Crypto, AI, and cyber cases are still legal cases — with newer facts.

The intake calls in this practice arrive with a strangely consistent set of openings. A detective called about wallet addresses tied to a fraud investigation. A federal agent left a card after asking about a token sale. The exchange froze an account after a subpoena. The corporate accounts-payable team wired $1.2M to what they believed was the CEO's instruction, and the cyber-insurance carrier just denied coverage. The deepfake video appeared on a competitor's social media. The AI-resume-screening tool the HR department deployed has produced six months of disparate-impact data. The decedent's NFT collection is locked behind a Ledger device whose PIN no one in the family knows.

Crypto, AI, and cyber facts are newer; many legal frameworks are familiar. Our work is legal representation: mapping facts to statutes, contracts, insurance policies, court remedies, preservation duties, and defense strategy. We do not replace police, private investigators, credit bureaus, accountants, or technical incident-response vendors.

Cryptocurrency criminal defense and disputes.

The cryptocurrency cases we handle most often fall into several groups:

Crypto-related criminal defense.

Crypto-related accusations may be investigated by local police, county prosecutors, the New Jersey Attorney General, federal agencies, or a joint task force. The fact pattern may involve alleged investment fraud, token-sale misrepresentations, account takeovers, SIM swaps, wallet-draining activity, ransomware payments, darknet-market transactions, money movement through mixers, or conversion of digital assets to fiat through exchange accounts.

The defense work starts early, before the client gives unnecessary statements or loses access to account records. We focus on:

• Wallet and account attribution. Whether the government can connect a wallet, exchange account, device, IP address, phone number, or recovery phrase to the accused person.
• Intent and knowledge. Whether the accused knew the source, purpose, or alleged fraudulent nature of a transaction.
• Chain-analysis evidence. Whether blockchain tracing actually supports the government's theory, or merely shows movement through addresses with uncertain attribution.
• Search warrants, subpoenas, and device extractions. Whether law enforcement obtained and searched phones, laptops, exchange records, cloud backups, or seed-phrase materials lawfully.
• Restitution and forfeiture exposure. Whether seized assets are traceable to alleged criminal conduct, and whether restitution calculations overstate the provable loss.

Common charge frameworks include New Jersey theft by deception, identity theft, computer-crime, money-laundering, and securities-law theories, plus federal wire fraud, money laundering, computer fraud, bank fraud, and forfeiture statutes. This is criminal-defense work first; the technology is the evidence layer.

Exchange-collapse creditor claims.

When a centralized crypto platform fails — FTX, Celsius, Voyager, BlockFi, Genesis, and several others in the 2022-2024 cycle — depositors become creditors in a bankruptcy or receivership proceeding. The threshold legal questions: was the depositor's crypto customer property (typically not part of the estate, subject to return) or property of the estate (subject to pro rata distribution to unsecured creditors)? The answer turns on the platform's terms of service, the segregation (or commingling) of customer assets, and applicable bankruptcy doctrine.

Three deadlines define the case:

• The bar date — the bankruptcy court's deadline for filing proofs of claim. Missing it forfeits the claim entirely. Bar dates are publicly noticed but easily missed by individual depositors.
• The opt-out deadline for any class action against officers, directors, promoters, or auditors. Class members who fail to opt out are bound by class settlements that may pay pennies on the dollar; opting out preserves the right to bring individual claims.
• The tax-loss question — crypto losses can have tax consequences, but tax analysis is handled by the client's CPA or tax counsel. We preserve the legal record and coordinate with tax professionals where the legal posture affects tax documentation.

Parallel civil claims against celebrity endorsers, auditors, law firms, or state-level promoters under the NJ Uniform Securities Law (N.J.S.A. 49:3-52source) may run alongside the bankruptcy where the facts support them. We coordinate across forums and track the claim, opt-out, and litigation deadlines.

Pig-butchering and romance-crypto scam response.

One major crypto-fraud category in FBI IC3 reporting is the long-form relationship-based crypto scam, colloquially called pig-butchering. Victims are cultivated through dating apps, professional-networking platforms, or social media; introduced to a supposed investment platform run by the scammer; allowed to make initial small withdrawals to build trust; then induced to deposit increasingly large amounts before the platform freezes withdrawals and disappears.

We do not sell “crypto recovery” as a standalone promise. These cases are often difficult, and many funds are not practically recoverable. We are lawyers, not detectives or law enforcement. Where a legal response makes sense, our role may include:

1. Preservation and reporting guidance. We can help clients preserve records and decide whether an IC3 report, local police report, platform report, carrier notice, or regulatory complaint is appropriate. The investigation itself remains with law enforcement or qualified investigators.
2. Representation in identity-theft and platform communications. We can speak as counsel with platforms, financial institutions, insurers, creditors, and agencies where legal representation helps protect the client's position. We are not a credit-reporting agency or credit-repair company.
3. Outside forensic coordination. Where blockchain tracing, device review, or technical incident-response work is useful, that work is performed by qualified forensic or technical vendors. We use the results as potential evidence; we do not market tracing as a recovery guarantee.
4. Civil action against identifiable defendants. Conversion, unjust enrichment, fraud, constructive-trust, identity-theft, and related claims may be available where an identifiable defendant, reachable forum, and admissible proof exist.
5. Civil discovery and subpoenas. Where a court case or authorized discovery path exists, we can pursue subpoenas and discovery through the proper legal channels. We cannot use civil litigation to perform open-ended detective work.
6. Insurance and coverage claims. We can evaluate cyber, identity-theft, homeowner's, commercial-crime, or other coverage that may respond, and dispute improper denials where the policy and facts support it.

We coordinate with reputable vendors and pursue civil angles where the documentary case supports it. We do not tell victims that a blockchain trace, platform complaint, police report, or attorney letter means funds will be returned.

Wallet-theft response.

Wallet-theft matters fall into several categories: phishing-driven seed-phrase compromise, SIM-swap-driven account takeovers, exchange-account compromise, and physical-device thefts. The legal response is selective: reporting guidance, preservation of account records, vendor coordination where technical review is useful, and civil claims only where identifiable defendants and admissible proof exist.

Where SIM-swap is the attack vector, secondary civil claims against the mobile carrier for negligent account-security and against any cryptocurrency exchange that ignored its own multi-factor authentication policies may become viable. Carrier cases are document-heavy and turn on account-security records, training, prior compromise history, and the carrier's own procedures.

Smart-contract breach and DAO disputes.

A smart contract is, legally, a contract. The fact that it executes on a blockchain rather than on paper does not change its enforceability — what changes is the documentary case. Common smart-contract disputes:

• Function-coded versus parties-intended discrepancies. The code did one thing; the parties believed it would do another. Reformation, rescission, and misrepresentation claims become available.
• Bug-driven losses. A contract bug allowed an attacker to drain funds. Claims against the developer, auditor, and platform that hosted the contract.
• DAO governance disputes. Decentralized Autonomous Organizations may be treated as unincorporated associations or general partnerships under default state law, depending on structure and facts. That can create personal-liability risk for participants. Governance disputes (proposals defeated improperly, votes counted improperly, treasury misappropriation) are evaluated under partnership, contract, and unincorporated-association doctrines.
• NFT contract disputes. Royalty enforcement, derivative-work disputes, secondary-market transfer disputes, and platform takedowns of NFT collections.

The substantive contract-law framework is the same as business litigation; the technical evidence is novel. We integrate with developers and security auditors to develop the documentary case and bring it under conventional contract-law theories.

Cybersecurity and data-breach litigation.

Cybersecurity incidents produce litigation across three distinct phases:

Incident-response phase — the first 72 hours.

Immediately after a breach is detected, the legal questions are notification and preservation. The NJ Identity Theft Prevention Act, N.J.S.A. 56:8-161source et seq., requires businesses that have lost personal information of NJ residents to notify those residents and (in many cases) the New Jersey State Police and the Division of Consumer Affairs. The federal HIPAA breach-notification rule applies for protected health information. Industry-specific notification rules apply for financial-services data (Gramm-Leach-Bliley), educational records (FERPA), and other regulated categories.

Counsel during the incident-response phase can help with:

• Proper preservation of evidence under the attorney-client privilege (incident-response work performed under privileged direction stays privileged; work done independently does not).
• Timely notification — late notification produces both regulatory liability and private cause-of-action exposure.
• Coordination with cyber-insurance carriers under the policy's notice provisions.
• Documentation suitable for later litigation or regulatory review if the incident escalates.

