, along with 6 million people in Canada. Thompson was arrested in July that year after a GitHub user saw her post on the website sharing information about stealing data from servers storing Capital One information. 

According to the Department of Justice, Thompson used a tool she built herself to scan Amazon Web Services for misconfigured accounts. She then allegedly used those accounts to infiltrate Capital One's servers and download over 100 million people's data. The jury has decided that Thompson violated the Computer Fraud and Abuse Act by doing so, but her lawyers argued that she used the same tools and method also used by ethical hackers.

The Justice Department recently amended the Computer Fraud and Abuse Act to protect ethical or white hat hackers. As long as researchers are investigating or fixing vulnerabilities in "good faith" and aren't using the security holes they discover for extortion or other malicious purposes, they can no longer be charged under the law.

US authorities, however, disagreed with the assertion that she was only trying to expose Capital One's vulnerabilities. The Justice Department said she planted cryptocurrency mining software onto the bank's servers and sent the earnings straight to her digital wallet. She also allegedly bragged about the hack on online forums. 

"Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself," US Attorney Nick Brown said. Thompson could be sentenced to up to 20 years of prison time for wire fraud and up to five years for each charge of illegally accessing a protected computer. Her sentencing hearing is scheduled for September 15th.

FBI warns crypto fraud on LinkedIn is a 'significant threat'

If you have a tendency to talk to people you don't know on LinkedIn, you may want to take extra care. According to a CNBC report, the company has acknowledged a "recent uptick of fraud on its platform," and this time the scams involve persuading users to make investments in cryptocurrency. It's been deemed a "significant threat" by Sean Ragan, the FBI's special agent in charge of the San Francisco and Sacramento field offices in California, who spoke to the outlet.

CNBC said the schemes typically began with someone pretending to be a professional and reaching out to LinkedIn users. They would engage in small talk, offering to help users make money through crypto investments. First, they would tell their targets to go to an actual crypto investment platform, but "after gaining their trust over several months, tells them to move the investment to a site controlled by the fraudster." Thereafter, the money is "drained from the account."

According to victims interviewed by CNBC, the fact that they trusted LinkedIn as a platform for networking lent credibility to the investment offers. 

Ragan told CNBC that "the FBI has seen an increase in this particular investment fraud," which the outlet said "is different from a long-running scam in which the criminal pretends to show a romantic interest in the subject to persuade them to part with their money."

In a statement published yesterday, LinkedIn encouraged users to report suspicious profiles. The company's director of trust, privacy and equity Oscar Rodriguez told CNBC that "trying to identify what is fake and what is not fake is incredibly difficult."

LinkedIn's article urges users to "only connect with people you know and trust" and to "be wary of... people asking you for money who you don't know in person." The company added, "This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings."

It also lists "job postings that sound too good to be true or that ask you to pay anything upfront" and "romantic messages or gestures, which are not appropriate on our platform" as signs of potential fraud attempts.

The company isn't fully relying on its users reporting suspicious accounts as its only defense against scammers on its platform. "While our defenses catch the vast majority of abusive activity, our members can also help keep LinkedIn safe, trusted, and professional," Rodriguez wrote in the statement. LinkedIn also reported that "96% of detected fake accounts and 99.1% of spam and scams are caught and removed by our automated defenses."