Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 1 of 21 PageID #: 1

IN THE UNITED STATES DISTRICT COURT

FOR THE EASTERN DISTRICT OF TEXAS
SHERMAN DIVISION

CAMERON JAMES, et al., §

Plaintiffs, §
§
vs. § CIVIL ACTION NO. 4:19-CV-801
§
§
JUSTIN E. VALO (a/k/a “JUSTIN §
VENDETTA” a/k/a “SUNEROK”); the § JURY TRIAL DEMANDED
VERGE CRYPTO-CURRENCY GENERAL §
PARTNERSHIP; and JOHN DOE #1, §
Defendants. §

COMPLAINT

TO THE HONORABLE UNITES STATES DISTRICT COURT JUDGE:

Plaintiffs Cameron James and the other plaintiffs identified below (the “Plaintiffs”) file

this, their Complaint against Justin E. Valo (“Valo”), the Verge Crypto-Currency General

Partnership (the “Partnership”), and John Doe #1 (“Doe”) (collectively the “Defendants”), and

in support thereof respectfully shows the Court the following:

I. SUMMARY OF ALLEGATIONS

1. This case arises out of the theft of Plaintiffs’ Verge (trading symbol ‘XVG’) virtual

currency (the “Verge Coins”), which were themselves unregistered securities, from a smart

phone “hot wallet” application called CoinPouch, that was developed and marketed by two

related Texas entities that are now in bankruptcy—Touch Titans, LLC, and Touch Titan Labs,

LLC (collectively, the “Touch Titans Entities”). Plaintiffs allege Defendant Valo, the Lead

Developer of Verge, and the Verge Crypto-Currency General Partnership, a common law general

partnership that formed to develop, market and benefit from the use of the Verge Coins

(collectively the “Partnership”), engaged in intentional, reckless or negligent acts leading to the

theft of their Verge Coins. On information and belief, the theft of Plaintiffs’ Verge Coins was

- 1-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 2 of 21 PageID #: 2

perpetrated by Defendant Doe, who gained unauthorized access to the protected computer on

which the private keys to Plaintiffs’ Verge Coins had been improperly captured and stored (the

“Hack”), thereby violating the Computer Fraud Abuse Act and committing conversion. In all,

approximately126,000,000 Verge Coins (the “Stolen Coins”) were taken in the Hack.

2. By conduct detailed in this Complaint, the Partnership violated Sections 5 and 12(a)

of the Securities Act of 1933 (the “Securities Act”) [15 U.S.C. §§ 77e and 77l(a)], and the

Computer Fraud and Abuse Act (“CFAA”) [18 U.S.C. § 1030] (collectively the “Federal

Claims”), in addition to other relevant Texas state law claims pleaded hereunder.

II. PARTIES

3. Plaintiffs Cameron James is an individual and citizen of the State of North Carolina

who may be contacted and served through the undersigned attorneys of record. Other Plaintiffs

listed in the Exhibit A are individuals who all lost Verge Coins they thought were stored on

CoinPouch as part of the Hack. They are citizens of various states or countries, and may be

contacted and served through the undersigned counsel for Plaintiffs.

4. Justin Valo (a/k/a Justin Vendetta, a/k/a Sunerok) (“Valo”) is a citizen of the State of

Florida who may be served with process at 16 NW 12TH PLACE, CAPE CORAL, FL 33993-

7726, or wherever he may be found.

5. The Verge Crypto-Currency General Partnership (the “Partnership”) is a common-

law general partnership of various persons listed in the Verge Black Paper who are engaged in

the development and marketing of the Verge Crypto-Currency (the “Verge Coins”). The

Partnership may be served through one its partners, Justin Valo, at 16 NW 12TH PLACE, CAPE

CORAL, FL 33993-7726, or wherever he may be found.

6. John Doe #1 is the owner of Verge account number

DM5Esw71BnTdJzX1FWpNLvdnrLuCS91v4N) (the “DM5 Account”), held on the Bitrex

exchange platform. The identity of John Doe #1 is currently unknown. However, on information

- 2-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 3 of 21 PageID #: 3

and belief, a substantial portion of the Verge Coins stolen in the Hack (as defined below) were

deposited into the DM5 Account shortly after the Hack.

III. JURISDICTION and VENUE

7. The Court has jurisdiction over this action under: (a) Sections 20(b), 20(d), and 22(a)

of the Securities Act [15 U.S.C. §§ 77t(b), 77t(d), and 77v(a)]; (b) 28 U.S.C. § 1331 (because

this action arises under the Exchange Act and Rule 10b 5(b) thereunder, as well as under the

CFAA); (c) 28 U.S.C. § 1337 (commerce regulation also provides grounds for federal

jurisdiction); and (d) 28 U.S.C. § 1367 which provides supplemental jurisdiction all state law

claims asserted, as they are so related that they form part of the same case or controversy under

Article III of the United States Constitution.

8. The Court has personal jurisdiction over Valo, the Partnership and Doe because: (a)

the Partnership regularly transacted business in Collin County, Texas; (b) Valo and the

Partnership are purposefully and intentionally availing themselves of the privileges of doing

business in the State of Texas, including in this District. Among other things, (i) Valo and the

Partnership engaged in extensive claims related contacts with the Touch Titans Entities in

connection with establishing the system architecture allowing for the support of Verge on

CoinPouch, and the claims in this action are related to claims brought by the Touch Titans

Trustee against Valo and the Partnership on behalf of the Touch Titans bankruptcy estates;1 (ii)

Valo and the Partnership have advertised, marketed, promoted, offered for sale, sold, distributed,

securities to potential customers and/or potential customers, including in this District, at least

through Verge’s principal web sites, https://vergecurrency.com,

https://twitter.com/vergecurrency, https://www.instagram.com/verge_currency/, and

https://www.facebook.com/VERGEcurrency/ (iii) Verge’s tortious acts giving rise to this lawsuit

and harm to the Plaintiffs have occurred and are occurring in the State of Texas, including in this

1
Christopher J. Moser, Trustee v. Justin E. Valo, et al., Case No. 19-04087 (Adversary), in the United States
Bankruptcy Court for the Eastern District of Texas, Sherman Division.

- 3-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 4 of 21 PageID #: 4

District, (iv) on information and belief, Verge acted with knowledge that its unauthorized use of

Plaintiffs’ rights would cause harm to Plaintiffs in the State of Texas and in this District, and (v)

Verge’s customers and/or potential customers reside in the State of Texas, including in this

District.

9. Venue is proper because certain of the transactions, acts, practices, and courses of

business occurred within this judicial district, and because a substantial part of the events or

omissions giving rise to the Texas state law claims occurred in this District.

IV. RELATED PERSONS AND ENTITIES

10. The Touch Titans Entities are Texas limited liability companies formed by Lawrence

K. Ballou (“Ballou”), the developer of the CoinPouch virtual currency wallet, and which were

owned at the time of the Hack by Ballou and his wife. The Touch Titans entities are currently in

Chapter 7 liquidation in the United States Bankruptcy Court for the Eastern District of Texas,

Sherman Division under Case No. 18-40344 In re Touch Titans, LLC (jointly administered).

While in operation, the Touch Titans Entities were mobile app development and design

companies specializing in mobile design software application and development across multiple

platforms, including Apple, Inc.’s iOS, Android, and Windows Phone operating systems.

V. STATEMENT OF FACTS

A. Verge Coins and the Verge Partnership:

11. The Partnership is in the business of developing, programming and marketing the use

of Verge Coins—a crypto-currency, or virtual currency that makes use of blockchain technology.

Like other crypto-currencies, Verge Coins depend on a combination of “private keys,” which are

supposed to be known only to the owner of the virtual currency, and “public keys” which are

visible in the public block chain ledger and used by the community for the virtual currency to

validate the authenticity of transactions. Access to the private key for a virtual currency allows

the person with that access to act as the owner of the virtual currency represented by that private

- 4-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 5 of 21 PageID #: 5

key.

12. There is a public market for Verge Coins, which trade on various virtual currency

exchange platforms under the symbol XVG. Verge Coins are so-called “privacy coins,” as they

are coded to be transferred in a manner that obscures the identity (internet protocol address) of

the parties. On or after June 15, 2016, the Partnership commenced offering Verge Coins to the

public in what amounted to a public initial coin offering (“ICO”). At present, there are

approximately 16 billion Verge Coins in circulation.