Data-breach plaintiff-side litigation.

Individuals whose personal information was exposed in a breach have multiple potential claims:

• NJ Identity Theft Prevention Act (N.J.S.A. 56:8-161source et seq.) — private right of action where the business's notification was untimely or its security practices were inadequate.
• NJ Consumer Fraud Act (N.J.S.A. 56:8-1source et seq.) — applies where the business misrepresented its data-security practices in any consumer-facing communication (privacy policies, terms of service, marketing materials). The CFA provides mandatory treble damages and attorneys' fees under N.J.S.A. 56:8-19source.
• New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.source) — effective January 15, 2025. Creates substantive obligations around data collection, use, and disclosure, enforced exclusively by the New Jersey Attorney General through the Division of Consumer Affairs. It does not create a private right of action; for the first 18 months after the effective date, the Division must provide notice and an opportunity to cure where it deems cure possible before bringing an enforcement action.
• Common-law negligence where the business failed to implement reasonable security controls.
• Breach of contract against businesses whose customer agreements promised data-security standards that were not met.
• Federal claims under the Fair Credit Reporting Act (15 U.S.C. § 1681), the Stored Communications Act (18 U.S.C. § 2701), and (for healthcare data) HIPAA-derived state common-law claims.

Class-action posture is common in large breaches. Individual cases proceed where damages are concrete and substantial — actual identity theft, fraudulent charges, credit-monitoring costs, time lost to remediation, and emotional-distress damages in egregious cases.

Cyber-insurance bad-faith and coverage litigation.

Cyber-insurance coverage denials have produced a substantial litigation surface. Common denial grounds and the defense responses:

• 'Voluntary parting' exclusion in BEC (business email compromise) claims. Carriers may argue the insured voluntarily transferred funds. The response depends on policy wording and the fraud-induced-transfer facts.
• Application misrepresentation. Carrier voids coverage based on alleged misstatements about security controls in the policy application. NJ contract interpretation requires materiality and inaccurate representation; some defenses fail on close reading.
• Late notice. Carrier argues the insured failed to provide timely notice. NJ late-notice law is fact-specific and often turns on actual prejudice.
• Sub-limit and self-insured-retention disputes — often resolvable through coverage litigation rather than denying coverage outright.
• War-exclusion or nation-state-actor exclusions — increasingly invoked in ransomware cases. New Jersey's Merck v. ACE Americansource decision is a major New Jersey authority on applying war exclusions to cyber incidents.

Bad-faith claims under NJ insurance law produce consequential and (in egregious cases) punitive damages. We pull the policy at the consultation, evaluate each denial ground, and pursue the coverage litigation where the documentary case supports it.

AI-related civil claims.

AI systems can produce legal claims across conventional frameworks. The active fact patterns in current NJ practice include:

AI-driven employment, lending, and housing discrimination.

Organizations increasingly use AI-driven decision tools — resume screening, video-interview analysis, housing-screening, credit-scoring, and risk assessment. The NJ Law Against Discrimination (N.J.S.A. 10:5-12source) prohibits discrimination on the basis of race, national origin, gender, age, disability, and other protected characteristics — and the prohibition applies to facially neutral practices that produce disparate impact, including algorithmic outputs.

AI-bias claims usually require disparate-impact statistical analysis: comparing protected-class outcomes against expected baseline rates. Where the documentary case supports it, the AI vendor and the deploying employer or landlord may both face claims. New York City's bias-audit law (Local Law 144) and other emerging frameworks signal a national direction; NJ exposure can arise under existing LAD precedent even without an AI-specific statute.

Deepfake defamation, false light, and revenge pornography.

AI-generated images, videos, and voice clones can create defamation and privacy claims under existing NJ frameworks:

• Defamation — false factual statements published of and concerning the plaintiff that produce reputational harm. One-year statute of limitations under N.J.S.A. 2A:14-3source. Deepfake videos depicting false conduct meet the elements directly.
• False-light invasion of privacy — NJ common-law tort. Publication of material that places the plaintiff in a false light, where the publication is highly offensive to a reasonable person.
• Right of publicity — unauthorized commercial use of name, likeness, or voice. NJ recognizes a common-law right of publicity; commercial deepfakes face exposure here.
• Non-consensual sexual imagery (including AI-generated) — content-specific statutory remedies and platform-notice obligations exist for this kind of harm. The work that targets this fact pattern specifically is housed at our dedicated content-creator practice, where the framework can be addressed with the audience-appropriate care and context.
• Intentional infliction of emotional distress — viable where the deepfake conduct meets the high IIED threshold (extreme and outrageous conduct, intent or recklessness, severe emotional distress).

AI vendor liability and customer claims.

Businesses deploying AI systems may face downstream liability claims from customers, employees, or third parties harmed by AI errors. The legal frameworks:

• Breach of contract by customers whose own customers were harmed by AI hallucinations or errors.
• NJ Consumer Fraud Act where AI output misled consumers in connection with a sale.
• Product-liability theory under the NJ Product Liability Act (N.J.S.A. 2A:58C-1source) — where the AI system can be characterized as a defective product. Application to AI as a "product" is unsettled and case-specific.
• Negligent misrepresentation where AI-generated outputs were presented as factually authoritative.
• Indemnification disputes between AI vendors and their customers — typically resolved under the vendor agreement's specific indemnification, limitation-of-liability, and warranty clauses. Vendor agreements vary wildly on AI-specific indemnification; we read them carefully at the consultation.

LLM, RAG, and AI-vendor contracts.

A growing share of AI legal work is contract review before deployment: LLM subscriptions, retrieval-augmented generation (RAG) systems connected to company knowledge bases, AI customer-support tools, AI sales tools, AI coding tools, and AI screening tools. These agreements deserve a different read than ordinary SaaS terms because the operational risk is tied to data ingestion, output reliance, and vendor control.

• Data use and training rights. Whether prompts, documents, embeddings, outputs, logs, or user feedback can be used to train or improve the vendor's models.
• Confidentiality and privilege. Whether uploaded contracts, personnel files, medical records, client files, source code, or litigation materials are protected, segregated, and excluded from model training.
• RAG source control. Who controls the retrieval corpus, how stale documents are removed, how permissions are enforced, and how the system logs which source documents supported an answer.
• Output reliance. Whether the vendor disclaims accuracy; whether the customer must keep a human-review loop; whether the tool may be used for employment, lending, housing, healthcare, or legal decisions.
• Indemnity and limitation of liability. Whether the vendor covers third-party claims arising from model output, data breach, alleged infringement, privacy violations, or discrimination claims; and whether the liability cap is meaningful compared with the deployment risk.
• Audit, logs, and preservation. Whether the business can preserve prompts, outputs, source citations, confidence scores, user actions, and admin changes if a dispute or regulator inquiry arises.

We review these agreements as contracts and risk-allocation documents. We do not advise on model architecture, fine-tuning strategy, prompt-engineering design, or technical security implementation; those are coordinated with technical vendors where needed.

Drones, robots, and autonomous AI agents.

Drones, autonomous robots, and AI agents acting on principals' behalf are deployed widely in NJ today and produce a distinct set of legal questions:

• Commercial drone operations — FAA Part 107 Remote Pilot certification; FAA Remote ID compliance under 14 C.F.R. Part 89; commercial drone aviation insurance; client-service contracts; subcontractor agreements; LAANC airspace authorizations.
• Drone civil incidents — trespass to land from low-altitude overflights; nuisance from persistent operations; NJ privacy torts (intrusion upon seclusion, public disclosure, false light) applied to drone surveillance; negligence in operations producing property damage or injury; product-liability claims against drone manufacturers.
• NJ drone criminal liability under N.J.S.A. 2C:40-28source — fourth-degree crime for correctional-facility overflight and contraband delivery; disorderly-persons offenses for reckless operation, operating under influence, and obstructing first responders. Federal exposure under 49 U.S.C. § 46307source for FAA flight-restriction violations.
• Robots and autonomous systems — industrial robots, delivery robots, autonomous excavators, autonomous lawn equipment, autonomous security systems. Product liability under the NJ Products Liability Act, N.J.S.A. 2A:58C-1 et seq.source (design defect, manufacturing defect, failure to warn); operator/owner negligence; respondeat superior; software-supplier liability typically as component of product-liability claim.
• Autonomous vehicles — New Jersey has no comprehensive AV operating statute yet, so AV incidents are handled under existing product liability, motor-vehicle negligence, fleet-operator liability, and insurance-coverage analysis.
• Autonomous AI agents transacting on principals' behalf — Restatement (Third) of Agency principles applied to AI; actual vs. apparent authority analysis; authorization-scope drafting (transaction limits, vendor whitelists, time windows, approval-loop triggers); counterparty verification; UCC and electronic-transactions frameworks (federal E-SIGN, NJ UETA, UCC § 2-204); handling of unauthorized AI conduct under ratification doctrine.

