“OFAC sanctions liability is strict liability. If the exploiter who drained your protocol is later attributed to North Korea-linked actors --- as roughly two-thirds of H1 2026 hack losses were --- a negotiated "whitehat bounty" can itself be a prohibited transaction --- and OFAC's facilitator language reaches the lawyers, forensics firms, and insurers who structure it.”
On April 1, 2026, attackers drained roughly $285 million from Drift Protocol --- the second-largest crypto hack of the half-year, and one TRM Labs attributes to North Korea-linked actors.1 The class action that followed alleges that roughly $230 million of it moved as USDC, bridged from Solana to Ethereum over about eight hours, while the one company with a freeze button --- Circle, the USDC issuer --- did not press it.2 Those are the complaint’s allegations, not adjudicated facts. But the fact pattern is every founder’s next 72 hours.
If your protocol is the one that just got exploited, the decisions in front of you tonight are legal decisions wearing operational clothes. Whether to tweet a 10% “whitehat bounty” at the exploiter. Whether to bet on the stablecoin issuer freezing the funds. Whether to hire the forensics firm directly or through counsel. What to file, with whom, on what clock. What to say publicly. Each choice either preserves your position as a victim with live recovery options or starts converting you into an OFAC exposure and a civil defendant.
This playbook walks the first 72 hours in order, as of July 2026: the sanctions trap on bounty payments, the current state of the mixer law, the reporting matrix, the stablecoin-freeze fight now in litigation, realistic recovery mechanics, and your own defendant-side exposure.
Key Takeaways
- OFAC liability is strict liability. A negotiated bounty to an exploiter who is --- or is later attributed to be --- a sanctioned actor can itself be a sanctions violation, for the protocol and for the lawyers, forensics firms, and insurers who structure it.3
- Your reporting duties turn on what you are, not what you lost. Public companies face a four-business-day 8-K clock; registered advisers a 30-day Reg S-P clock; state breach statutes usually do not reach a bare fund theft with no personal information.456
- Do not count on the issuer freeze. Circle’s reported position is that it freezes USDC on legal process, not on a victim’s request --- the position now being tested in McCollum v. Circle. Engineer the lawful order instead: FBI referral, seizure warrant, TRO.2
- The mixer law flipped. Tornado Cash has not been OFAC-sanctioned since March 21, 2025 --- but other mixers remain designated, and the criminal money-transmission and AML track is very much alive.78
- Speed beats theory on recovery, and the odds are sobering. Freeze letters and John Doe process filed within days recover more than any cause of action filed later; of the Bybit hack’s roughly $1.4 billion (Bybit’s own accounting; Chainalysis records it at $1.5 billion), under 4% had been frozen two months on.9
What Must a Hacked Crypto Protocol Do in the First 72 Hours?
In the first 72 hours, a hacked protocol must contain and preserve, engage counsel before forensics, sanctions-screen every counterparty before any payment, triage four disclosure clocks, and move on recovery --- in that order, because each step forecloses the next.
Crypto incident response is the coordinated legal, forensic, and communications workstream that runs from exploit detection through containment, mandatory reporting, and asset recovery. More teams are running it than ever, with less money at stake per incident: TRM Labs counts $972 million stolen across 207 hacks in the first half of 2026 --- incident count up roughly 2.5x year over year while dollar losses fell 58% --- with a mean loss of $4.7 million but a median of only about $219,000.1
The median matters. The typical team facing this playbook is not a Bybit; it is a small protocol with no BigLaw retainer and about $219,000 gone. For 2025 context, Chainalysis put total stolen funds above $3.4 billion, dominated by the February 2025 Bybit hack it records at $1.5 billion.10
The sequence that works, hour by hour:
- Hours 0-6 --- contain and preserve. Pause what you can pause, secure the remaining keys and multisig, and preserve logs, transaction hashes, and wallet addresses as evidence.
- Hours 6-24 --- counsel first, then forensics through counsel. The Kovel privilege structure (explained below) has to be papered before the forensics firm starts writing things down. Run OFAC screening on every attacker address before anyone communicates an offer.
- Hours 24-48 --- insurer notice, law-enforcement liaison, freeze requests. Cyber and crime policies carry strict early-notice clauses; file the FBI IC3 complaint; send exchange freeze letters where funds are landing; start the law-enforcement referral that an issuer freeze ultimately requires.
- Hours 48-72 --- disclosure-clock triage and communications. Materiality analysis for any 8-K duty, Reg S-P and state-statute checks, and a public statement that says only what you have verified.
Can You Legally Pay the Hacker a Whitehat Bounty?
Sometimes --- but OFAC sanctions liability is strict liability, so a negotiated bounty to an exploiter who is, or is later attributed to be, a sanctioned actor can itself be a prohibited transaction, even if you did not know.
The strict-liability rule is not an aggressive reading; it is OFAC’s own stated position. The Treasury Department’s September 21, 2021 Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments warns that a person subject to U.S. jurisdiction can be held civilly liable for dealing with a sanctioned party even without knowing the counterparty was sanctioned, and OFAC’s Economic Sanctions Enforcement Guidelines codify that civil violations do not require knowledge or intent.311 The same advisory extends enforcement reach to facilitators --- in language reaching “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response” that negotiate or facilitate payments to sanctioned threat actors.3 Your lawyers, your forensics firm, and your insurer inherit the exposure with you.
