May 2, 2022

PRESS RELEASE: Victims of $55 Million Dollar Crypto Hack Fight Back With Novel Lawsuit Against bZx DAO And Partners

SAN DIEGO, CA—Fourteen victims of a November 2021 hack of the DeFi platform known as bZx have filed a first-of-its-kind lawsuit in federal court seeking return of their funds. The lawsuit is believed to be the first ever to attempt to hold a DAO, its founders, and its investors liable in court for return of funds lost in a hack. Gerstein Harrow LLP, whose attorneys have developed the nation’s first crypto consumer protection practice, represents the plaintiffs.

The hack occurred on November 5, 2021, when a developer for the bZx protocol fell for a common phishing attack. According to bZx’s own analysis, the hackers used that phishing attack to obtain key passphrases for user wallets that then permitted the hackers to drain approximately $55 million from wallets. The theft was possible only because the protocol had not yet implemented security measures that its operators knew were reasonably necessary to protect its users’ funds. The protocol issued additional governance tokens (BZRX) to users who had that currency stolen, but other users—whose losses total about $35 million—were left with an essentially useless debt token.

The plaintiffs contend that the bZx DAO and several investor-partners were negligent in permitting the attack to happen, and they must compensate the plaintiffs. The lawsuit contends that, far from providing protection, the novel DAO structure—where there is no formal corporation—just means that everyone involved in the DAO’s governance is a general partner in the venture, and so is subject to unlimited liability. This is the second case brought by Gerstein Harrow to test this theory. The first case ever to articulate this theory in federal court, Kent v. PoolTogether, Inc. in the federal district court in Brooklyn, is currently being briefed by Gerstein Harrow.

“Those who form DAOs apparently believe that they can use the word ‘decentralized’ to evade corporate and individual responsibility,” said Jason Harrow, partner, Gerstein Harrow LLP. “The opposite is true: without the protection of a corporation or limited liability company, everyone involved in a DAO’s governance is liable for the protocol’s negligence and illegality.”

The case is Sarcuni v. bZx DAO, filed in the Southern District of California, docket number forthcoming. For updates, see gerstein-harrow.com.

Case documents