B. The Verge Coins sold to Plaintiffs are a Security:

13. The Verge Coins sold to Plaintiffs required the investment of money, in a common

enterprise, with an expectation of profits because:

(a) Plaintiffs were required to invest fiat money or exchange crypto-currency in order to

acquire the Verge Coins from Valo and the Partnership;

(b) Valo and the Partnership are not a private company and were accordingly responsible

for creating an ecosystem in which Verge Coins could be used, and then promoting and

developing Verge, without which, the Verge Coins would have no value;

(c) Plaintiffs had a reasonable expectation of profits from the purchase of the Verge

Coins and purchased the securities expecting that they would increase in value. Many

investors bought Verge in quantities that grossly exceeded the number of opportunities to

exchange the tokens for goods and services. These investors, including Plaintiffs, always

intended to be investment holdings, and purchased Verge as a security.

14. Valo and the Partnership were active participants and had an integral role in Verge’s

unregistered securities offering. Valo controlled Verge, was its public face, and Valo extensively

promoted the Verge Coins online and during in-person events. Valo has acknowledged in public

that he holds personal reserves of Verge Coins, which would necessarily increase in value as

more investors joined the scheme. The Partnership similarly hold reserves of the currency which

- 5-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 6 of 21 PageID #: 6

they expected to increase in value along with the currency. Plaintiffs relied on Valo.

15. By reason of the matters alleged herein, the investments offered by the Partnership

were securities within the meaning of Section 2(a)(1) of the Securities Act [15 U.S.C. §

77b(a)(1)] and Section 3(a)(10) of the Exchange Act [15 U.S.C. § 78c(a)(10)].

C. Valo and the Verge Defendants sold Verge to Plaintiffs by way of an unregistered
securities offering:

16. Verge Defendants were required to register the offering with the SEC. In an attempt

to avoid the federal registration requirements laws, Valo and the Partnership have recast the sale

of the purported Verge interests as sales of membership in a “volunteer community”. In reality,

the supposed “community” are in all material respects identical to the ownership attributes of

purchasing Verge Coins as securities and are securities within the meaning of the securities laws.

17. Notwithstanding this, the Partnership’s offer and sale of the Verge Coins were not

registered as required by the Securities Act.

D. The CoinPouch Application:

18. There are various mechanisms by which owners of virtual currencies can store their

private keys. However, these mechanisms generally fall into two broad categories: “hot” storage

and “cold” storage. Generally speaking, hot storage indicates that the owner’s private keys are

stored on an application on a computer (including a smart phone) which is connected to the

internet so that they may be more readily used or exchanged. Conversely, cold storage generally

refers to a crypto-currency wallet or storage mechanism that is not connected to the internet. Hot

storage mechanisms are more susceptible to hacking than cold storage mechanisms.

19. Ballou is the former President of the Touch Titans Entities, and along with his wife,

owned all membership units in the Touch Titans Entities. Ballou is the developer of CoinPouch,

an iOS-based crypto-currency hot wallet. CoinPouch was offered for download onto iPhones,

iPads and other devices running on the iOS operating system from Apple Corporation’s iTunes

“App Store”. Ballou claims to have originally developed and copyrighted the CoinPouch source

- 6-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 7 of 21 PageID #: 7

code in 2017. It was subsequently made it commercially available through the App Store during

that same year.

20. In developing CoinPouch, Ballou became aware that “private keys” should never be

stored on servers, but rather, should be held only in the owner’s hot wallet or in cold storage. In

the CoinPouch Terms of Service, which Ballou authored with the assistance of counsel, it was

affirmatively represented that Touch Titans Entities did not “store users’ private keys or

passwords.” Touch Titans Entities’ marketing materials for CoinPouch, as posted on the App

Store also stated:

Touch Titans Entities’ Privacy Policies, which Ballou authored with the assistance of counsel,

also assured those who used CoinPouch that “[w]e do not have access to your funds or private

keys,” and “[y]our private keys are securely encrypted to your device using native Apple best

practices.”

21. CoinPouch could not originally be used to store and transfer Verge Coins. In or

around August 2017, at Ballou’s direction, Touch Titans Entities conducted a public, virtual poll

of owners of several different brands virtual currencies to gauge their interest in being able to use

- 7-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 8 of 21 PageID #: 8

CoinPouch. Based on that poll and other factors, Touch Titans Entities determined that Verge

Coins should be supported on CoinPouch (the “Application”), and in early August 2017, reached

out to members of the Partnership to begin the process of making that support possible. Each of

the Plaintiffs downloaded the Application onto a protected computer and used it in connection

with the storage and transfer of their Verge Coins.

E. Vulnerabilities in the System Architecture:

22. The system architecture for the Application varied materially from the architecture of

the other virtual currencies already supported by CoinPouch. The other currencies supported by

CoinPouch all used a BlockCypher API2 which allowed users to generate private keys and

execute transactions on the user’s device, and did not require the private keys to leave that

device. However, the Verge Coin programming was not compatible with / supported by

BlockCypher.

23. Confronted with this incompatibility, Ballou, Valo and the Partnership decided to use

a client/server model involving a full Verge Coin blockchain database (the “Verge Node”) on a

virtual private server hosted by Vultur for the Application. The system architecture for the

Application also involved an API hosted on a Heroku server that acted as an interface between

the Verge Coin owners using the Application (the “Users”) and the Verge Node. Ballou, Valo

and/or the Partnership intentionally, recklessly, or negligently designed this system architecture

such that all User private keys were captured and stored on the Verge Node, and to

surreptitiously require User transactions be executed on the Verge Node, rather than User private

keys being stored on, and transactions executed on, the User’s device.

24. Touch Titans Entities paid the hosting fees on both the Vultur and Heroku servers.

2
BlockCypher is a company that provides APIs (Application Programming Interfaces (“APIs”)) for
several different virtual currency blockchains. An API is an interface or communication protocol between
a client and a server intended to simplify the building of client-side software. BlockCypher APIs serve as
an interface layer for programmers building blockchain applications, such as virtual currencies.

- 8-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 9 of 21 PageID #: 9

Ballou was responsible for the CoinPouch code and programming the security of the Heroku

API. Valo and the Partnership were responsible for the programing and security of the Verge

Node. Both Ballou and Valo had administrative access to the Verge Node, but only Ballou had

administrative access to the Heroku API. The storage of User private keys on the Verge Node

was contrary to public statements made by the Touch Titans Entities (in their Terms of Service

and Privacy Policies), and by Valo and the Partnership.

25. Specifically, during the time when Touch Titans Entities were making their decision

on whether to support Verge Coins on CoinPouch, the Partnership represented that User private

keys would not be created or stored on remote servers. For example, on August 6, 2017, Valo

represented to Touch Titans Entities that the Partnership could create an instance of the Verge

Coin blockchain that did not require Users to create a login and password, and that would not

store or create User private keys. Similarly, on or about August 9, 2017, “CryptoRekt,” a

marketing officer of the Partnership, supplied the Verge Black Paper directly to Touch Titans

Entities. The Verge Black Paper indicated that the Verge system architecture for other hot

wallets did not share private keys or store them on any server. Similar misrepresentations were

made by Valo and the Partnership during the period of time that Valo and Ballou were creating

the system architecture for the Application.

26. The system architecture related to the Heroku API also appears to be a point of

vulnerability. Ballou was responsible for ensuring that security and authentication measures were

taken with respect to the API used for the Application. Ballou also failed to properly program

the Application API with the security and authentication protocols necessary to protect User

private keys. Ballou also failed to verify the security of the Verge Node, or that the system

architecture would not result in the storage of User private keys on the Verge Node in violation

of Touch Titans Entities’ Terms of Service and Privacy Policies.

27. By storing the Plaintiffs’ private keys, Valo and the Partnership violated 18 U.S.C. §

1030(a)(2)(C) by intentionally capturing and storing the Plaintiffs’ private keys on the Verge

- 9-
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 10 of 21 PageID #: 10

Node, Valo and the Partnership accessed the Plaintiffs’ protected computers without

authorization, and/or exceeded their authorization to access the Vultur server hosting the Verge

Node, and in so doing, obtained access to the Plaintiffs’ valuable private keys.

28. Further, Valo and the Partnership violated 18 U.S.C. § 1030(a)(5)(A) by intentionally

designing the Application’s System Architecture to capture and store the Plaintiffs’ private keys

on the Verge Node, Valo and the Partnership also knowingly, intentionally, and without

authorization caused the transmission of information, code or command to a protected computer

and caused damage to and/or loss of Plaintiffs of the private keys associated with their Verge

Coins.