Now the crypto-specific application, which no authority squarely holds and which we present as this firm’s analysis: attribution is retroactive, and strict liability has no knowledge element. North Korea’s Lazarus Group has been on the SDN List since September 2019, and once an exploiter is designated --- or attributed to a designated group --- the exploiter’s wallet is the exploiter’s own blocked property interest.12 TRM attributes roughly $643 million, about 66% of all H1 2026 hack losses, to DPRK-linked actors.1 In practice, attribution of a major exploit to a DPRK-linked group often follows within days. So the bounty you tweet at an unattributed exploiter tonight can turn out to have been a completed prohibited transaction the moment you paid it --- you just learn that on Thursday, when the attribution report publishes. One precision point that matters: OFAC’s 50 Percent Rule blocks entities owned 50% or more, in the aggregate, by blocked persons --- it speaks to ownership, not control --- so the analysis runs through the SDN’s own property interest in its wallet, not through ownership aggregation.13
Screen before you pay. Attribution is retroactive, and strict liability does not care what you knew.
None of this makes every bounty illegal, and saying so would overstate the law. The mitigation posture that OFAC’s own enforcement guidelines reward: SDN and 50 Percent Rule screening on every counterparty address before any offer, documented attribution diligence, and self-initiated, complete, and ongoing cooperation with law enforcement --- which the 2021 advisory treats as a significant mitigating factor.311 If the incident later draws an agency letter, that record is also the spine of the defense; see our guide to SEC crypto enforcement defense.
If you are considering any negotiated payment to an exploiter --- screen every address first, paper the diligence, and loop in law enforcement before the offer goes out, because you cannot un-pay a designated actor.
Is Tornado Cash Still Sanctioned in 2026 --- and Does Mixer Routing Still Create Exposure?
No --- OFAC delisted Tornado Cash on March 21, 2025, after the Fifth Circuit’s Van Loon ruling, and no re-designation has followed. But mixer exposure survives: other mixers remain designated, and the developers’ criminal exposure outlived the delisting.
A mixer (or tumbler) is a service or smart contract that pools and re-routes crypto deposits to break the on-chain link between source and destination addresses. When your stolen funds route through one --- and in a DPRK-attributed exploit they will --- the legal significance changed materially between 2022 and today. In Van Loon v. Department of the Treasury, the Fifth Circuit held in November 2024 that Tornado Cash’s immutable smart contracts are not “property” of a foreign national or entity under IEEPA, so OFAC exceeded its statutory authority in sanctioning them.14 OFAC removed Tornado Cash from the SDN List on March 21, 2025, and as of July 2026 has not re-designated it.7
The criminal track is separate, and it did not close. Roman Storm, a Tornado Cash developer, was convicted on August 6, 2025 in the Southern District of New York of one count of conspiracy to operate an unlicensed money-transmitting business under 18 U.S.C. Section 1960, with the jury deadlocked on the money-laundering and sanctions-conspiracy counts.8 That conviction is not final: Storm’s Rule 29 motion for judgment of acquittal was argued before Judge Failla on April 9, 2026 and remained undecided as of mid-2026, and the government has proposed an October 2026 retrial on the deadlocked counts. So developer-liability conclusions in this space rest on the government’s surviving Section 1960 theory --- itself under acquittal challenge --- not on settled law. Two more reasons mixer routing is not safe: OFAC’s designations of other mixers, including Blender.io (2022) and Sinbad.io (2023), were never disturbed, and FinCEN’s October 2023 proposed rule would designate convertible-virtual-currency mixing a primary money-laundering concern under Section 311 of the USA PATRIOT Act, 31 U.S.C. Section 5318A.15 Roman Semenov, Storm’s co-founder, is reported to remain individually designated under the DPRK program --- the delisted-mixer, still-listed-developer nuance most summaries miss.16
| Mixer exposure | 2022-2024 (what most articles still say) | As of July 2026 (current law) |
|---|---|---|
| OFAC status of Tornado Cash | Sanctioned (August 2022 designation) | Delisted March 21, 2025; no re-designation7 |
| Sanctionability of immutable contracts | Assumed | Rejected --- not IEEPA “property” (Van Loon, 5th Cir. 2024)14 |
| Other mixers | Blender.io, Sinbad.io designated | Still designated15 |
| Developer criminal exposure | Charges pending | Section 1960 conviction (Aug. 6, 2025), non-final; Rule 29 sub judice; retrial sought on deadlocked counts8 |
| AML posture | FinCEN Section 311 mixing NPRM proposed (Oct. 2023) | NPRM outstanding; mixing remains a flagged typology15 |
The 2025 enforcement retreat never reached the theories that matter here. As of July 17, 2026, nine of the twelve registration-theory matters in Astraea Counsel’s 18-action crypto enforcement tracker (2024-2026) ended in dismissal or a closed investigation with zero monetary recovery --- while not one of the six fraud-, AML-, or sanctions-theory matters was dropped.17 The theories that reach a hacked protocol’s conduct --- fraud, money transmission, money laundering --- are exactly the ones that never moved.
Mixer routing is evidence and exposure to manage, not a dead end: it is not per-se sanctioned, and it is not per-se safe.
Which Reports Must You File After a Crypto Hack, and on What Clocks?
It depends on what you are, not what you lost: public companies face a four-business-day 8-K clock, registered advisers a 30-day Reg S-P clock, state breach statutes turn on personal-information exposure, and SAR duties attach only to BSA institutions.