Full depth at our drones, robots & autonomous systems page — including Part 107 business infrastructure, commercial drone services contracts, drone-criminal defense framework, and AI-agent contract-formation analysis.

White-collar criminal defense in crypto and AI contexts.

Cryptocurrency and AI-related conduct can produce white-collar criminal exposure under both state and federal law:

• Securities fraud — state under N.J.S.A. 49:3-52source (NJ Uniform Securities Law); federal under Securities Exchange Act § 10(b). Whether a particular token is a security under the Howey test, SEC v. W.J. Howey Co.source, is fact-intensive and case-specific.
• Money laundering — state under N.J.S.A. 2C:21-25source; federal under 18 U.S.C. § 1956source. Mixer use, structuring through multiple wallets, and conversion to fiat through nominees can become part of the government's theory.
• Wire fraud — federal under 18 U.S.C. § 1343source. Broadly charged in alleged crypto-related fraud schemes that use interstate wires.
• Bank fraud and Bank Secrecy Act theories — federal exposure where the conduct involved federally insured financial institutions or alleged unlicensed money-transmitter activity.
• Identity theft and computer fraud — NJ N.J.S.A. 2C:21-17source and the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030source.

The white-collar defense framework is built out at our white-collar criminal defense page — including the pre-indictment investigation phase where most case-defining decisions are made.

Digital-asset estate planning under RUFADAA.

Digital assets do not pass at death the way bank accounts and real estate do. The New Jersey Revised Uniform Fiduciary Access to Digital Assets Act, codified at N.J.S.A. 3B:14-61.1 et seq.source (3B:14-61.1 through 3B:14-61.18), gives executors, trustees, and agents under power of attorney access to digital assets — but only where the user explicitly authorized it in the will, trust, or POA and did not direct otherwise through the platform's online tool.

A coordinated digital-asset estate plan covers:

1. Explicit RUFADAA authorization in the will, trust, and durable power of attorney — specifying which categories of digital assets the fiduciary may access (content of electronic communications, catalogues of communications, other digital assets) and any limitations.
2. Platform-specific designations — Google Inactive Account Manager, Apple Legacy Contact, Coinbase Beneficiary designations, Facebook Legacy Contact, and similar tools. These platform tools override the will or POA per N.J.S.A. 3B:14-61.12source; configuring them correctly is essential.
3. Crypto key-management succession. For self-custodied crypto (hardware wallets, software wallets, paper backups), the fiduciary's access depends entirely on whether the keys are recoverable. Multi-signature wallets, Shamir's Secret Sharing schemes, institutional custodial arrangements with succession procedures, and (in some cases) physical division of seed phrases across trusted family members each address this differently. The right approach depends on the asset value, the family structure, and the security threat model.
4. NFT and IP-rights provisions. NFTs are typically a token plus a license to associated content; the estate plan should address both the token transfer and the underlying licensed-content rights.
5. Trust structuring for high-value digital assets — including specific provisions for revocable and irrevocable trust ownership of crypto, NFTs, and other digital assets, coordinated with tax counsel or the client's CPA where tax analysis is needed.

This work is coordinated with our broader Estate Planning practice. Where digital-asset value is substantial, the digital-asset planning is typically the focal point of the broader estate plan; where it is incidental, it can be folded into a more conventional estate plan with a few targeted provisions.

How fees work.

This practice is primarily hourly-retainer work. Civil litigation and white-collar defense are too variable to flat-fee. We engage at hourly rates disclosed in the engagement letter, with a retainer covering initial work and replenishing monthly. For digital-asset estate planning components, flat-fee pricing is sometimes appropriate where the scope can be defined at the consultation. We do not market generalized crypto-recovery promises; where a narrow civil-recovery path is supportable, fee structure is quoted case by case in writing.