F. A Secure, Alternative System Architecture was Available:

29. There were different designs Defendants could have used to construct a system

architecture that kept User private keys safe. With respect to the failure to properly secure the

API, Ballou could have coded the Application to: (a) generate Verge Coin public/private key

pairs on the User’s device; (b) receive the blockchain data from the Verge Node; (c) create

transactions using UTXOs3 stored on the User’s device; and (d) broadcasting those transactions

through an RPC4 call to the Verge Node without transmitting the User’s private keys (the

“Alternative API Architecture”). The Alternative API Architecture would have kept the User’s

private keys on their devices. Ballou failed to adopt these safer design alternatives.

30. With respect to the Vultur server hosting the Verge Node, controls could have been

put in place to harden the system infrastructure and limit access to private keys, such as: (a)

limiting the amount of User funds that were stored in a hot environment, and placing the balance

in a cold environment; and (b) using multiple signature requirements or features such as two-

3
“UTXO” stands for Unspent Transaction (TX) Output. This is basically the “change” or balance of
leftover crypto-currency a User would have after each transaction.
4
A Remote Procedure Call (“RPC”) is a protocol that one program can use to request a service from a
program located in another computer on a network without having to understand the network's details.

- 10 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 11 of 21 PageID #: 11

factor authentication (the “Alternative Server Architecture,” and together with the Alternative

API Architecture, the “Alternative Architecture”). Such measures would have served to limit

access to User private keys stored on the Verge Node, and mitigated the loss of User Verge

Coins from any hack that did occur. Valo and the Partnership failed to adopt these safer design

alternatives.

G. The Hack:

31. On or around November 9, 2017 an unknown CoinPouch User informed the Ballou

that his Verge Coins were missing from CoinPouch. Ballou put Valo on notice of this claim and

asked him to investigate. Valo initially reported that it did not appear that the Verge Node had

been hacked because of the levels of the Verge Coin balances on the Verge Node. However, after

additional Users began to report missing Verge Coins, additional investigation was undertaken

by Valo and Ballou and it was determined that the number of Verge Coins reflected on the Verge

Node had been falsified and did not match the public blockchain ledger for Verge.

32. This discovery led Touch Titans Entities, on November 21, 2017, to issue a press

release (the “First Press Release”) titled “Verge Specific Node wallets hacked”. In the First

Press Release, Touch Titans Entities first notified CoinPouch Users that their Verge Coins may

have been lost from CoinPouch. Touch Titans Entities also stated that they had notified the

authorities of the breach of security.

33. On November 22, 2017, Touch Titans Entities issued a further press release (the

“Second Press Release”). In the Second Press Release, Touch Titans Entities stated that they had

initiated an investigation of the Verge Specific Node and had also commissioned a forensic

computer analysis.

34. Notwithstanding the First and Second Press Releases, Touch Titans Entities never

publicly released any additional information regarding the loss of the Verge Coins from

CoinPouch after the Second Press Release on November 22, 2017, other than a November 27,

2017, notice to users that support for the Verge Coins on CoinPouch would be discontinued.

- 11 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 12 of 21 PageID #: 12

35. By reason of the Hack, CoinPouch Users lost in excess of 126,000,000 Verge Coins,

with an equivalent USD value of over $9 million as of January 22, 2018. These losses were

caused by the intentional conduct, recklessness, or negligence of Ballou, Valo, and the Verge

Partnership. The potential legal exposure associated with these claims forced the Touch Titans

Entities into bankruptcy, causing the loss of future profits to the Touch Titans Entities, to the

injury of its creditors.

36. On information and belief, the Hack began or around November 9, 2017, and over

approximately the next two to three weeks, the hacker proceeded to convert approximately

126,000,000 Verge Coins from the Verge Node with an equivalent USD value at the time of the

Hack of $750,000. On information and belief, the highest intermediate value of the Stolen Coins,

for which Defendants are liable, was $13,000,000. Plaintiffs reserve the right to claim the highest

value of the Stolen Coins between the date of the Hack and the trial of this action. On

information and belief, the Stolen Coins all were deposited into the DM5 Account belonging to

Doe shortly after the Hack. Subsequent to the Hack, Doe donated a substantial number of Verge

Coins back to the Partnership as part of a fundraising effort by the Partnership to promote

adoption of the Verge virtual currency.

37. On or around November 9, 2017 an unknown CoinPouch User informed the Debtors

that his Verge Coins were missing from CoinPouch. Ballou put Valo on notice of this claim and

asked him to investigate. Valo initially reported that it did not appear that the Verge Node had

been hacked because of the levels of the Verge Coin balances on the Verge Node. However,

after additional Users began to report missing Verge Coins, additional investigation was

undertaken by Valo and Ballou and it was determined that the number of Verge Coins reflected

on the Verge Node had been falsified and did not match the public blockchain ledger for Verge.

38. This notification triggered an investigation by Ballou, and on November 21, 2017,

Ballou issued a press release (the “First Press Release”) titled “Verge Specific Node wallets

hacked”. In the First Press Release, Ballou first notified CoinPouch Users that their Verge Coins

- 12 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 13 of 21 PageID #: 13

may have been lost from CoinPouch. Ballou also stated that they had notified the authorities of

the breach of security.

39. On November 22, 2017, Ballou issued a further press release (the “Second Press

Release. In the Second Press Release, Ballou stated that they had initiated an investigation of the

Verge Specific Node and had also commissioned a forensic computer analysis.

40. On November 27, 2017, the Touch Titans Entities issued version 1.0.6 of CoinPouch

and removed support for Verge XVG. On February 22, 2018, Ballou filed voluntary bankruptcy

petitions in respect of the Touch Titans Entities under Chapter 11 of the Bankruptcy Code, 11

U.S.C. § 101 et seq. (the “Bankruptcy Cases”).

41. On information and belief, Doe perpetrated the Hack, and by so doing violated 18

U.S.C. § 1030(a)(4). Specifically, by accessing the Heroku server hosting the API, and/or the

Vultur server hosting the Verge Node without authorization, falsifying the Plaintiffs’ account

balances, and siphoning off their Verge Coins, the Doe Defendant knowingly and without

authorization accessed a protected computer with the intent to defraud and obtained Plaintiffs’

valuable private keys.

VI. CAUSES OF ACTION

First Claim
Violation of Section 5(a) and 5(c) of the Securities Act
(Against Valo and the Partnership)

42. Plaintiffs incorporate the foregoing paragraphs as though fully set forth herein.

43. By virtue of the foregoing, the Partnership:

(a) without a registration statement in effect as to that security, directly and indirectly,

made use of the means and instruments of transportation or communications in interstate

commerce and of the mails to sell securities through the use of means of a prospectus;

and

- 13 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 14 of 21 PageID #: 14

(b) made use of the means and instruments of transportation or communication in

interstate commerce and of the mails to sell securities through the means of a prospectus,

securities as to which no registration statement had been filed.

44. By reason of the actions alleged herein, Defendants, directly or indirectly violated

Sections 5(a) and 5(c) of the Securities Act [15 U.S.C. §§ 77e(a) and e(c)].

Second Claim
Violation of the Computer Fraud Abuse Act
(Against All Defendants)

45. Plaintiffs incorporate the foregoing paragraphs as if fully set forth herein.

46. Each of the Plaintiffs downloaded the Application onto a “computer” as defined in 18

U.S.C. § 1030(e)(1). The Vultur server on which the Verge Note resided, and the Heroku server

on which the Application API resided are also “computers” under the CFAA. Each of these

computers was a “protected computer” connected to the internet and used in or affecting

interstate or foreign commerce or communication.

47. The identified Defendants violated the following provisions of the CFAA:

(a) 18 U.S.C. § 1030(a)(2)(C): by intentionally designing the Application’s System

Architecture to capture and store the Plaintiffs’ private keys on the Verge Node, Valo and

the Partnership accessed the Plaintiffs’ protected computers without authorization, and/or

exceeded their authorization to access the Vultur server hosting the Verge Node, and in

so doing, obtained access to the Plaintiffs’ valuable private keys;

(b) 18 U.S.C. § 1030(a)(5)(A): by intentionally designing the Application’s System

Architecture to capture and store the Plaintiffs’ private keys on the Verge Node, Valo and

the Partnership also knowingly, intentionally, and without authorization caused the

transmission of information, code or command to a protected computer and caused

damage to and/or loss of Plaintiffs of the private keys associated with their Verge Coins;

and

- 14 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 15 of 21 PageID #: 15

(c) 18 U.S.C. § 1030(a)(4): on information and belief, by accessing the Heroku server

hosting the API, and/or the Vultur server hosting the Verge Node without authorization,

falsifying the Plaintiffs’ account balances, and siphoning off their Verge Coins, the Doe

Defendant knowingly and without authorization accessed a protected computer with the

intent to defraud and obtained Plaintiffs’ valuable private keys.