The matrix below --- the Astraea 72-Hour Exposure Matrix --- maps each attack type to its reporting duties, sanctions risk, recovery paths, and the characteristic 72-hour mistake. Dated statistics carry their source in-cell; rows without a published H1-2026 figure reflect practice observation and say so.
<a id="exposure-matrix"></a>
| Attack type | Incident profile (dated where data exist) | Reporting duties triggered | OFAC / sanctions risk | Primary recovery paths | The 72-hour trap |
|---|---|---|---|---|---|
| Infrastructure / key compromise (incl. DPRK) | ~15% of H1 2026 incidents but ~76% of dollar losses (TRM, July 2026)1; private-key compromise was 43.8% of funds stolen in 2024 (Chainalysis, Jan. 2025)18 | 8-K Item 1.05 if public and material; Reg S-P if registered adviser; Cal. Civ. Code Section 1798.82 usually NOT triggered by bare key theft (no PII) | HIGHEST --- DPRK attribution often follows within days; any bounty or negotiation is strict-liability exposure | Law-enforcement-routed issuer freeze (USDC) + exchange freeze letters + tracing affidavits within days; expect low recovery once DPRK-linked funds move | Offering a bounty before attribution --- retroactive Lazarus attribution converts it into a prohibited dealing |
| Smart-contract logic exploit (unattributed) | Majority of incident count; median loss ~$219K (TRM, July 2026)1 | Same materiality analysis; usually no PII, so no state breach notice | MODERATE --- screen every negotiation address against the SDN List before contact | Whitehat negotiation viable IF screened; on-chain monitoring for exchange deposits, then freeze letter + John Doe subpoena | Public root-cause speculation that becomes the negligence complaint’s Exhibit A |
| Phishing / social-engineering wallet drain | $366.3M across 63 incidents in H1 2026, per an aggregator tally (0xTeam/CryptoRank, July 2026)19 | Materiality analysis; state breach statutes IF credentials/PII taken; Reg S-P if adviser customer data touched | Varies with attribution; screening still mandatory | Exchange freeze letters + KYC John Doe subpoenas; identity often reachable because funds hit custodial off-ramps | Treating it as a user problem --- drained team wallets and signer credentials are protocol incidents |
| Stablecoin-heavy drain (USDC/USDT proceeds) | Drift (Apr. 1, 2026): complaint alleges ~$230M in USDC bridged Solana-to-Ethereum over ~8 hours (allegations, unadjudicated)2 | Same materiality analysis; issuer relationship may add contractual notice terms | Varies with attribution; screening still mandatory before any negotiated return | Issuer freeze --- but expect Circle’s legal-process-only posture; obtain the lawful order (seizure warrant / TRO), do not just send a letter | Assuming the issuer will freeze on your email while the funds bridge out (the McCollum fact pattern) |
| Ransomware / extortion with data exfiltration | Extortion overlay on custodial or corporate systems (no clean H1-2026 protocol-sector share published; practice observation) | 8-K Item 1.05 (public); state breach statutes (PII taken); SAR if BSA institution; possible Reg S-P | HIGH --- the OFAC ransomware advisory is directly on point; facilitators (counsel, IR firm, insurer) share exposure3 | Payment rarely recovers data; law-enforcement coordination is an OFAC mitigating factor | The attacker weaponizing your own disclosure clock mid-negotiation |
| Insider / rogue multisig signer | Governance-layer compromise (no published incident-share statistic; practice observation) | Materiality analysis; possible Reg S-P; contractual and DAO-constitution notice duties | LOW on sanctions; HIGH on fiduciary exposure | CFAA civil claim; conversion / constructive trust; identity known, so direct suit + asset freeze | Calling it a “hack” publicly when it is an insider event --- misstatements compound fiduciary claims |
Walking the clocks. The SEC clocks --- the 8-K trigger and the advisers’ Reg S-P notice duty --- get their own section below. The state-law analysis is the one founders most often get backwards, so state it precisely: under California Civil Code Section 1798.82, notice runs to California residents whose unencrypted “personal information” was acquired --- defined as name plus a data element, or a username or email address with a password or security answer --- and the statute now carries a 30-day notification clock.6 The counterintuitive consequence: a stolen signing key triggers consumer notice only if statutory “personal information” was also acquired --- a bare protocol-fund theft with no resident PII does not, by itself, require breach notice.
Suspicious-activity reports are narrower still: the SAR duty under 31 C.F.R. Section 1022.320 attaches to money services businesses and other BSA financial institutions --- reported thresholds of $2,000 for MSBs --- and a pure DeFi protocol is usually not an MSB, though an affiliated custodial or exchange entity may be.20 File the FBI IC3 complaint regardless: it costs nothing, creates the official record, and opens the seizure path. The IC3 logged $9.3 billion in crypto-related fraud losses in 2024, up 66% year over year, across roughly 150,000 complaints.21
For protocols with an EU nexus, DORA’s ICT-incident reporting regime and MiCA can impose parallel European clocks --- run that analysis separately.22
Derivatives-touching protocols should also check the CFTC’s posture in our CFTC crypto enforcement tracker.
If you are triaging disclosure duties tonight --- classify yourself first (public company, adviser, BSA institution, none of the above), because the classification, not the loss size, dictates every clock you are on.
Does a Protocol Exploit Trigger the SEC’s Four-Business-Day 8-K Clock?
Only if you are an SEC reporting company and the incident is material --- the four business days run from your materiality determination, not from the hack. As of July 2026, Item 1.05 remains in force despite a pending industry rescission petition.
