Author: Craig R. Heeren

Craig Heeren is a former federal prosecutor and seasoned trial lawyer who counsels clients in government and internal investigations as well as in cybersecurity response, national security inquiries and sanctions compliance. At the U.S. Attorney’s Office for the Eastern District of New York, Craig served in a number of leadership positions, including as deputy chief of the National Security and Cybercrime Section. He developed extensive relationships and experience with, among others, multiple U.S. Attorney’s Offices; the Department of Justice’s National Security Division, Computer Crimes Section, and Criminal Division; the Treasury Department’s Office of Foreign Assets Control (OFAC); and the Department of Commerce’s Bureau of Industry and Security (BIS). Craig advises clients on criminal, regulatory and complex civil matters related to cross-border regulations, trade secrets and intellectual property theft, cryptocurrency and artificial intelligence, anti-money laundering (AML) obligations, and securities regulations. He also works with clients to design, enhance and implement risk-based compliance programs and other policies.

Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services

Share

Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with cybersecurity regulations required for financial services businesses under the Department’s supervision.  The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident where hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems.  As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the policy in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through cybersecurity regulations established at 23 NYCRR Part 500.  These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program to protect consumers’ nonpublic information (NPI) and ensure the security of information systems.

Continue reading “Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services”

Oh No, Canada! Takeaways from the Indictment of a Canadian National Allegedly Responsible for $65 Million DeFi Cryptocurrency Theft

Share

On February 3, 2025, the U.S. Attorney’s Office for the Eastern District of New York (EDNY) unsealed an indictment against Andean Medjedovic, a 22-year-old Canadian national, for allegedly stealing approximately $65 million in cryptocurrency from two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance.  Medjedovic is charged with wire fraud, violation of the Computer Fraud and Abuse Act (“CFAA”) for unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering and money laundering conspiracy.  This case highlights the growing risks and vulnerabilities in DeFi platforms, which remain attractive targets for sophisticated cybercriminals.

Understanding the Alleged Scheme

DeFi platforms like KyberSwap and Indexed Finance operate on blockchain networks and use “smart contracts” to manage user transactions.  These smart contracts facilitate automated cryptocurrency exchanges by maintaining liquidity pools, which are funded by investors.  The indictment alleges that Medjedovic, a Canadian national, manipulated these smart contracts to drain funds from these pools, defrauding investors in the process through two different exploits.

Continue reading “Oh No, Canada! Takeaways from the Indictment of a Canadian National Allegedly Responsible for $65 Million DeFi Cryptocurrency Theft”

©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy