UDAAP in Crypto: Why State Attorneys General Are Your New Enforcement Risk

April 18, 2026 Rebecca Leung

TL;DR:

  • In April 2025, DOJ dismantled its National Cryptocurrency Enforcement Team (NCET) — the specialized federal unit behind major crypto fraud prosecutions
  • State AGs filled the vacuum fast: New York extracted a $200 million settlement from Galaxy Digital in March 2025 under the Martin Act; California’s DFPI is using CCFPL UDAAP authority against crypto kiosk operators
  • State UDAP laws are structurally more dangerous than federal enforcement: courts have held AGs don’t need to prove consumer harm, reliance, or defendant intent
  • 40+ states have crypto legislation active in 2025-2026; California’s Digital Financial Assets Law creates new UDAAP exposure for unlicensed operators starting July 2026

On April 8, 2025, the Department of Justice announced it was disbanding its National Cryptocurrency Enforcement Team. The specialized unit that brought down BitMEX, prosecuted Bitzlato, and charged a parade of crypto fraud cases was folded into broader divisions with different priorities.

Crypto companies exhaled.

Too soon — again.

The federal enforcement pullback didn’t reduce consumer protection risk for crypto. It concentrated it in a different set of regulators who have fewer institutional constraints, broader legal authority in many cases, and a demonstrated appetite for aggressive enforcement. State attorneys general have been moving into the space for years, and the federal retreat in 2025 accelerated the shift dramatically.

Here’s what the enforcement landscape actually looks like, and what your consumer compliance program needs to have right now.

Why State AGs Are More Dangerous Than Federal Enforcers on UDAP

The instinct when federal enforcement softens is to relax. That instinct is wrong for crypto consumer protection, because state UDAP laws have structural advantages over federal UDAAP that make them potent enforcement tools.

No intent requirement. Federal UDAAP under Dodd-Frank requires proof that a practice is “unfair” — which in turn requires substantial consumer injury that isn’t reasonably avoidable. State UDAP laws in most jurisdictions have no such bar. New York’s Martin Act, California’s Unfair Competition Law, and similar statutes give AGs remedies even without proving the company intended to deceive or harm consumers.

No proof of harm required. Courts have held in multiple jurisdictions that state AGs bringing UDAP claims don’t need to establish actual consumer harm or consumer reliance on a misleading communication. A deceptive promotional statement is actionable even if the AG can’t point to a single consumer who was actually misled.

Nationwide scope, state-level standing. When the NY AG investigated Galaxy Digital, the investigation covered conduct affecting investors nationally — and resulted in a $200 million settlement. New York’s Martin Act is jurisdictionally broad enough that NYAG enforcement has national practical effect.

Consumer complaint-based trigger. State AGs have direct lines into consumer complaints. A pattern of complaints about undisclosed fees, misleading yield claims, or lost funds frequently triggers an investigation that federal regulators at scale might not prioritize. Your complaint handling process is, effectively, your first line of defense against state AG attention.

The 2025 Enforcement Cases That Define the Landscape

Galaxy Digital: $200 Million on Martin Act Fraud (March 2025)

In March 2025, Galaxy Digital Holdings entered into a $200 million assurance of discontinuance with the New York AG to resolve allegations involving the firm’s promotion of the Terra/Luna ecosystem from 2020 to 2022.

The core allegation: Galaxy and its CEO Michael Novogratz promoted Luna to investors — including through social media, public statements, and prominent marketing — while simultaneously and secretly selling off their Luna holdings at a profit. Galaxy realized hundreds of millions of dollars in gains while retail investors bought in on the strength of the promotion.

The legal hook was New York’s Martin Act: its prohibition on fraudulent practices in connection with securities and commodities, without requiring proof of intent to defraud. Galaxy neither admitted nor denied the allegations, but agreed to pay $200 million over three years, implement conflict-of-interest policies, and conduct legal analysis on future token deals.

