This past year has seen an explosion of interest and investment in initial coin offerings (ICOs), a new method of raising capital in which startups issue digital tokens to investors, usually in exchange for virtual currency. According to Coinschedule, a website that tracks ICO statistics, there were 235 ICOs that raised over $3.7 billion in 2017. That represents a dramatic increase from 2016, in which there were only 46 ICOs that raised less than $100 million.

This rapid influx of capital, as well as the persistent hype of enormous profits available for the taking, has attracted fraudsters and scam artists to the ICO market. The promise of outsized returns has lured relatively unsophisticated investors, who are hoping to ride the surge of rising token values to turn a quick profit. These investors are easy prey for scammers, who can quickly draft a fraudulent “white paper” outlining a purported startup project, sprinkle it with impressive sounding tech jargon and buzz words like “blockchain,” and capitalize on the investors’ exuberant hopes for a large and speedy return on their investment to defraud them. At a conference in September 2017, SEC Co-Director of Enforcement Steven Peikin likened these fraudsters to “roaches” that “crawl out of the woodwork and try to scam money off of investors.”

As this comment suggests, regulators in the United States recognize the problem and have begun the process of regulating ICO markets and warning investors of the dangers that these investments pose. At the same time, U.S. regulators appear to recognize the potential benefits that ICOs present as a method of raising capital, including the increased access to capital that they provide to digital startup companies who can use them to raise money from a vast pool of retail investors at an early stage of development. The regulators’ dilemma, therefore, is to enact a regulatory framework for ICOs that is robust enough to protect investors against fraud and ensure transparency in the marketplace, but is not so onerous that it suffocates innovation and causes ICO issuers to abandon the U.S. market entirely.

The SEC was first to step into the regulatory breach by issuing the “DAO Report” in July 2017, which clearly announced to the market that tokens would be regulated as securities under existing federal securities laws if they qualified as an “investment contract” under the so-called “Howey test” set forth in SEC v. W.J. Howey Co., 328 U.S. 293 (1946). At the same time, it signaled that the SEC would proceed carefully and take a case-by-case approach to its enforcement efforts. The question after the release of the DAO Report was: Now that the SEC has stepped in, how exactly will it police the ICO marketplace?

Thanks to a series of enforcement actions that the SEC brought in the last two quarters of 2017, we now have some preliminary answers. The SEC appears to be pursuing a deliberately measured enforcement strategy by initially targeting ICOs that involved obviously fraudulent conduct or where the token was clearly marketed as a security. For the moment, the SEC is steering clear of more complicated ICOs where the Howey analysis is less clear. In other words, the SEC is going after the low-hanging fruit first—a trend that will likely continue in 2018.

It is more likely that the thornier securities law issues will be tackled initially by federal courts in connection with private securities lawsuits against ICO issuers, the very first of which were filed in the last few months of 2017. It is fair to assume that these lawsuits will only increase in 2018, and will further clarify the legal landscape in this area.

RECoin, PlexCoin, and Munchee: The SEC’s Opening Salvo

Having set the expectations of the market with the DAO Report, the SEC’s enforcement strategy began in earnest on Sept. 25, 2017, when it announced that it had created a new Cyber Unit that would focus on cyber-related misconduct, including ICO violations. The SEC followed its announcement a few days later by bringing its first enforcement action against two ICO issuers called RECoin Group Foundation (RECoin) and DRC World (DRC), as well as the man who allegedly controlled them both, Maksim Zaslavskiy. In December 2017, the SEC filed two additional enforcement actions against PlexCorps and its founder Dominic Lacroix, and against Munchee.

The RECoin case and the PlexCorps case were similar in that they both involved allegations of outright fraud. According to the SEC’s complaint, RECoin and DRC claimed that they would use the proceeds raised by the ICO to purchase, respectively, real estate and diamonds, which would back the tokens causing them to “grow” or “increase” in value over time. In fact, according to the SEC, Zaslavskiy never bought any real estate or diamonds, nor did he even develop a token that RECoin or DRC could provide to their investors. Similarly, the SEC alleged that PlexCorps made numerous misrepresentations in marketing the PlexCoin token. For example, the PlexCoin white paper promised investors returns of 1,354 percent in “29 days or less.” In fact, according to the SEC, PlexCoin was a fabrication and Lacroix and his girlfriend used the proceeds from the PlexCoin ICO for “extravagant personal expenditures.”

The Munchee case, which involved a company that created an iPhone app for people to review restaurant meals, was slightly different because it did not involve allegations of fraud. Instead, it was designed to put a shot across the bow of ICO issuers who market so-called “utility” tokens.

Since the release of the DAO Report, numerous ICO issuers have attempted to circumvent the application of the securities laws by claiming that their tokens are not securities because they are not investments that return a profit. Instead, they claim that the value of their tokens is derived solely from their “utility” on the platform for which they were designed. Munchee, for example, stated that restaurants that purchased its MUN token could later use the tokens to buy advertising on the Munchee “ecosystem.” The MUN white paper even claimed that Munchee had done a “Howey analysis” and concluded that “the sale of MUN utility tokens does not pose a significant risk of implicating the federal securities laws.” At the same time, Munchee touted the profit potential of MUN tokens, claiming that MUN tokens would increase in value and emphasizing that users would be able to trade them on a secondary market.

The SEC saw through this obvious fig leaf and obtained a cease-and-desist order against Munchee, which stated unequivocally that MUN tokens were securities despite Munchee’s efforts to label them as “utility” tokens. SEC Chairman Jay Clayton delivered this same message to the broader ICO market in a statement issued that same day: “[m]erely calling a token a ‘utility’ token or structuring it to provide some utility does not prevent the token from being a security.”

The Outlook for 2018

These three enforcement actions represent the SEC’s opening salvo in the ICO arena, and are entirely consistent with the measured, case-by-case approach signaled by the DAO Report. Each of these cases involved relatively straightforward applications of the Howey test, and two involved allegations of blatant fraud. They indicate that the SEC is serious about policing ICOs, but is deliberately trying not to overreach by diving into the middle of a complicated marketplace. For the time being, the SEC seems focused on quickly imposing a basic level of security and transparency in the ICO market by containing the worst actors and setting some clear boundaries around what constitutes a security.

What is the enforcement outlook for 2018? Already there are some trends to watch. First, the SEC is no longer the only agency regulating ICOs. In October 2017, the CFTC announced that tokens issued through ICOs may be considered commodities. State securities regulators have also thrown their hat into the ring. In the first week of January 2018, the Texas State Securities Board blocked a token sale by BitConnect on the grounds that it was marketing an unregistered security under Texas state law.

Second, private litigants have begun filing the first securities class actions lawsuits against ICO issuers. Already Tezos and GigaWatt, each of which had lucrative ICOs in 2017, have been sued by token holders for alleged securities law violations. These private suits are intriguing because the tokens that were marketed in these ICOs do not bear the same obvious hallmarks of securities as RECoin, PlexCoin and the MUN token, making the Howey analysis much more complex. It is therefore likely that the federal courts, and not the SEC, will take the lead in resolving the more difficult securities law questions surrounding ICOs in the coming year.

Whereas 2017 set some basic guardrails around the ICO market, 2018 will likely see an increase in regulatory activity by multiple agencies, and a deeper engagement with the difficult legal questions posed by ICOs.

Christian Everdell is a member of Cohen & Gresser’s white-collar defense group.