Verge token hack lawsuit says creators in project “black paper” are general partnership and that is Not a Good Thing

Quick Take

  • James et al. v. Valo et al., E.D. Texas (4:19-cv-801, 11/4/2019)
  • New lawsuit in Texas federal court alleges violations of Securities Act, Computer Fraud and Abuse Act and common law claims in connection with hack leading to loss of millions of dollars in verge tokens,
  • Plaintiffs say that Verge creators and people listed in project “black paper” are part of common law general partnership

Link to Complaint 

Of all the things I’d like to be a part of, a common law general partnership is nowhere on the list. These nifty default organizational structures are what you get when you go into business with a bunch of people, hoping to make a buck (or a token) and don’t bother to attend to corporate formalities — because blockchain, man, or because you just didn’t bother. One of the problems with a common law general partnership is that you can end up jointly and severally liable for the stupid things your erstwhile and unintended partners do. Sounds like fun!

I’ve been waiting for a couple of years now for someone to file a lawsuit involving a crypto project where they argued that the so-called “ecosystem” is a general partnership and this seems to have finally happened. I refer to a new lawsuit involving the Verge cryptocurrency says specifically that “The Verge Crypto-Currency General Partnership (the “Partnership”) is a “common-law general partnership” of various persons listed in the Verge Black Paper who are engaged in the development and marketing of the Verge Crypto-Currency (the “Verge Coins”). The Partnership may be served through one its partners, Justin Valo, at [his street address], or wherever he may be found.”

Valo is one of the defendants as well, and was according to the Complaint one of the project’s prime movers. But interestingly, at least to me, given the general partnership allegation, if you were listed in the Black Paper, you could be in for an interesting ride, at least in theory.

This lawsuit weighs in at 21 pages and we have to slog through to page 11 before we finally get to the hack that seems to be the thing that got the lawsuit off the ground. Before we get there, the Complaint provides some background on the parties involved. A guy named Lawrence Ballou allegedly developed something called the CoinPouch virtual currency wallet and a bunch of LLCs that the complaint refers to as “The Touch Titan Entities”, which are in bankruptcy (the liquidation kind) in Texas bankruptcy court. The “Verge partnership”:

is in the business of developing, programming and marketing the use of Verge Coins — a crypto-currency, or virtual currency that makes use of blockchain technology. Like other crypto-currencies, Verge Coins depend on a combination of “private keys,” which are supposed to be known only to the owner of the virtual currency, and “public keys” which are visible in the public block chain ledger and used by the community for the virtual currency to validate the authenticity of transactions.

The Complaint says that Verge Coins were an unregistered security when sold to the plaintiffs, running through the Howey Test for allegations regarding the same. A John Doe defendant with an account at Bittrex allegedly stole a bunch of ‘em.

So, Ballou and “the Partnership” allegedly knew that the only safe way to store keys was on user devices and this is how CoinPouch was advertised — as a way to natively store keys on user devices. But the Verge Coin programming allegedly wouldn’t let Verge work this way so

[c]onfronted with this incompatibility, Ballou, Valo and the Partnership decided to use a client/server model involving a full Verge Coin blockchain database (the “Verge Node”) on a virtual private server hosted by Vultur for the Application ... The system architecture for the Application also involved an API hosted on a Heroku server that acted as an interface between the Verge Coin owners using the Application (the “Users”) and the Verge Node. Ballou, Valo and/or the Partnership intentionally, recklessly, or negligently designed this system architecture such that all User private keys were captured and stored on the Verge Node, and to surreptitiously require User transactions be executed on the Verge Node, rather than User private keys being stored on, and transactions executed on, the User’s device.

This design choice turns out, according to plaintiffs to have been a mistake and allegedly led to coins being swiped from plaintiffs' CoinPouch wallets.

The lawsuit includes a bunch of causes of action. Count I is for violation of the securities act for selling an unregistered security. Seems like this one might be time-barred, as (as far as I can tell) the sales happened more than a year ago. Count II is for violation of the Computer Fraud and Abuse Act. Of the alleged claims are interesting pleading, as they don’t allege unauthorized access but, rather, bad design that permitted someone else to authorize a system without access.

There’s a third CFAA allegation that might make it past a motion to dismiss, though, which is that “on information and belief, by accessing the Heroku server hosting the API, and/or the Vultur server hosting the Verge Node without authorization, falsifying the Plaintiffs’ account balances, and siphoning off their Verge Coins, the Doe Defendant knowingly and without authorization accessed a protected computer with the intent to defraud and obtained Plaintiffs’ valuable private keys.” (Information and belief means something like — and don’t @ me with civ pro corrections people — “we don’t actually know for sure, based on facts that we are aware of, but we’re making a guess based on circumstances “). There’s a third count for “conversion” against the John Doe defendant who allegedly took the crypto. This part of the lawsuit gives the plaintiffs the basis to serve a subpoena on Bittrex, where John Doe who allegedly stole the tokens sent ’em after the theft so maybe they can find out how did it. There’s a fourth count for “unjust enrichment” against John Does and the partnership and a fifth count for products liability.

The products liability claim is kinda interesting too. There’s a legal doctrine known as the economic loss doctrine that says (and I generalize) that a plaintiff can’t make products liability claim against a manufacturer for a product that destroys only harms itself, without causing damage to a person or other property. Your remedy in the no “other damage” context is a breach of contract claim. I’m not sure the products liability claim will work where the alleged loss is theft of private keys — there hasn’t actually been damage to a person or third party property. It’s also not entirely clear that a piece of software is a product for purposes of this sort of claim. This will be some interesting briefing, assuming anyone enters an appearance on behalf of the defendants.

Anyway -- there you have it, one day you're an ecosystem play, the next day you're an implied common law general partnership.


© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Stephen Palley is a partner in Washington, D.C. office of the Anderson Kill law firm, where he is a member of the firm's nationally recognized insurance recovery practice and chair's the firm's Technology, Media and Distributed Systems practice group. The opinions expressed are his alone, not those of past, present of future clients or employers, and are not intended as legal advice.