48. Each of the foregoing violations of the CFAA caused Plaintiffs to suffer loss during

the period from on or about November 9, 2017 to November 9, 2018 aggregating at least $5,000

in value, and caused damage affecting 10 or more protected computers during that time period.

49. Due to Defendants’ violations of the CFAA, Plaintiffs have suffered actual, and

consequential damages and loss of data, including but not limited to the loss of their Verge Coins

and the ability to profit from the sale or exchange of their Verge Coins after the date of the Hack.

Third Claim
Conversion
(Against John Doe #1)

50. Plaintiffs incorporate the foregoing paragraphs as though fully set forth herein.

51. Doe is the owner of the DM5 Account.

52. Plaintiffs are the lawful owners with right to possession of the Stolen Coins.

53. Doe has no right, title, or interest to the rights of the Stolen Coins and Doe’s

continued possession of the same constitutes an unlawful, ongoing conversion of Plaintiffs’

personal property.

54. As a result of the Defendants' ongoing conversion, Plaintiffs has suffered actual and

economic damages.

55. Furthermore, the Defendants' ongoing conversion constitutes an act of malice for

which Plaintiffs are entitled to recover exemplary damages.

- 15 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 16 of 21 PageID #: 16

Fourth Claim
Unjust Enrichment
(Against John Doe #1 and the Partnership)

56. Plaintiffs incorporate the foregoing paragraphs as though fully set forth herein.

57. Doe is the owner of the DM5 Account, and subsequent to the Hack, transferred a

substantial number of the Stolen Coins to the Partnership.

58. Plaintiffs are the lawful owners with right to possession of the Stolen Coins.

59. Doe and the Partnership have no right, title, or interest to the rights in the Stolen Coins,

and have been unjustly enriched by their receipt of same.

60. Plaintiffs seek disgorgement of the Stolen Coins from Doe and the Partnership.

Fifth Claim—Product Liability

(Against Valo and the Partnership)

61. Plaintiffs incorporate the foregoing paragraphs as though fully set forth herein.

62. The Application was a product.

63. The Application was defectively designed so as to render it unreasonably dangerous.

Specifically, the Application was designed to capture and store Users’ private keys on the Verge

Node, and the API for the Application failed to have adequate security (the “Defects”).

64. The Defects were a producing cause of the injuries to the Plaintiffs, as they resulted in

security vulnerabilities leading to the Hack and the theft of Plaintiffs’ Verge Coins they believed

to be securely stored on CoinPouch.

65. As alleged above, a safer alternative design for the Application existed in the form of

the Alternative Architecture.

Actual Damages

66. As a result of Defendants’ wrongful conduct pleaded above, Plaintiffs have suffered

losses that were proximately caused by the wrongful conduct of the Defendants as pleaded

- 16 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 17 of 21 PageID #: 17

herein. Defendants’ conduct has caused Plaintiffs substantial harm and they are entitled to actual

damages and/or equitable relief. Plaintiffs are also entitled to special damages. Defendants are

jointly and severally liable for the injuries caused to the Plaintiffs.

67. By reason of the matters alleged herein, Plaintiffs are entitled to special damages

over and above actual damages.

68. Further, Plaintiffs are entitled to pre-judgment and post-judgment interest on their

damages.

Exemplary Damages

69. Plaintiffs incorporate all of the preceding paragraphs as if fully set forth herein.

70. In addition to actual and special damages, Plaintiffs are entitled to recover exemplary

or punitive damages. Defendants conduct was done knowingly, with actual awareness, malice

and intent, and/or with such an entire want of care as to indicate that the acts and omissions in

question were the result of conscious indifference to the rights and welfare of Plaintiff.

71. The wrongs done by the Defendants were malicious and were done with reckless

disregard and outrageous indifference to the welfare of Plaintiffs and warrant the imposition of

exemplary damages.

VII. ATTORNEYS’ FEES

72. Plaintiffs are entitled to recover their reasonable and necessary attorneys’ fees, expert

witness fees, cost for copies of depositions, and court costs by the terms of the Notes, and under

the Securities Act.

VIII. DISCOVERY RULE

73. Plaintiffs did not discover, and could not in the exercise of reasonable diligence

discovered, the Hack or their loss until November 21, 2017, at the very earliest. As such, the

statute of limitations on any cause of action to which the discovery rule applies is tolled.