Early steps in a crypto / cyber / AI incident.

1. Preserve the evidence — including state-of-the-system records.

Screenshots, transaction hashes, wallet addresses, email headers, server logs, system images. The blockchain data is permanent but linkage data (which wallet belongs to whom) is not; exchange logs, KYC records, and IP-attribution data have retention windows. Contact counsel promptly about preservation and whether litigation-hold letters should issue.

2. If you are the victim, consider IC3 and local reporting.

For crypto theft, scam, or identity-theft victims, an FBI Internet Crime Complaint Center report and local law-enforcement report can create a record and may support law-enforcement requests to exchanges or platforms. We can help clients think through reporting and speak as counsel where appropriate, but we do not perform police investigations or promise that a report will lead to recovery. If you are accused of wrongdoing, speak with counsel before contacting investigators or making statements.

3. Notify the cyber-insurance carrier — under the policy's notice provisions.

For business cyber incidents, the cyber-insurance policy typically requires notice within a specific window (often 30-60 days from incident, sometimes shorter). Late notice produces coverage-denial risk. We coordinate the notice and the carrier's incident-response panel-counsel selection at the consultation.

4. For data breaches affecting NJ residents — calendar the notification deadline.

The NJ Identity Theft Prevention Act requires notification of affected NJ residents "without unreasonable delay." For breaches affecting more than 500 NJ residents, notification to the New Jersey State Police and the Division of Consumer Affairs is also required. Notification timing and form is regulated; defective notification produces both regulatory and private-action exposure.

5. Use chain-analysis carefully.

Chain-analysis tracing can be useful in victim-side civil work and in defense work, but it has limits. It may show movement between addresses; it may not prove who controlled those addresses or what a person knew. Reputable forensic vendors can help where the amount at issue and litigation posture justify the expense. Our role is to evaluate how that evidence fits into a legal claim or defense.

6. Document the affected parties and the timeline.

Who knew what, when. Who was notified internally. Who was authorized to act. Who actually acted. The timeline drives the case strategy — and the timeline is reconstructed from contemporaneous documents, not from later memory.

And the one thing not to do — don't post about it publicly.

Social-media posts about the incident, breach, scam, or claim become evidence and can complicate the case. The carrier may read them. Opposing counsel may read them. A prosecutor may read them. Keep the incident, the response, and the legal strategy among the people who need to know.

Why this practice exists at Simon Law Group.

The traditional categories — civil litigation, estate planning, white-collar defense, business law — handle the underlying legal frameworks fluently. Modern matters increasingly benefit from counsel who can read the technology: who can look at a Solidity smart contract and ask whether the function the parties intended is the function the code executed; who can read an exchange's terms of service alongside its bankruptcy filings and assess whether customer assets may be estate property; who can review a cyber-insurance policy's exclusions against the actual incident facts; who can evaluate an AI vendor agreement's indemnification clause in light of the specific harm the AI produced; who understands what RUFADAA can and cannot accomplish for a Ledger device with a forgotten PIN.

The fact patterns are novel. Much of the law is already there. The work is the application.

Frequently asked questions

Consult

Request a Case Evaluation

Answer a few questions and choose how you want the firm to follow up. Your request goes straight to our intake team for prompt, personal review.

Consultation request. There is no charge to send this form or to talk through your situation.

First Name *

Last Name *

Phone *

Email *

Address

Use your mailing address. It helps intake route the request and prepare conflict review.

Street Address *

Apartment, Suite, or Unit

City *

State *

ZIP Code *

How can we help? *

If your issue is tied to a court date, deadline, or safety concern, include that timing in the first sentence.

Preferred follow-up * Phone call Text me Email

I agree to receive text messages from Simon Law Group about my request. Consent is optional, and message frequency may vary. Reply STOP to opt out. See the SMS terms. I understand that submitting this form is governed by the Terms of Service and Legal Disclaimer, does not create an attorney-client relationship, and should not include confidential documents before the firm confirms it can discuss my matter.

Website (leave blank)

Submit Case Evaluation

Sending this form does not create an attorney-client relationship. Please do not include confidential documents here.