Form 8-K Item 1.05, adopted July 26, 2023 with a December 18, 2023 compliance date, requires a reporting company to disclose a material cybersecurity incident within four business days of determining the incident is material --- describing its nature, scope, timing, and material impact --- with Regulation S-K Item 106 carrying the companion periodic disclosures.4 The Division of Corporation Finance’s May 21, 2024 statement (Director Erik Gerding) told companies not to file non-material or undetermined incidents under Item 1.05, routing voluntary disclosure to Item 8.01 instead --- which makes the materiality determination itself the legally significant act in your first 72 hours.23 The deregulatory wave has not touched this rule: the SEC withdrew its outstanding proposed cyber rulemakings --- including the adviser and broker-dealer cybersecurity risk-management proposals --- on June 12, 2025 while leaving Item 1.05 intact, and the five-association rescission petition (SIFMA, ABA, BPI, ICBA, IIB; SEC File petn4-856, submitted late May 2025) plus a January 2026 Reg S-K comment sweep remain pending without Commission action.2425
The uncomfortable insight: your disclosure clock is attacker leverage. In a widely reported November 2023 episode, the AlphV/BlackCat ransomware crew filed an SEC complaint against its own victim, MeridianLink, for not disclosing the breach --- weaponizing the disclosure regime mid-extortion.26 Assume the attacker reads the SEC rulebook too, and sequence your materiality analysis so a mid-negotiation regulatory complaint finds you already in compliance.
The other SEC clock belongs to registered investment advisers and broker-dealers: the May 16, 2024 amendments to Regulation S-P require covered institutions to notify affected customers of a breach of sensitive customer information as soon as practicable, and no later than 30 days after becoming aware of it --- and the compliance date for smaller entities landed June 3, 2026, so as of this summer every registered adviser is on that hook, not just the large firms that came online December 3, 2025.5 A crypto fund adviser whose hack touched investor records now owes customer notice on a federal clock even where no state statute is triggered.
Start the materiality analysis in hour one and timestamp the determination --- for a reporting company (or its acquirer, custodian, or listed partner), the four business days run from that moment, and regulators will ask for it.
Will Circle Freeze the Stolen USDC --- and Can You Sue If It Doesn’t?
Do not count on it. Circle’s reported position is that it freezes USDC only on a court order or equivalent legal directive --- the position now on trial in McCollum v. Circle.
The complaint in that case, a proposed class action in the District of Massachusetts arising from the Drift exploit, alleges that attackers spent roughly eight hours bridging about $230 million of stolen Solana-based USDC to Ethereum through Circle’s Cross-Chain Transfer Protocol, that Circle had the technical and contractual authority to freeze the funds in transit, that it had frozen USDC wallets before, and that it did not act --- pleaded as negligence and aiding and abetting conversion.2 Every one of those statements is an allegation, not a finding; Circle has not been adjudicated to have done anything wrong, and this firm is not involved in the case. But the mid-incident lesson does not depend on the outcome: for eight alleged hours, the only party with a freeze button was one no victim controlled.
A stablecoin freeze is the issuer’s exercise of a smart-contract blocklist function that prevents specified addresses from transferring the token --- a power centralized issuers hold even when the stolen asset sits in a hacker’s wallet. What triggers it is the contested question. Press coverage characterizes Circle’s freeze policy as court-order-only, but Circle has never published a first-person statement of the policy, and its own documented conduct complicates the paraphrase: in August 2022 it froze Tornado Cash-linked USDC addresses immediately on the OFAC designation, no court order in sight. The accurate general statement is that Circle acts on legal process --- sanctions listings and court orders --- rather than on a victim’s request, and it has frozen without a prior court order where a government act supplied the trigger.
The GENIUS Act (Pub. L. No. 119-27, signed July 18, 2025) sharpens the structure without resolving it. The Act requires permitted payment stablecoin issuers to have the technical capability to seize, freeze, or burn payment stablecoins and to comply with lawful orders --- and in our reading, that arms the freeze lever while reserving the trigger for courts and agencies: it mandates the capability to freeze on lawful order, not a freestanding duty to freeze at a private victim’s request.27 McCollum tests whether tort law fills that gap. A proposed FinCEN/OFAC rule published April 10, 2026 would layer formal sanctions-compliance program requirements onto permitted issuers, keeping issuer freeze mechanics squarely in regulatory play.28
The practical move for the 72-hour window follows directly, and it is the opposite of what most teams do: do not spend day one begging the issuer by email. Engineer the lawful order the issuer says it needs --- the FBI/IC3 referral that opens a seizure-warrant path, or a temporary restraining order freezing the identified addresses. You are not asking Circle for a favor; you are manufacturing the legal trigger its stated posture responds to. For what the Act requires of issuers themselves, see the GENIUS Act stablecoin compliance roadmap.
The bare email to the issuer is the move the McCollum plaintiffs allege did not work; the seizure warrant or TRO is the trigger Circle’s stated posture actually answers.
What Are Your Realistic Options for Recovering Stolen Crypto?
