Blockchain & Cryptocurrency, Cryptocurrency Fraud, Cybercrime
Additionally: Python Library Update Compromises Credentials; Drug Cartels Launder Profits Through Tether
This week, ISMG compiled notable cybersecurity developments affecting digital assets, including a legal decision against a broadened definition of “dealer” by U.S. courts, a harmful Python library update responsible for credential theft, and the ongoing utilization of Tether by drug cartels for laundering activities. Additional stories highlight regulatory actions on digital payment applications while Uniswap announces an extensive bug bounty, and Meta intensifies efforts against pig butchering scams.
U.S. District Court Overturns SEC’s Expansion of ‘Dealer Rule’
A significant ruling from a U.S. District Court has challenged the Securities and Exchange Commission (SEC) by striking down an amendment that broadened the definition of a “dealer.”
Judge Reed O’Connor of Texas concluded that the new “Dealer Rule” diverged from the intent of the Securities Exchange Act of 1934 after hearing arguments on November 14. Originally instituted following a 3-2 vote from SEC commissioners in February, the amendments included entities potentially influencing market liquidity as dealers.
This legal decision stems from concerns raised by various crypto industry organizations, including the Blockchain Association, who contended that the updated guidelines could impose undue regulations on digital asset platforms, necessitating compliance with securities laws while also mandating registration with the SEC.
DeFi proponents expressed apprehension regarding compliance challenges due to the vague nature of the rule’s language. They cautioned that the definition could inadvertently encompass traders and participants in decentralized finance who designed their systems to operate without traditional dealer intermediaries.
This ruling follows recent announcements from SEC Chair Gary Gensler regarding his upcoming departure, triggering expectations of regulatory changes in the crypto landscape under the incoming administration.
Malicious Update to Python Library Targets User Credentials
Security analysts are cautioning users about a harmful update to the Python library aiocpa, commonly utilized for operations involving Crypto Pay APIs. This update, distributed via the Python Package Index (PyPI), was reportedly embedded with harmful code.
A security researcher from ReversingLabs discovered that the malicious code, obscured within the package, was designed to exfiltrate sensitive credentials to a designated Telegram bot, collecting information such as tokens and API secrets related to crypto payment activity.
The compromised versions of aiocpa were released on November 20, with the initial harmful update appearing in version 0.1.13. The Python Software Foundation has since removed the repository from PyPI. However, the source code has been confirmed to remain clean on GitHub.
Users of affected versions are advised to review their integration of the library and consider removing it. Users should also be aware that the module may appear as cryptopay, which differs from the legitimate PyPI package of the same name.
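One way to carry out the review advised above, as an added example (not code from ISMG, ReversingLabs or the aiocpa project): it lists installed distributions with `importlib.metadata`, flags `aiocpa` at or above 0.1.13, and reports which distribution actually owns the `cryptopay` import name. The status labels and the sample rows are constructed for illustration.

```python
import re
from importlib import metadata

FIRST_BAD = (0, 1, 13)  # first malicious aiocpa release named in the article

def vtuple(version):
    """'0.1.13' -> (0, 1, 13); returns () if there is no leading numeric part."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def classify(name, version, modules):
    """Label one distribution; the labels are this example's own."""
    norm = re.sub(r"[-_.]+", "-", name or "").lower()
    if norm == "aiocpa":
        v = vtuple(version)
        if not v:
            return "aiocpa-unknown-version"
        return "compromised" if v >= FIRST_BAD else "aiocpa-pre-0.1.13"
    if "cryptopay" in modules:
        return "other-cryptopay-provider"  # same import name, different package
    return "ok"

def installed():
    """Yield (name, version, top-level import names) for each installed distribution."""
    for dist in metadata.distributions():
        tops = {f.parts[0].removesuffix(".py") for f in (dist.files or []) if f.parts}
        yield dist.metadata.get("Name", ""), dist.version, tops

def audit(rows):
    """Return {distribution name: label} for every row that is not 'ok'."""
    findings = {}
    for name, version, modules in rows:
        label = classify(name, version, modules)
        if label != "ok":
            findings[name] = label
    return findings

# Constructed sample rows (not real scan output), in the shape installed() yields.
SAMPLE = [
    ("aiocpa", "0.1.13", {"cryptopay"}),
    ("requests", "2.32.3", {"requests"}),
    ("cryptopay", "1.0.0", {"cryptopay"}),
]

if __name__ == "__main__":
    for name, label in audit(installed()).items():
        print(f"{name}: {label}")
```

A `compromised` result means the tokens and API secrets that environment handled should be treated as exposed and rotated, not only that the package should be uninstalled.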
CFPB Limits Scope of Proposed Cryptocurrency Regulations
The U.S. Consumer Financial Protection Bureau (CFPB) has solidified a new regulatory framework that acknowledges the supervisory role of the agency over significant nonbank entities while deliberately excluding cryptocurrency transactions from this oversight.
This new guideline targets firms managing over 50 million annual transactions in U.S. dollar-denominated payments, and notably excludes Bitcoin and stablecoins, scaling back its reach. The CFPB’s adjustment aims to address stipulations from both the crypto industry and Republican lawmakers regarding perceived ambiguities in how the previous proposal would engage with digital assets.
Mexican Drug Cartels Allegedly Launder Profits Using Tether
Newly unsealed court documents reveal an extensive money laundering operation allegedly linked to Mexican and Colombian drug trafficking organizations that have leveraged Tether to transfer extensive illicit funds through various front companies and cryptocurrency transactions.
Uniswap Unveils $15.5 Million Bug Bounty Initiative
Uniswap Labs has launched an extensive bug bounty program, proposing rewards up to $15.5 million for identifying essential vulnerabilities in its new v4 core contracts, claiming it to be the largest bounty in the sector’s history. This program aims to enhance the security framework for the decentralized exchange, with coverage extending to all deployed and certain undeployed smart contracts.
Meta Cracks Down on Pig Butchering Scam Accounts
In a major proactive measure, Meta has disclosed that it has removed over 2 million accounts on Facebook this year due to their involvement in various scams, including operations known as pig butchering.
Pig butchering schemes trick victims into signing harmful blockchain transactions that effectively permit scammers to access and drain tokens from the victims’ wallets. The majority of removed accounts have connections to regions known for extensive online scamming activities, notably Myanmar, Laos, and the UAE, underscoring the serious threats that such scams pose to unsuspecting users.