- 17 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 18 of 21 PageID #: 18

IX. CONDITIONS PRECEDENT

74. All conditions precedent to each and every cause of action set forth above have

occurred, been met, been waived, or otherwise been satisfied.

X. DEMAND FOR JURY TRIAL

75. Plaintiffs demand trial by jury.

XI. PRAYER FOR RELIEF

WHEREFORE, Plaintiffs respectfully request that the Court enter a judgment finding

for Plaintiffs on their causes of action alleged herein, and awarding Plaintiffs:

(a) Disgorgement of the profits from the sale of the securities to Plaintiffs.

(b) Actual, consequential, special, and exemplary damages.

(c) Equitable relief to which Plaintiffs may be entitled, including, but not limited to

rescission, restitution, and disgorgement of any unjust enrichment of Defendants;

(d) Reasonable and necessary attorney’s fees and court costs.

(e) Interest at the highest lawful to the date of judgment, and post judgment interest

from the date of judgment until the judgment is paid.

(f) Granting such further or other relief as this Court may deem just and proper.

DATED: November 4, 2019.

- 18 -
Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 19 of 21 PageID #: 19

Respectfully submitted,

GLAST, PHILLIPS & MURRAY, P.C.

/s/ David W. Dodge

DAVID W. DODGE
TEXAS STATE BAR NO. 24002000
[email protected]
MATTHEW E. FURSE
TEXAS STATE BAR NO. 24105032
[email protected]
14801 Quorum Dr., Ste. 500
Dallas, Texas 75254
Tel. (972) 419-8300
Fax. (972) 419-8329

ATTORNEYS FOR PLAINTIFFS

- 19 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 20 of 21 PageID #: 20

EXHBIT “A” TO COMPLAINT – LIST OF PLAINTIFFS

No. Name Country City and State
1 Cameron James USA Lewisville, NC

2 Nicholas Daniel Baney USA Indialantic, FL

3 Sandip Chizar Canada Coquitlam, BC

4 Bjorn Jagt The Netherlands Almelo

5 David Quintanilla II USA Spring, TX

6 Larry Huynh USA USA

7 Joseph Ronald Beimel USA Kersey, PA

8 Adam Bonola Australia Australia

9 Ben Funnell UK Eastleigh, Hampshire

10 Marco van Wissing The Netherlands Gennep

11 Mustafa Al-Ayoubi Canada London, Ontario

12 Dindo San Diego Oliveros Philippines Rosa Laguna

13 Ryan Stratton Conway USA Kilmarnock, VA

14 Wojciech Piotr Pawlowski The Netherlands Amsterdam

15 Nathan Stuart Benn Australia Brighton East

16 Ramprasad Veeranan Baskaran Australia Gaythorne

17 John Shard Australia Arana Hills

18 Steven Carstens USA USA

19 Vincent Leonard Hink The Netherlands Derkinderenstraat

20 Michael Anthony Archuleta USA El Paso, TX

- 20 -
 Case 4:19-cv-00801 Document 1 Filed 11/04/19 Page 21 of 21 PageID #: 21

21 Dominik Andrzej Marchlewski Spain

22 Jeroen van Ede The Netherlands

23 Stephen Mark Thomas Australia Applecross, Perth

24 Kee Jun Shan Malaysia Ulu Tiram Johor

25 Klaus Steinbach Germany Frankfurt am Main

26 Salma Ahmed UK

27 Bryan Daniel Levi USA Vernon, PA

28 Sameer Ghani USA Houston, TX

29 Tobias Anton Egger Austria Gerlos

30 Ryan Reynolds

31 Daniel Tiernan Crompton UK Riccall, Yorkshire

32 Ehab Elsayed The Netherlands Amsterdam

33 Freek Jan Etiënne Caron The Netherlands Wurtemberglaan

34 W. Ryan Bailey Canada Toronto, Ontario

35 Gretchen Marie Sonne USA Bensalem, PA

36 Sergio Fernández Cara Spain Spain

37 Daniel Takacs Hungary

38 Buckley Weglarz USA Tampa FL

39 Dominic Leon van Elzelingen The Netherlands Gravenpolder

40 Martijn Hurkmans The Netherlands Dalemstraat

DATED: November 4, 2019.

- 21 -