Speed beats theory: emergency exchange freeze letters, John Doe subpoenas for KYC identity, and tracing affidavits filed within days recover more than any cause of action filed later. Set expectations honestly --- most DPRK-taken funds are never recovered.
| Recovery path | Speed | What it gets you | Prerequisites | Cost profile |
|---|---|---|---|---|
| Exchange freeze letter | Hours-days | Administrative hold on funds hitting a custodial exchange | Tracing to a deposit address; exchange with a compliance desk | Low |
| Issuer freeze via law enforcement (USDC) | Days | Blocklisting of identified addresses | The lawful order: IC3 referral, seizure warrant, or TRO | Low-moderate |
| John Doe subpoena / expedited discovery | Days-weeks | KYC identity behind the deposit address | A filed civil action; court order for early discovery | Moderate |
| Civil suit (conversion, unjust enrichment, constructive trust) + asset freeze | Weeks | Judgment, tracing remedies, TRO over traced assets | Identifiable defendant or Doe pleading; tracing evidence | High |
| CFAA civil claim, 18 U.S.C. Section 1030(g)29 | Weeks | Federal question jurisdiction; compensatory damages | Qualifying loss (reported $5,000 statutory threshold) | High |
| FBI/IC3 seizure | Weeks-months | Government seizure and eventual return of forfeited funds | IC3 complaint; traceable funds at a cooperative venue | Low to file |
| MLAT / cross-border process | Months-years | Foreign-held evidence and assets | Government-to-government request; patience | High, slow |
The U.S. courts will move fast when you bring them tracing evidence fast. In Astrove v. Doe, No. 9:22-cv-80614 (S.D. Fla. 2022), a theft victim filed against an unidentified defendant on April 20, 2022, and the court entered a temporary restraining order freezing the assets two days later --- roughly $1.4 million in stolen crypto had been traced to an exchange, the court authorized expedited discovery to identify the anonymous defendant, and the claims included constructive trust.30 That is the template: trace, file against Doe, freeze, then unmask through the exchange’s KYC file. English law supplies the doctrinal confirmation with an honest warning attached: in D’Aloia v. Persons Unknown [2024] EWHC 2342 (Ch) (12 September 2024), the High Court held that USDT is a distinct form of property capable of being traced --- and the claim against the exchange still failed because the claimant’s tracing evidence did not carry his funds to the identified wallet.31 Doctrine was not the problem; evidence was. Persuasive authority only in a U.S. court, but the operational lesson is jurisdiction-proof.
Now the honest odds. Two months after the February 2025 Bybit hack --- $1.5 billion per Chainalysis; $1.4 billion by Bybit’s own accounting --- Bybit CEO Ben Zhou put the split at roughly 68.6% still traceable, about 27.6% gone dark (roughly $386 million), and only about 3.8% actually frozen.9 That is the best-resourced victim in the industry’s history, moving immediately, against DPRK-grade laundering --- and two months in, it had frozen under 4%. Your median $219,000 exploit will not beat that ratio on a passive strategy, which is why the table above is ordered by speed. And one warning the FBI thought worth its own 2025 alert: fictitious “crypto recovery law firm” operations now target hack victims for a second round of theft.32 Verify any firm’s bar admission, and treat guaranteed-recovery promises as the tell --- no honest lawyer makes them. When the counterparty holding your assets fails outright, the fight moves to a different forum; see what FTX taught creditors about recovering assets in crypto bankruptcy.
If recovery matters to you --- spend the first 72 hours on freeze letters, the IC3 referral, and preserved tracing evidence, because every recovery path in the table gets weaker by the day and none of them improves with a better legal theory later.
Can the Protocol Itself Be Sued After the Hack?
Yes --- and so can your infrastructure. The first major class action after 2026’s biggest hacks named Circle, the stablecoin issuer, not the hacked protocol; protocol-side negligence, multisig-fiduciary, and DAO-oversight theories are circulating but remain untested.
The defendant-selection lesson in McCollum is the insight: plaintiffs went first for the deep pocket with the freeze button.2 But the statistic that should worry protocol teams is the one from the Exposure Matrix above --- infrastructure and key-management failures were roughly 15% of H1 2026 incidents and roughly 76% of dollar losses.1 Key management is a controllable failure, and a controllable failure that causes the loss is exactly what a negligence plaintiff pleads. Commentary after Drift made the plaintiff-side framing explicit --- an April 2026 Forbes piece argued the hack proved DeFi’s decentralization promise “is still a fiction,” which is another way of saying someone identifiable was in control.33
The protocol-side theories are, for now, this firm’s forward-looking analysis rather than holdings --- no court has yet imposed them, and precision requires saying so. Three are circulating: ordinary negligence against the protocol team for key-management and upgrade-governance failures; fiduciary theories against multisig signers who control user funds; and an imported Caremark theory against DAO stewards. A Caremark claim is a Delaware oversight-liability theory holding directors personally liable for failing to implement or monitor reporting systems34 --- the open question is whether tokenholders can import it against DAO stewards and multisig signers; the doctrine’s current shape is mapped in our analysis of Caremark oversight duties.
Whichever theory arrives, its evidence is being written now. Every 72-hour choice --- the bounty tweet, the “funds are safe” post, the un-privileged forensics report --- is the discovery record in the later suit. The plaintiffs sued the issuer first; the protocol’s own record decides whether it is next. And the private bar is not waiting for regulators --- the McCollum posture is precisely private crypto litigation when the SEC won’t act.
If your protocol holds user funds behind a multisig --- assume a plaintiff’s lawyer will one day narrate your first 72 hours to a jury, and generate the record you would want read aloud.
How Do You Keep the Forensic Investigation Privileged?
Engage forensics through counsel, scoped to legal advice --- the Kovel structure. Privilege turns on the primary-purpose test: a report that would exist anyway in the ordinary course of business is usually discoverable, however it was papered.
