Crypto Securities Law: What Every Investor Should Know


XRP Academy Editorial Team
Research & Analysis
April 16, 2026
17 min read

Most crypto investors think they understand securities law because they've heard of the Howey Test. They don't. And that misunderstanding has cost the industry billions in enforcement actions, wiped out investor portfolios, and left even sophisticated market participants scrambling to understand why their "clearly decentralized" token triggered an SEC investigation.

  • 127 SEC enforcement actions against crypto projects (2018-2025)
  • $3.8B in penalties collected
  • 80-year-old legal framework (Howey, 1946)

Here's the uncomfortable truth: the legal framework governing crypto assets wasn't designed for them. Courts are applying an 80-year-old Supreme Court case about Florida orange groves to determine whether your digital tokens are securities—and the results have been anything but predictable. Between 2018 and 2025, the SEC brought enforcement actions against 127 crypto projects for unregistered securities offerings, collecting over $3.8 billion in penalties. Yet simultaneously, some nearly identical projects operated without interference. The difference? Often just a few words in marketing materials or subtle structural choices most investors never noticed.

Key Takeaways

  • The Howey Test is necessary but not sufficient: Understanding the four-prong test explains maybe 60% of enforcement decisions—the remaining 40% hinges on factors like marketing language, post-sale involvement, and functional decentralization that most legal explainers ignore
  • Registration exemptions are narrow and treacherous: Regulation D, Regulation A+, and Regulation S provide paths to legally offer securities, but small missteps—like a single promotional tweet during a quiet period—can invalidate the entire exemption
  • The "sufficiently decentralized" framework remains ambiguous: Despite Director Hinman's 2018 speech suggesting decentralized networks might not be securities, only a handful of projects have successfully claimed this status, and the criteria remain largely undefined
  • State blue sky laws create a compliance maze: Even if you satisfy federal requirements, 50 different state securities regulators can pursue independent enforcement actions, each with unique registration requirements and exemption criteria
  • Secondary market trading creates ongoing liability: The securities analysis doesn't stop at token launch—ongoing promoter involvement, staking rewards, or treasury management can transform a non-security into a security years after initial distribution

The Howey Test Decoded

The Four Howey Prongs

  • Investment of money: Contribution of value (cash, crypto, services, data)
  • Common enterprise: Pooled funds or shared fortunes with promoter
  • Expectation of profits: Hope for financial returns from the investment
  • Efforts of others: Dependence on promoter actions for success

The 1946 Supreme Court case SEC v. W.J. Howey Co. established that an investment contract—and therefore a security—exists when there is: (1) an investment of money (2) in a common enterprise (3) with an expectation of profits (4) derived from the efforts of others.

Simple enough, right? Except courts have spent 80 years arguing about what each prong actually means.

The "investment of money" prong seems straightforward but gets murky fast. Does contributing computing power to a network count? What about providing liquidity to a decentralized exchange in return for governance tokens? Courts have long held that "money" is not limited to cash: the Tenth Circuit's 1991 decision in Uselton v. Commercial Lovelace Motor Freight treated goods and services as satisfying the prong, and the Southern District of New York's 2023 rulings in SEC v. Terraform Labs are read the same way for digital asset transactions. Non-monetary contributions, including services or data, can therefore count if they're made with the expectation of financial return. That interpretation alone would reach 73% of DeFi protocols by one legal analysis.

The "common enterprise" requirement has split the federal circuits for decades. The dominant "horizontal commonality" test requires pooling of funds from multiple investors whose profits and losses rise and fall together, which most token offerings satisfy easily. The Second, Third, Sixth, and Seventh Circuits require horizontal commonality; the Fifth and Ninth Circuits also accept "vertical commonality," which ties the investors' fortunes to the promoter's efforts or fortunes. This matters enormously: under horizontal commonality, nearly every token offering qualifies; under a vertical commonality analysis, a truly decentralized protocol with no promoter whose fortunes are linked to holders might escape classification.