The compliance lesson: If your firm promotes or recommends any digital asset while holding a position in that asset, your disclosure and conflict-of-interest framework needs to treat that as a material obligation — not a discretionary disclosure.

California DFPI: CCFPL UDAAP Authority Against Kiosk Operators (2025)

California’s Department of Financial Protection and Innovation has been using its authority under the California Consumer Financial Protection Law (CCFPL) — which includes UDAAP-equivalent authority — in connection with enforcement under the new Digital Financial Assets Law.

In October 2025, the DFPI ordered Coinhub to pay $675,000 in penalties (including $105,000 in restitution to California consumers) for violations including:

  • Charging transaction fees exceeding the DFAL’s fee cap on more than 2,700 occasions
  • Failing to provide required consumer disclosures before completing transactions (including digital-asset prices, total fees, and refund warnings)
  • Processing transactions in excess of the $1,000 DFAL limit, including several exceeding $10,000

The DFPI’s enforcement actions note that consent orders typically include violations of the prohibition on unfair, deceptive, and abusive acts under the CCFPL — meaning DFPI enforcement is explicitly layering UDAAP authority on top of DFAL licensing violations.

The compliance lesson: Fee transparency is a core UDAAP risk in crypto. Every fee charged — transaction fees, network fees, spread, custodial fees — needs to be disclosed clearly before the transaction completes. The California model is increasingly the national template.

New York’s Expanding Enforcement Infrastructure (2026)

Beyond individual enforcement actions, New York is building the legislative infrastructure for sustained crypto consumer protection enforcement:

  • Proposed CRYPTO Act: Would create criminal penalties for operating a virtual currency business without a license, graduating from Class A misdemeanor to Class C felony based on transaction volume
  • BitLicense expansion: Ongoing tightening of DFS licensing requirements for crypto exchanges operating in New York
  • NYAG investigation activity: Attorney General James has publicly committed to prioritizing crypto fraud investigations and urged Congress to pass comprehensive federal legislation

Even absent new legislation, the Martin Act gives the NYAG broad jurisdiction that has already produced nine-figure enforcement outcomes.

The State Enforcement Map: Where the Risk Is Concentrated

| State | Primary Legal Framework | Recent Enforcement | 2026 Developments |
|---|---|---|---|
| New York | Martin Act, Executive Law | $200M Galaxy Digital (March 2025), $24M Nexo (2023) | Proposed CRYPTO Act criminal penalties |
| California | UCL, CCFPL (UDAAP), Digital Financial Assets Law | $675K Coinhub (Oct 2025), multiple kiosk operators | DFAL licensure required July 2026 |
| Illinois | Consumer Fraud and Deceptive Business Practices Act | Investigations underway | 2025 legislation on digital asset business regulation |
| Texas | DTPA, consumer fraud laws | Criminal asset forfeiture expanded (Sept 2025) | Active digital asset task force |
| Connecticut | CUTPA | Criminal forfeiture expanded (July 2026) | Growing enforcement pipeline |

The risk isn’t just in the states with the most legislative activity. Courts have held that state UDAP laws apply whenever the deceptive practice is directed at residents of the state — meaning a crypto company with customers across the country faces potential exposure to 40+ state UDAP frameworks simultaneously.

What State AGs Are Actually Targeting: The Compliance Checklist

Understanding the enforcement pattern gives you a roadmap for remediation. The cases break down into four recurring violation categories.

1. Undisclosed Conflicts of Interest in Promotions

Pattern: Company promotes a digital asset while holding a significant position — without disclosing the position.

UDAP hook: Material omission that would be considered deceptive to a reasonable consumer. The Martin Act in New York explicitly covers this. Most state fraud statutes cover material omissions.

Compliance response:

  • Implement a conflicts of interest policy that covers all public communications about digital assets
  • Require disclosure of any firm position when promoting a specific asset
  • Document review and approval of promotional materials, including social media
  • Track token positions and tie them to promotional activity review

2. Fee Transparency Failures

Pattern: Transaction fees, spreads, network fees, or custodial fees are not clearly disclosed before the transaction completes.