A Kovel engagement is the retention of a non-lawyer expert by counsel --- not by the client --- so the expert’s work is performed to assist the lawyer in giving legal advice and can fall within the attorney-client privilege, a doctrine the Second Circuit established in United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).35 Courts scrutinize the substance, not the paperwork: in the Capital One data-breach litigation, the court ordered production of a Mandiant incident-response report despite its engagement through outside counsel, because the work was materially the same as what the pre-existing business relationship would have produced anyway.36 The structuring that survives that test: counsel signs the engagement, the scope recites legal advice in anticipation of litigation, the incident report is separated from the remediation workstream, distribution is controlled to a legal-advice audience, and the invoices do not read like routine security services.37
Calibration matters: the Kovel structure is a strong best practice, not a guarantee, and calling it mandatory would overstate the law --- courts apply the primary-purpose test fact-specifically, and a well-papered engagement can still lose on substance. But an un-papered one almost always does.
If the forensics firm has not started yet --- route the engagement through counsel today, because privilege is decided by how the work begins, not how it is labeled later.
What Should You Say Publicly in the First 72 Hours?
Say what you verified, on advice of counsel, and nothing more. Premature statements about cause, loss size, “funds are safe,” or decentralization become admissions on negligence, materiality, and fiduciary exposure --- and can start disclosure clocks.
| Say | Never say (in the first 72 hours) |
|---|---|
| An incident occurred and is confirmed | The root cause --- before forensics concludes |
| An investigation is underway with outside counsel and forensics engaged | A dollar figure --- before reconciliation is complete |
| Law enforcement has been notified | ”All funds are safe” --- the phrase that headlines the complaint if any turn out not to be |
| A channel exists for affected users | Decentralization claims that contradict your multisig reality |
| A follow-up timing commitment you can keep | Anything about the exploiter’s identity before attribution |
Each “never” column entry maps to a section above. The root-cause speculation is the negligence complaint’s Exhibit A. The dollar figure feeds the materiality analysis whether you intended it to or not --- a public loss estimate is evidence you had determined the incident’s significance, and the four-business-day clock runs from the materiality determination. The “funds are safe” post is the misstatement claim. And the audience is not just your users: as the MeridianLink episode showed, the attacker reads your statements and your filings, and can weaponize both mid-negotiation.26 Remember which enforcement theories survived the 2025 retreat --- fraud and misstatement, not registration. Your public statements are the surface those theories attach to.
If you are drafting the incident tweet right now --- have counsel read it against the disclosure clocks and the negligence theories first, because it is the cheapest document you will ever put in front of a jury.
The 72-Hour Recap
Contain and preserve. Counsel before forensics, and forensics through counsel. Screen every address before any offer, because OFAC liability is strict and attribution is retroactive. Classify yourself --- public company, adviser, BSA institution --- and run the clocks that classification triggers. Engineer the lawful order for the issuer freeze instead of emailing for a favor. Send the freeze letters and file the IC3 complaint while the funds are still traceable. Say only what you verified. The Exposure Matrix above compresses the whole sequence into one table; it is written to be used at hour zero, not after.
Astraea Counsel advises protocols, funds, and digital-asset companies on incident response, sanctions exposure, and regulatory strategy --- including in the hours when these decisions cannot wait for a memo. If your protocol is mid-incident, the highest-value step is getting counsel into the sequence before the first payment, filing, or public statement, not after.
Related Resources
- Crypto Enforcement Tracker (2024-2026): SEC and CFTC Actions and the Atkins Reversal
- SEC Crypto Enforcement Defense: Responding to a Wells Notice
- When the SEC Won’t Act: Crypto Private Litigation Risk
- GENIUS Act Stablecoin Compliance Roadmap
- Recovering Assets in Crypto Bankruptcy: FTX Lessons
- Caremark Duties in the Age of Managed Agents
This article provides general information for educational purposes only and does not constitute legal advice. Digital-asset and cybersecurity regulation is evolving rapidly, and several matters discussed --- including United States v. Storm and McCollum v. Circle --- are pending and unresolved. Consult qualified legal counsel for advice on your specific situation. Attorney Advertising.
Footnotes
-
TRM Labs, “H1 2026 Crypto Hacks Reach Record High as Losses Fall Below $1 Billion” (July 2026), available at https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion. Reports $972 million stolen across 207 incidents in H1 2026; DPRK-linked actors ~$643 million (~66% of losses); infrastructure attacks ~15% of incidents and ~76% of losses; Drift Protocol ~$285 million (Apr. 1, 2026, DPRK-attributed); mean loss $4.7 million, median ~$219,000. Re-verify each figure against the live report at press; The Block/PeckShield report a lower ”>$750M” YTD tally under a different methodology. ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
McCollum v. Circle Internet Group, Inc., No. 1:26-cv-11733 (D. Mass., filed Apr. 14, 2026), Dkt. 1 (complaint), available at https://storage.courtlistener.com/recap/gov.uscourts.mad.299014/gov.uscourts.mad.299014.1.0.pdf. Allegations as reported in Liam Kelly, “Drift user sues Circle for inaction in biggest hack of 2026,” DL News (Apr. 2026), available at https://www.dlnews.com/articles/regulation/drift-user-sues-circle-for-inaction-in-biggest-hack-of-2026/. All characterizations are the complaint’s allegations, not adjudicated facts. ↩ ↩2 ↩3 ↩4 ↩5
-
U.S. Department of the Treasury, Office of Foreign Assets Control, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (Sept. 21, 2021), available at https://ofac.treasury.gov/media/912981/download. ↩ ↩2 ↩3 ↩4 ↩5
-
Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216, 34-97989, 88 Fed. Reg. 51,896 (Aug. 4, 2023) (adopted July 26, 2023; effective Sept. 5, 2023; Form 8-K Item 1.05 compliance date Dec. 18, 2023; Regulation S-K Item 106), compliance guide available at https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/cybersecurity-risk-management-strategy-governance-incident-disclosure. ↩ ↩2
-
Securities and Exchange Commission, Regulation S-P amendments (adopted May 16, 2024) (30-day customer notification; compliance dates Dec. 3, 2025 for larger entities and June 3, 2026 for smaller entities); see FINRA, “SEC Regulation S-P Compliance Date Reminder” (Nov. 2025), available at https://www.finra.org/rules-guidance/guidance/sec-regulation-s-p-compliance-date-reminder-20251114. ↩ ↩2
-
Cal. Civ. Code Section 1798.82, available at https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82. ↩ ↩2
-
U.S. Department of the Treasury, “Tornado Cash Delisting” (Mar. 21, 2025), available at https://home.treasury.gov/news/press-releases/sb0057. ↩ ↩2 ↩3
-
United States v. Storm, No. 1:23-cr-00430 (S.D.N.Y.); U.S. Attorney’s Office, S.D.N.Y., Press Release No. 25-179, “Founder Of Tornado Cash Crypto Mixing Service Convicted Of Knowingly Transmitting Criminal Proceeds” (Aug. 6, 2025) (conviction on one count of conspiracy to operate an unlicensed money transmitting business), available at https://www.justice.gov/usao-sdny/pr/founder-tornado-cash-crypto-mixing-service-convicted-knowingly-transmitting-criminal; jury deadlock on the money-laundering and sanctions-conspiracy counts per CoinDesk, “Roman Storm Guilty of Unlicensed Money Transmitting Conspiracy in Partial Verdict” (Aug. 6, 2025), available at https://www.coindesk.com/policy/2025/08/06/roman-storm-guilty-of-unlicensed-money-transmitting-conspiracy-in-partial-verdict. Rule 29 posture per contemporaneous reporting, Crypto Valley Journal (Apr. 9, 2026), and the S.D.N.Y. docket through June 16, 2026 (Dkt. 230, 242, 295). ↩ ↩2 ↩3
-
Omkar Godbole, “Over $380M Worth of Crypto Stolen During Bybit’s $1.4B Hack Has ‘Gone Dark,’” CoinDesk (Apr. 21, 2025) (Ben Zhou figures: ~68.57% traceable,
27.59% gone dark ($386 million), ~3.84% frozen), available at https://www.coindesk.com/markets/2025/04/21/over-usd380m-worth-of-crypto-stolen-during-bybit-s-usd1-4b-hack-has-gone-dark. ↩ ↩2 -
Chainalysis, “Crypto Hacking Stolen Funds 2026 Update” (2026), available at https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/. Reports over $3.4 billion stolen in 2025; the Bybit hack (Feb. 21, 2025) at $1.5 billion; personal-wallet compromises
20% of 2025 stolen value ($713 million). ↩ -
OFAC Economic Sanctions Enforcement Guidelines, 31 C.F.R. Part 501, Appendix A, available at https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/part-501/appendix-Appendix%20A%20to%20Part%20501. ↩ ↩2
-
U.S. Department of the Treasury, “Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups” (Sept. 2019) (designating Lazarus Group), available at https://home.treasury.gov/news/press-releases/sm774. ↩
-
OFAC, Frequently Asked Question 398 (Entities Owned by Blocked Persons (50 Percent Rule); FAQ date released Aug. 11, 2020), available at https://ofac.treasury.gov/faqs/398. ↩
-
Van Loon v. Department of the Treasury, No. 23-50669 (5th Cir. Nov. 26, 2024), available at https://www.ca5.uscourts.gov/opinions/pub/23/23-50669-CV0.pdf. ↩ ↩2
-
U.S. Department of the Treasury, “U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats” (Blender.io designation) (May 6, 2022), available at https://home.treasury.gov/news/press-releases/jy0768; U.S. Department of the Treasury, “Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency” (Sinbad.io designation) (Nov. 29, 2023), available at https://home.treasury.gov/news/press-releases/jy1933; Financial Crimes Enforcement Network, Proposal of Special Measure Regarding Convertible Virtual Currency Mixing as a Class of Transactions of Primary Money Laundering Concern, 88 Fed. Reg. 72,701 (Oct. 23, 2023) (confirm no final rule at press). ↩ ↩2 ↩3
-
OFAC Specially Designated Nationals List, Roman Semenov (designated Aug. 2023, DPRK-related program), searchable at https://sanctionssearch.ofac.treas.gov (confirm current listing status at press). ↩
-
Astraea Counsel analysis of the 18 SEC, CFTC, and DOJ matters compiled in the firm’s Crypto Enforcement Tracker (2024-2026), as of July 17, 2026, available at https://astraea.law/insights/crypto-enforcement-tracker-2026. Re-verify the 9-of-12 and 6-of-6 counts against the live tracker at publication. ↩
-
Chainalysis, “2025 Crypto Crime Report: Introduction” (Jan. 15, 2025) (“Private key compromises accounted for the largest share (43.8%) of stolen crypto in 2024”; $2.2 billion total stolen in 2024), available at https://www.chainalysis.com/blog/2025-crypto-crime-report-introduction/. ↩
-
0xTeam / CryptoRank, “H1 2026 Hacks Report” (July 8, 2026) (aggregator estimate: phishing $366.3 million across 63 incidents in H1 2026), available at https://0xteam.space/blog/h1-2026-hacks-report. Aggregator data; cross-check against a Chainalysis or PeckShield primary before relying. ↩
-
31 C.F.R. Section 1022.320 (suspicious-activity reporting by money services businesses); Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FIN-2021-A004 (Nov. 8, 2021), available at https://www.fincen.gov/system/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf. ↩
-
Federal Bureau of Investigation, Internet Crime Complaint Center, 2024 Internet Crime Report (2025) (~$9.3 billion in cryptocurrency-related fraud losses, up 66% year over year, ~150,000 complaints), available at https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf. ↩
-
Regulation (EU) 2022/2554 (Digital Operational Resilience Act) (ICT-incident reporting); Regulation (EU) 2023/1114 (Markets in Crypto-Assets), available at https://eur-lex.europa.eu (exact reporting clocks omitted pending verification). ↩
-
Erik Gerding, Director, Division of Corporation Finance, Securities and Exchange Commission, “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents” (May 21, 2024), available at https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-incidents-05212024. ↩
-
Securities and Exchange Commission, Withdrawal of Proposed Regulatory Actions, 90 Fed. Reg. 25,531 (June 17, 2025) (notice dated June 12, 2025, withdrawing, among others, the investment-adviser and broker-dealer cybersecurity risk-management rule proposals), available at https://www.federalregister.gov/documents/2025/06/17/2025-11110/withdrawal-of-proposed-regulatory-actions; see also Inside Cybersecurity, “SEC withdraws three proposed cyber rulemakings, keeps finalized incident disclosure” (June 2025), available at https://insidecybersecurity.com/daily-news/sec-withdraws-three-proposed-cyber-rulemakings-keeps-finalized-incident-disclosure. ↩
-
SIFMA, American Bankers Association, Bank Policy Institute, Independent Community Bankers of America, and Institute of International Bankers, Joint Petition for Rulemaking to Amend the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules, SEC File petn4-856 (May 2025), available at https://www.sec.gov/rules-regulations/2025/05/joint-petition-rulemaking-amend-sec-cybersecurity-risk-management-strategy-governance-incident. ↩
-
Contemporaneous reporting on the AlphV/BlackCat SEC complaint against MeridianLink (Nov. 2023) (confirm every detail against primary reporting before publication, or cut per plan ledger item 7). ↩ ↩2
-
GENIUS Act, Pub. L. No. 119-27, Secs. 2(a)(16), 4(a)(6)(B), 139 Stat. 419, 421, 430 (signed July 18, 2025), available at https://www.govinfo.gov/content/pkg/PLAW-119publ27/html/PLAW-119publ27.htm. ↩
-
Financial Crimes Enforcement Network and Office of Foreign Assets Control, Permitted Payment Stablecoin Issuer Anti-Money Laundering/Countering the Financing of Terrorism and Sanctions Compliance Program Requirements (proposed rule), 91 Fed. Reg. (Apr. 10, 2026) (Doc. 2026-06963), available at https://www.federalregister.gov/documents/2026/04/10/2026-06963/permitted-payment-stablecoin-issuer-anti-money-launderingcountering-the-financing-of-terrorism. ↩
-
18 U.S.C. Section 1030(g) (Computer Fraud and Abuse Act, civil action) (confirm current civil-standing scope and loss-threshold application at cite-check). ↩
-
Astrove v. Doe, No. 9:22-cv-80614-RAR (S.D. Fla. filed Apr. 20, 2022; temporary restraining order entered Apr. 22, 2022) (docket details per secondary sources; confirm the order text and reporter citation before relying). ↩
-
D’Aloia v. Persons Unknown & Others [2024] EWHC 2342 (Ch) (12 September 2024), available at https://knyvet.bailii.org/ew/cases/EWHC/Ch/2024/2342.html. ↩
-
Federal Bureau of Investigation, alert on fictitious law firms targeting cryptocurrency scam victims while offering to recover funds (2025), available at https://www.fbi.gov/investigate/cyber/alerts/2025/fictitious-law-firms-targeting-cryptocurrency-scam-victims-combine-multiple-exploitation-tactics-while-offering-to-recover-funds. ↩
-
Jemma Green, “$285 Million Hack Proved DeFi’s Decentralization Promise Is Still A Fiction,” Forbes (Apr. 11, 2026), available at https://www.forbes.com/sites/jemmagreen/2026/04/11/285m-hack-proved-defis-decentralisation-promise-is-still-a-fiction/ (commentary, not authority). ↩
-
In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). ↩
-
United States v. Kovel, 296 F.2d 918 (2d Cir. 1961). ↩
-
In re Capital One Consumer Data Security Breach Litigation, No. 1:19-md-02915 (E.D. Va. May 26, 2020) (Dkt. 490) (order compelling production of Mandiant incident-response report), available at https://storage.courtlistener.com/recap/gov.uscourts.vaed.456165/gov.uscourts.vaed.456165.490.0.pdf. ↩
-
See Debevoise & Plimpton, Data Blog, “Protecting Privilege in Incident Response: Litigation Lessons” (Sept. 15, 2025), available at https://www.debevoisedatablog.com/2025/09/15/protecting-privilege-in-incident-response-litigation-lessons/. ↩