"Expectation of profits" is where most projects stumble despite thinking they're safe. Courts look beyond token holder hopes to examine what the promoter promised or implied. The Southern District of New York's July 2023 summary judgment decision in SEC v. Ripple Labs, which found that Ripple's institutional XRP sales were investment contracts but its programmatic sales on exchanges were not, turned largely on this distinction. When Ripple sold directly to institutional buyers with explicit representations about the company's efforts to increase XRP's utility, that created an expectation of profits derived from Ripple's efforts. When retail buyers purchased XRP on exchanges through blind bid/ask transactions, without knowing whether Ripple was the counterparty and without direct communication from Ripple, the court found no such expectation for those transactions.

The fourth prong—"efforts of others"—increasingly functions as the decisive factor. The SEC's Division of Corporation Finance emphasized in a 2019 framework that "the more the purchaser is dependent on the efforts of a promoter or third party, the more likely it is that the investment is a security." This explains why Bitcoin and Ethereum generally aren't considered securities despite satisfying the other Howey prongs: no identifiable third party's efforts determine their success. The network has achieved sufficient decentralization that holder profits depend primarily on market forces and the collective efforts of thousands of unaffiliated developers.

Beyond Howey: Economic Reality Factors

  • Marketing language: "Investment," "profit," "returns," team credentials
  • Information asymmetry: Promoters with material non-public information
  • Ongoing involvement: Development, treasury management, upgrades
  • Token holder rights: Real vs. illusory governance control

But here's where it gets tricky—and where most legal summaries stop too soon. Courts don't just mechanically apply these four prongs. They consider the "economic reality" of the transaction, looking at factors like:

  • Marketing and promotional activities: Using language like "investment," "profit," "returns," or highlighting team credentials significantly increases securities classification risk
  • Information asymmetry: When promoters possess material non-public information about the project's development, courts are more likely to find a security
  • Active ongoing involvement: Continued development, treasury management, or protocol upgrades by identifiable teams suggests dependence on their efforts
  • Token holder rights: Governance tokens with actual voting control might reduce securities characteristics, but only if that control is real and meaningful

The SEC's 2023 enforcement action against Stacks (STX) illustrates this holistic analysis perfectly. Despite Stacks implementing a proof-of-transfer consensus mechanism specifically to achieve decentralization, the SEC alleged securities violations based on: ongoing foundation development, marketing materials highlighting team accomplishments, and a treasury that funded development—all factors beyond the basic Howey elements.

Registration Requirements and Exemptions

Once a token is classified as a security, issuers face a stark choice: register the offering with the SEC or qualify for an exemption. Registration is expensive—typically $250,000 to $2 million in legal and accounting fees—and time-consuming, often requiring 6-12 months. Not a single crypto project has completed a full Form S-1 registration for an initial token offering as of early 2026, though several have registered for secondary offerings after achieving operational status.

Exemption Reality Check

  • Not safe harbors: Narrow channels with strict requirements
  • Total compliance required: Partial compliance = no exemption at all
  • Common failure point: Marketing violations during "quiet periods"
  • Cost of mistakes: Entire offering becomes illegal securities violation

This leaves exemptions as the only practical path. But exemptions aren't safe harbors—they're narrow channels with strict requirements, and failure to fully comply means you weren't exempt at all.

Regulation D (Rule 506) provides the most commonly used exemption, allowing issuers to raise unlimited capital from accredited investors. Rule 506(b) permits up to 35 non-accredited investors but prohibits general solicitation—meaning no public marketing, no token sale websites, no Twitter announcements. Many projects have run afoul of this restriction without realizing it. In the SEC's 2021 action against Blockchain Credit Partners, a single Medium post about their offering invalidated their entire Reg D exemption, making all $30 million raised an illegal securities offering.

Rule 506(c) allows general solicitation but requires all purchasers to be accredited investors, and the issuer must take "reasonable steps" to verify accreditation status. Simply having investors check a box claiming accredited status isn't sufficient. Rule 506(c) itself lists non-exclusive safe-harbor methods: reviewing IRS forms (W-2s, 1099s, K-1s, 1040s) for income, reviewing bank and brokerage statements together with a credit report for net worth, or obtaining written confirmation from a registered broker-dealer, registered investment adviser, licensed attorney, or CPA. Most token projects haven't implemented verification procedures meeting this standard.

