Who’s Liable When Your Cryptocurrency Is Stolen?

August 18, 2023

One of the asserted advantages of blockchain and cryptocurrency is their operation outside the commercial banking system. However, this very feature poses a challenge when cryptocurrency is stolen—or more accurately, transferred without the account holder’s consent—leaving account holders with limited recourse. Unlike traditional banks, which can trace the funds, block transfers, or “claw back” fraudulent funds, crypto exchanges have limited ability to regain fraudulently transferred funds. Moreover, user agreements with exchanges absolve any liability to the exchange for such fraudulent transfers, shifting the responsibility of account protection onto customers and mandating arbitration for dispute resolution.

Specific cryptocurrency laws governing liability in such situations remain absent. Courts, rather than forging new paths, rely on established fraudulent transfer regulations governing the banking sector. Determining whether a transfer is fraudulent under banking regulation depends both on the purpose for which the account was created and whether the stolen property is considered a “fund”. A pair of conflicting decisions arising from the theft of cryptocurrency from online broker, Uphold, shows that courts are attempting to navigate the application of new technology to these old laws. In a February decision, one court found the exchange liable for fraud, while last week, another federal judge ruled the same exchange not liable under the same statute, leaving cryptocurrency owners in a state of uncertainty.

The “Electronic Funds?” Conundrum

In 1978, in response to the emergence of “electronic” banking and its attendant risks, Congress enacted the Electronic Fund Transfer Act (EFTA). This legislation, along with its associated regulation, Regulation E, 12, aimed to delineate the responsibilities of senders, recipients, account holders, and financial institutions in cases of theft or misdirection of “electronic funds transfers.” Under the law and regulations, non-commercial customers bore limited liability for unauthorized transfers, contingent on whether they notified the bank about the unauthorized transfer. Although the regulation prescribed nominal consumer liability, typically ranging from $25 to $50, most banks voluntarily reimbursed fraud losses to promote ATM usage and curtail operational costs.

For more sophisticated commercial customers, Regulation E does not apply. Rather, those transactions are governed by UCC 4A-205, which immunizes financial institutions from liability for processing fraudulent transfers if the financial institution can demonstrate that it used “commercially reasonable” means of security and authentication. Indeed, many commercial account agreements contain language in them in which the account holder is required to stipulate that the bank’s security is “commercially reasonable.”

Crypto “Funds” Transfer?

Fast forward to the 2020’s, and the question is whether these regulations apply to all electronic funds transfers – like cryptocurrencies. If a hacker “steals” crypto from a broker, a wallet, or some other crypto transfer agent, or orders the funds transferred to another wallet, is this an electronic “funds” transfer under the 1978 law? If so, the consumer (account holder) will have limited or no out-of-pocket liability for the fraudulent transfer.

Under the statute, an “electronic fund transfer” means: any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. Significantly, the statute defines a “financial institution,” as “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person who, directly or indirectly, holds an account belonging to a consumer.

As a crypto exchange holds cryptocurrency in an account (a wallet) on behalf of a customer or consumer. They then “transfer” that cryptocurrency from one “account” to another at the direction of the customer. That makes them a “financial institution” and makes the transfer an “electronic funds transfer” for which the consumer has no liability if the transfer is fraudulent or unauthorized.

That is, if (and this is a big if) cryptocurrency is a “fund,” since the statute only regulates the “transfer of funds.” If crypto is a commodity (like gold bullion, Dutch tulips in 1640, or beanie babies) and not a fund, then logic dictates that the Electronic Funds Transfer Act would not apply. Similarly, if crypto is a security, a commodity future, or something other than a “fund” the EFTA’s regulations might not apply.

A Matter of Definitions

In February of this year, a federal district court in New York addressed that very “fund” question. In Rider et al v. Uphold HQ Inc. et al, the court addressed whether cryptocurrency was a “fund” under the EFTA, and found that the ordinary dictionary definition of “funds” means a means of exchange that can be used to pay for goods and services. Therefore, according to this court, cryptocurrency is a fund, the exchange “transfers” funds, and is therefore a “financial institution” can be liable for the fraudulent transfer.

What’s An Account?

Recently, in Yuille v Uphold HQ,  another judge from the same court as Rider addressed a comparable issue—the theft of cryptocurrency from a cryptocurrency wallet and whether Regulation E extended protection, absolving consumers of liability. Diverging from the Rider case, Judge Lewis Liman ruled that Regulation E did not apply—not due to the absence of cryptocurrency as a “fund,” but due to the failure of a crypto wallet to meet the statutory definition of an “account,”  or more accurately, because the crypto wallet was not established as a “consumer” account rather than a non-consumer account. The statute defines an “account” as “a demand deposit, savings deposit, or other asset account . . . established primarily for personal, family, or household purposes.”

Here, the court looked to the motives of the cryptocurrency account holder in establishing the account. The Court noted that the account holder opened his account

  • “To hold [Bitcoin]”
  • “To sell and reduce to dollars and transfer dollars to his bank.”
  • “To trade crypto coins like those listed on Uphold.”

The judge found that, because the motive in investing in cryptocurrency was not for “personal, family or household purposes” but for “investment” or for a “profit motive” the crypto wallet was not an “account” entitled to protection.

Where Does This Leave an Individual with a Crypto Wallet?

Consumer or Investor?

Cryptocurrency is supposed to serve two purposes – to be a medium of exchange to buy goods and services (from groceries to housewares, etc.) and, at the same time to be an investment vehicle based on the speculative nature of the value of cryptocurrency. If we treat it as a medium of exchange, then losses might be protected under a law designed to protect ATM debit cards. However, this determination becomes a case-by-case affair, scrutinizing each consumer’s motive for acquiring or retaining cryptocurrency. A comprehensive assignment of risk of fraud for unauthorized transfers of cryptocurrency either by statute, regulation or agreement would help consumers and companies understand their risks and obligations.


While the status of cryptocurrency as a “fund” under the EFTA remains open to interpretation, a compelling argument can be made equating cryptocurrencies with funds, suggesting that financial institutions (brokers) rather than consumers should shoulder the risk of fraudulent transfers.

The difficulty with the most recent court decision is that it goes to the consumer’s motive for maintaining the crypto wallet, rather than their use of the wallet. For example, if a consumer kept “funds” on deposit in a savings account to pay consumer debt, but also was motivated by the fantastic .1% annual interest, would their “investment” objective outweigh the purpose of the account and cause them to have liability for fraudulent transactions? Similarly, for home businesses run out of a consumer’s personal account, does the fact that the bank account is used for both consumer and business purposes render it fair game for hackers?

The EFTA was introduced in the late 1970s, and it’s evident that times have since undergone significant transformations. Therefore, there is a clear need to update the statute in order to align with the dynamic shifts in our constantly evolving technological landscape.

For further questions or clarifications regarding the content of this article, please contact KJK Cyber Security & Data Breach attorney’s Mark Rasch (MDR@kjk.com; 301.547.6925) or Brett Krantz (BK@kjk.com; 216.736.7238).