UDAP hook: Charging consumers more than disclosed, or failing to disclose material terms before a consumer commits.

Compliance response:

  • Audit every fee in your product: what is it, when is it charged, is it disclosed before commitment?
  • Apply the California DFAL standard as your baseline: prices, total fees, and refund warnings required before completion
  • Test your disclosure flow as a new consumer would experience it — what does the fee disclosure screen actually show?
  • Review your Terms of Service and transaction flow for gaps between disclosed and actual fees

3. Misleading Yield or Return Claims

Pattern: Platform advertises interest rates, yields, or “guaranteed returns” on crypto deposits that are not adequately qualified or that cannot be delivered.

UDAP hook: Deceptive or misleading material claims about investment performance.

Compliance response:

  • Apply securities law advertising standards to any return-related claims
  • Ensure yield rates are qualified with risk disclosures, variability information, and terms
  • Review all marketing materials, website content, and email campaigns for unqualified return claims
  • Document the process for approving and updating promotional content as rates change

4. Unlicensed Operations and Required Registration Gaps

Pattern: A crypto exchange, lending platform, or kiosk operator fails to obtain required state licenses — and the state AG uses UDAP authority alongside the licensing violation.

UDAP hook: Operating without required license is itself treated as an unfair practice in many states; the DFPI’s enforcement actions explicitly combine DFAL violations with CCFPL UDAAP findings.

Compliance response:

  • Conduct a state-by-state licensing analysis for your product types and customer footprint
  • For California-exposed businesses: evaluate your July 2026 DFAL compliance readiness now
  • For New York: verify your BitLicense status relative to your product scope
  • Build a regulatory change management process to catch new licensing requirements before they take effect

The GENIUS Act Question: Does Federal Legislation Change State Exposure?

The GENIUS Act — which would create a federal regulatory framework for payment stablecoins — has been in Congress for over a year and moves toward passage in fits and starts. A question that comes up frequently: if the GENIUS Act passes, does federal preemption neutralize state UDAP risk?

The short answer is no, and here’s why that matters for your compliance planning:

UDAP laws are not preempted by regulatory licensing. The existence of a federal regulatory framework for stablecoins would create licensing and prudential requirements. It would not preempt state consumer protection laws that apply to how those stablecoins are sold, promoted, and serviced. State AGs’ authority to pursue deceptive practices in consumer communications survives federal banking preemption in virtually all precedent.

State AGs have sued federally regulated entities. New York’s Martin Act was applied to Galaxy Digital, which operates under federal oversight. California’s DFPI uses its CCFPL UDAAP authority against entities regardless of their federal regulatory status.

Federal licensing creates a floor, not a ceiling. Passing GENIUS Act compliance and satisfying California’s DFAL licensing requirements are separate compliance obligations. Meeting one doesn’t satisfy the other.

Build your compliance program for the multi-regulator environment — because that’s what you’re operating in.

Building the Compliance Response: A Practical Roadmap

30 Days: Audit and Inventory

  1. Fee disclosure audit: Walk through your transaction flow as a consumer. Document every fee charged and whether it’s disclosed before commitment. Flag any gap.
  2. Promotional materials review: Pull all active marketing, social media, and website content that references returns, yields, or product benefits. Flag any unqualified claims.
  3. Conflicts of interest inventory: Identify all digital assets your firm holds, manages, or has financial exposure to. Map against all public communications promoting or referencing those assets.
  4. Consumer complaint analysis: Pull three months of complaints. What are the top categories? Undisclosed fees, misleading claims, and “I lost money” are warning patterns.

60 Days: Remediation

  1. Update fee disclosures in transaction flows to meet California DFAL standards as a baseline
  2. Implement promotional review workflow: No public communication about a digital asset ships without compliance sign-off; add a standard conflicts disclosure requirement
  3. Draft conflicts of interest policy covering all firm communications about digital assets
  4. Close licensing gaps: If your state licensing analysis identifies gaps, start the application process — timelines for state licenses are often 6-12 months

90 Days: Systemic Controls

  1. Consumer complaint management process: If you don’t have a formal complaint management program, build one. State AGs monitor complaint databases; a documented, responsive process reduces your profile
  2. Ongoing promotional monitoring: Build a periodic review cadence for website and marketing content, not just pre-launch review
  3. Regulatory change monitoring: Assign ownership of tracking state-level crypto legislation and enforcement trends — especially California (July 2026 DFAL), Illinois (rules forthcoming), and New York (CRYPTO Act developments)

So What? The Enforcement Risk Is Real and Growing

The federal pullback on crypto enforcement wasn’t a gift to the industry. It shifted enforcement to state AGs who operate under legal frameworks with fewer proof requirements, broader remedial authority, and direct consumer complaint intake.

The Galaxy Digital settlement — $200 million for promotional conduct that predated most current crypto compliance frameworks — signals where state enforcement is willing to go. The California DFPI enforcement pattern signals the same thing at the product level: fee transparency, disclosure completeness, and UDAAP compliance are not optional elements of a crypto consumer protection program.

The compliance work isn’t novel. It’s the same fair and transparent disclosure framework that applies to any consumer financial product. The difference for crypto is that the regulatory enforcement infrastructure has caught up with the consumer protection obligations — even if the federal story seems quieter than it used to be.


Frequently Asked Questions

Do state UDAP laws apply to crypto companies?

Yes. State Unfair, Deceptive, or Abusive Acts or Practices laws apply broadly to businesses operating in the state, including crypto exchanges, lending platforms, and kiosk operators. Courts have held that state AGs bringing UDAP claims don't have to prove actual harm to consumers, reliance on communications, or knowledge or intent by defendants — making them among the most powerful consumer protection tools available.

What is New York's Martin Act and why does it matter for crypto?

New York's Martin Act is the state's securities law, often called a 'blue sky law,' giving the NY AG broad authority to investigate and prosecute fraud in securities and commodities — including digital assets. It's particularly powerful because it doesn't require proof of intent to defraud, and the AG can pursue both civil and criminal remedies. Major crypto enforcement actions including the $200M Galaxy Digital settlement (March 2025) were brought under the Martin Act.

What happened with federal crypto enforcement in 2025?

On April 8, 2025, the DOJ announced it was disbanding its National Cryptocurrency Enforcement Team (NCET), the specialized unit that had prosecuted major crypto fraud cases. The DOJ shifted its focus to cases involving terrorism financing and state-sponsored actors rather than broad consumer protection enforcement. This created a significant vacuum that state AGs moved quickly to fill.

What violations are state AGs targeting in crypto consumer cases?

The most common enforcement targets include: misleading or false promotions without disclosing conflicts of interest (NY Martin Act), undisclosed fees on crypto transactions (CA DFAL/CCFPL UDAAP), failure to provide required consumer disclosures, unlicensed operations, and deceptive marketing of yield products or 'guaranteed returns.' California's DFPI is also using its CCFPL UDAAP authority expansively in connection with DFAL enforcement.

How should crypto compliance teams prepare for state AG enforcement?

Start with a promotional review: every communication about investment returns, yields, fees, or product features should be reviewed for accuracy and disclosure completeness. Document your conflicts of interest policy. Audit fee disclosures in customer communications. If you operate in California, review your DFAL compliance readiness for July 2026 licensure. And build a consumer complaint management process — state AGs frequently initiate investigations based on consumer complaint patterns.

Does the GENIUS Act eliminate state enforcement authority over stablecoins?

No. Even if the GENIUS Act passes in its current form, it primarily creates a federal licensing framework for payment stablecoins. State consumer protection and UDAP laws generally survive federal preemption — meaning state AGs retain authority to pursue deceptive or unfair practices even for federally licensed stablecoin issuers. State enforcement capacity is structurally independent of federal regulatory status.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