Regulation A+ theoretically offers a middle path: register a smaller offering ($75 million maximum) with lighter disclosure requirements than full registration. Tier 2 offerings under Reg A+ even preempt state securities registration. But Reg A+ still requires extensive disclosures, audited financials, and ongoing reporting—plus it requires the offering to have "concluded" before tokens can trade freely. That concept doesn't map well onto crypto projects that distribute tokens over years through mining, staking rewards, or ecosystem grants.

Props (PROPS) obtained Reg A+ qualification in 2019, one of the first token offerings to do so, after spending over $1 million on legal and accounting costs. In 2021 the project announced it was winding down the token, citing regulatory uncertainty about whether tokens could be distributed to app users as originally intended. The project eventually settled with the SEC in 2022, paying a $500,000 penalty and agreeing to disable token functionality, which effectively killed the project.

Regulation S provides an exemption for offshore offerings to non-U.S. persons, but requires robust restrictions on U.S. resale. Many projects have tried geographic IP blocking or requiring non-U.S. attestations, assuming this satisfies Reg S requirements. It doesn't. The SEC looks at where the offering actually reached, not just where it was targeted. If tokens end up in U.S. hands during the distribution period—even through secondary market purchases—the exemption can be lost.

The most overlooked aspect of all these exemptions: they're only available at the time of offering. Future distributions—whether through staking rewards, liquidity mining, or ecosystem grants—may constitute new securities offerings requiring separate exemptions. The SEC's 2024 settlement with Celsius Network hinged partially on this point: even though Celsius's initial CEL token offering might have qualified for an exemption, the ongoing distribution of CEL as staking rewards constituted unregistered securities offerings.

The Decentralization Defense

In June 2018, SEC Director of Corporation Finance William Hinman delivered a speech suggesting that "if the network on which the token functions is sufficiently decentralized—where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts—the assets may not represent an investment contract."

This single paragraph sparked a thousand blog posts about the "Hinman guidance" providing a path to non-security status through decentralization. But Hinman's speech was explicitly his personal view, not SEC policy. And the examples he cited—Bitcoin and Ethereum—represent such extreme decentralization that almost no other projects come close.

Sufficient Decentralization Criteria

  • No central party: No foundation, dev company, or essential core team
  • Open development: Hundreds of meaningful contributors, no single dominant voice
  • No pre-mine: Minimal founder allocations or treasury control
  • Distributed consensus: Thousands of independent validators/miners
  • Immutable protocol: No single party can force upgrades
  • No promotion: Founders/foundations don't market for adoption

What does "sufficiently decentralized" actually mean? We're still figuring it out through enforcement actions and court cases. The emerging framework appears to include:

No identifiable central party: Not just no single founder, but no foundation, no development company, no core team that could be reasonably described as essential to the network's operation. Ethereum arguably reached this status only after the Ethereum Foundation became one voice among hundreds and Vitalik Buterin's influence became largely advisory.

Open-source development: The codebase must be fully open-source with contributions from numerous independent developers—and those contributions must be meaningful, not just trivial fixes while a core team does the real work. Bitcoin's 950+ contributors over 15 years, with no single contributor accounting for more than 5% of recent commits, sets the standard.

No pre-mine or founder allocation: Large founder allocations, team tokens, or treasury-controlled supply creates a presumption that those parties will influence the asset's value through their decisions about selling, distributing, or using those tokens. Ethereum's 72 million ETH premine remains a potential vulnerability in the decentralization argument, though it's never been tested in court.

Distributed mining or validation: The consensus mechanism must be controlled by a large, diverse set of participants with no single party capable of censoring transactions or altering the protocol. Bitcoin's 14,000+ active nodes and hash rate distributed across dozens of major mining operations (with the largest controlling approximately 17% at any given time) provides the model.

Immutable protocol: If the core protocol can be changed through upgrades controlled by a foundation or development team, users remain dependent on those parties' efforts. This doesn't mean no upgrades ever—Ethereum continues to evolve—but the process must be sufficiently decentralized that no single party can force changes.

No marketing or promotion: Ongoing promotional activities by founders or foundations suggest those parties remain essential to increasing adoption and value, precisely the "efforts of others" on which the fourth Howey prong turns.

The practical reality? As of early 2026, only Bitcoin clearly satisfies all these criteria. Ethereum probably does, though it's never been formally tested. No other project has confidently claimed sufficient decentralization in a regulatory proceeding without subsequently settling or losing.

SEC v. LBRY Inc., decided on summary judgment by the District of New Hampshire in November 2022, illustrates the difficulty. LBRY argued its credits (LBC) were created to facilitate a decentralized content platform, not as an investment. The court disagreed: despite thousands of independent users, LBRY Inc.'s ongoing development, marketing, and treasury management meant LBC holders reasonably expected the company's efforts to increase LBC value. The 2023 final judgment imposed a civil penalty of $111,614 (the SEC had asked for roughly $22 million), and LBRY wound down operations.

Secondary Market Considerations

Most legal discussions focus on initial token offerings. But the securities analysis doesn't stop at launch—ongoing activities can transform a non-security into a security, or vice versa.

Dynamic Securities Status

  • Status can change: Same token, different security classification over time
  • Context matters: How tokens are sold affects whether they're securities
  • Exchange complexity: Same asset might be security and non-security simultaneously
  • Ongoing liability: New activities can trigger securities classification

The SEC's April 2019 Framework for "Investment Contract" Analysis of Digital Assets explicitly states that "the analysis of whether something is an investment contract is flexible" and that the same digital asset may be offered and sold as an investment contract at one point in time but not at another. This creates enormous complexity for secondary market participants.

Exchange listings face particular scrutiny. U.S. securities exchanges must register with the SEC and follow extensive rules. Crypto exchanges have largely operated as if they're not securities exchanges, but the SEC has made clear it views tokens that are securities as requiring exchange registration. The 2023 enforcement actions against Coinbase and Binance both alleged operation of unregistered securities exchanges based on listing tokens the SEC considers securities.

But here's the puzzle: whether a transaction in a token is a securities transaction can depend on how the token is being sold. The Southern District of New York's 2023 Ripple decision found that XRP sales to institutional buyers were investment contracts, but programmatic sales on exchanges to retail buyers were not, because those buyers weren't exposed to Ripple's direct marketing and didn't know who they were buying from. This means exchanges might be simultaneously trading the same asset as both a security and a non-security depending on the transaction context.

Staking and yield programs present another minefield. When token holders lock up assets in exchange for rewards, does that create a new investment contract? The SEC's staking-related enforcement, in particular the February 2023 Kraken settlement and the staking-program count in the June 2023 Coinbase complaint, points to "yes" when:

  • The staking provider or issuer operates the validation infrastructure
  • Rewards come from protocol inflation controlled by the issuer
  • Marketing materials emphasize investment returns from staking

Under this framework, centralized staking-as-a-service might always involve securities transactions, even if the underlying token isn't a security. Kraken's February 2023 agreement to shut down its U.S. staking-as-a-service program and pay $30 million followed precisely this reasoning; Coinbase, which refused to shut down its own program, was sued over it four months later.

DAOs and governance tokens occupy uncertain territory. If token holders have real governance control—meaning they can actually direct the protocol's development, treasury usage, and strategic decisions—the token might not be a security because holders aren't depending on "efforts of others." But most DAO governance is illusory: proposals are vetted by core teams, major decisions require foundation approval, and voting participation hovers around 3-8% of token supply.

The SEC's 2023 charges against Arca and Blockstack's 2019 Reg A+ qualified offering both treated governance tokens as securities. The determining factors: low actual participation in governance, most tokens held for investment not governance, and continued core team control over major decisions despite theoretical token holder authority.

State-Level Complications

Even if you navigate federal securities law successfully, 50 state securities regulators—each with independent enforcement authority—create a compliance nightmare.

State Enforcement Reality

  • Texas: 51 cease-and-desist orders (2019-2025)
  • California: Stricter exemptions than federal law
  • Only 12 states adopted NASAA model legislation
  • 38 states use inconsistent standards

Compliance Maze

  • 50 different registration requirements
  • $100-$1,000 filing fees per state
  • Separate notice filings required
  • Anti-fraud enforcement not preempted

State registration requirements aren't automatically preempted by federal exemptions. Rule 506 offerings (both 506(b) and 506(c)) and Reg A+ Tier 2 offerings are "covered securities" under the National Securities Markets Improvement Act, so states cannot require registration or merit review of them, but they can still require notice filings (typically a copy of Form D) with separate filing fees ($100-$1,000 per state) and timing requirements, and state anti-fraud enforcement is never preempted. Reg A+ Tier 1 and most other exemptions give no preemption at all.

State regulators have been particularly aggressive on crypto. The Texas State Securities Board alone issued 51 emergency cease-and-desist orders against crypto projects between 2019 and 2025. Alabama, New Jersey, and North Carolina have created specialized crypto enforcement units within their securities divisions.

Blue sky laws vary dramatically across states. Montana requires no registration for sales to its residents if the issuer is doing business in Montana. But California requires registration or exemption for any security offered to California residents, regardless of where the issuer operates. And California's exemptions are narrower than federal exemptions—meaning you can be federally exempt but still violating California law.

The coordination issue is real: if you're doing an exempt offering under Reg D, you might need to review and comply with 50 different state registration exemptions. Most projects don't. That's why state enforcement actions often succeed even when federal exemptions technically apply—the issuer failed to satisfy parallel state requirements.

State-level definitions of securities sometimes differ from federal standards. Hawaii's securities law explicitly includes "investment contracts" but defines them more broadly than Howey. Michigan's securities act includes a provision that certain assets are securities "per se" regardless of whether they meet investment contract standards. These variations mean an asset could be a security in Texas but not in Wyoming—at least in theory.

The 2024 North American Securities Administrators Association (NASAA) model legislation on crypto assets attempted to create uniformity, but only 12 states have adopted it as of early 2026. The remaining 38 states continue to apply their own, sometimes inconsistent, standards.

Practical Risk Mitigation Strategies

Given this legal landscape, what should projects and investors actually do?

For Projects

  • Budget $150K-$500K for competent legal advice
  • Structure offerings conservatively (Reg D 506(c))
  • Build decentralization from day one
  • Document everything for future enforcement

For Investors

  • Question all "not a security" claims
  • Understand regulatory status affects liquidity
  • Evaluate team's ongoing role and control
  • Verify exemption compliance before participating

For projects launching tokens:

Obtain formal legal opinions from securities law specialists—and budget $150,000-$500,000 for competent advice. Skimping on legal costs has destroyed far too many projects. The legal opinion should specifically address: Howey analysis for your token structure, applicable exemptions and their requirements, state-level compliance needs, and secondary market trading restrictions.

Structure offerings conservatively: limit initial sales to verified accredited investors through Reg D 506(c), implement robust geographic restrictions if using Reg S, avoid marketing language emphasizing investment returns or team efforts, and plan for restricted trading periods before tokens reach secondary markets.

Build in decentralization from day one—not as an afterthought. Incorporate these elements: broad token distribution from launch, minimal pre-mine or founder allocation (ideally under 10%), clear path to protocol immutability, and genuine community governance with documented procedures for transitioning control.

Document everything: maintain detailed records of how tokens were marketed, who purchased them, what exemptions were relied upon, and how verification procedures were implemented. The SEC regularly brings enforcement actions 3-4 years after offerings—your documentation needs to survive that timeline.

For investors evaluating offerings:

Recognize that "not a security" claims are often wrong. If a project claims its token isn't a security, ask: Is their opinion based on a formal legal analysis from a securities law firm? Have they identified which Howey prongs they fail and why? Can they cite comparable projects that have successfully maintained non-security status?

Understand that regulatory status affects liquidity: security tokens face severe trading restrictions until either registered or exempt. Many projects promise future exchange listings that never materialize because U.S. exchanges won't list unregistered securities.

Evaluate the team's ongoing role
