The Warning Years — When the SEC Had No Rulebook for Crypto (2017–2024)

From the DAO Report to the Coinbase Catch-22 — how nine years of enforcement without rules accidentally built every intellectual ingredient for Release 33-11412.

The previous posts in this series explained what Release 33-11412 does — the five categories, the separation doctrine, the technical rulings. This post asks a different question: how did we get here?

On March 17, 2026, the SEC published the first Commission-level framework classifying crypto assets into five categories. For the first time in nine years, the industry had something resembling an official rulebook.

But rulebooks don’t appear out of thin air. Release 33-11412 is the product of a nine-year intellectual genealogy: from the first cautious warnings of 2017, through a chaotic era of enforcement-without-rules, to the political earthquake of 2025 that finally forced a paradigm shift. To understand what the Release means, you need to understand how we got here.

This post covers the first half of that story — the years when the SEC tried to regulate crypto without ever writing the rules.

Chapter 1: The Warning Years (2017–2018)

The ICO Gold Rush

In 2017, the crypto industry discovered a new way to raise money. Initial Coin Offerings — ICOs — let anyone with a whitepaper and a smart contract raise millions in hours. The numbers were staggering: 875 projects raised roughly $4.9 billion in 2017. By 2018, the frenzy had doubled — over 1,250 ICOs pulled in $7.8 billion, with $6.3 billion raised in the first quarter alone.

Most of these projects promised revolutionary technology. Many delivered nothing. The SEC was watching, and in the summer of 2017, it fired the first shot.

The DAO Report: “Yes, Howey Applies Here”

In July 2017, the SEC published what would become known as the DAO Report (Release No. 34-81207). The DAO — short for “Decentralized Autonomous Organization” — had been an Ethereum-based investment fund that raised $150 million before a hacker drained a third of the funds in 2016. The SEC investigated and concluded: DAO tokens were securities under the Howey Test.

The significance wasn’t the conclusion itself — it was the principle behind it. The SEC declared that it would judge crypto assets by their economic substance, not their technological form. A token on a blockchain is still an investment contract if people buy it expecting profit from someone else’s efforts.

The SEC chose not to bring enforcement charges. The DAO Report was a warning, not a punishment. But the warning was unmistakable: the 1933 Securities Act applies to the blockchain.

This principle — substance over form, economic reality over technological packaging — would become the foundation of Release 33-11412’s five-category classification system eight years later. The DAO Report planted the first seed.

Munchee and Clayton: The December One-Two Punch

On December 11, 2017, the SEC delivered two messages simultaneously.

First, the Munchee Order. Munchee was a food review app that tried to raise $15 million through an ICO. The company marketed its MUN token as a “utility token” — meant for use within the app, not as an investment. The SEC disagreed. It didn’t matter that MUN had a potential use case; what mattered was that Munchee marketed the token’s potential for price appreciation, and buyers purchased it expecting profits. Munchee shut down the offering within hours and refunded all investors.

The message: calling your token a “utility token” doesn’t make it one.

The same day, SEC Chairman Jay Clayton published a statement with a line that would echo across the industry: “I believe every ICO I’ve seen is a security.” He urged market participants and their lawyers to take securities law compliance seriously.

In the span of six months — from the DAO Report in July to Clayton’s statement in December — the SEC had drawn a clear line. What it hadn’t done was tell the industry exactly where that line was.

Hinman’s Speech: A Concept Born Without a Foundation

In June 2018, William Hinman, Director of the SEC’s Division of Corporation Finance, gave a speech at the Yahoo Finance All Market Summit with an academic-sounding title: “Digital Asset Transactions: When Howey Met Gary (Plastic).”

The speech introduced a concept that would haunt the industry for years: “sufficiently decentralized.”

Hinman’s argument: if a blockchain network becomes sufficiently decentralized, then buyers of its token are no longer relying on the efforts of a central team. At that point, the Howey Test’s fourth prong — “efforts of others” — falls away, and the token stops being a security. He applied this reasoning to Bitcoin and Ethereum, declaring that neither was a security in its current state.

The concept was intuitive. It was also, according to the SEC’s own staff, legally groundless.

The Hinman Emails: Internal Revolt

In 2023, a federal court ordered the release of internal SEC emails from the period when Hinman prepared his speech. The documents — 63 emails and 52 unique drafts — revealed something remarkable: significant internal opposition within the SEC itself.

The Director of Trading and Markets warned that the speech’s approach might “lead to greater confusion on what is a security.” The head of the Office of General Counsel raised concerns about the disconnect between Hinman’s analysis and established Howey factors. Staff members identified three fundamental problems:

First, “sufficiently decentralized” was divorced from the Howey factors — the concept appeared nowhere in existing case law. Second, if decentralized tokens escaped securities classification, they fell into a regulatory gap with no alternative oversight. Third, the entire analysis lacked any basis in law.

Hinman delivered the speech anyway, prefacing it with a disclaimer that it represented his personal views, not the SEC’s official position. That disclaimer would later backfire spectacularly: in the Ripple lawsuit, the defense argued that the SEC had built its enforcement strategy on a standard that wasn’t even its own official policy.

For the next seven years, an informal concept from a personal speech — opposed by the agency’s own lawyers — functioned as the market’s primary guide for determining whether a token was a security.

The legal basis was absent. But the intuition — that a token’s securities status could change over time as the network matured — would survive. Refined beyond recognition, it would reemerge eight years later as the Release’s Separation doctrine: the formal mechanism by which an investment contract can dissolve when the issuer’s essential managerial efforts cease.

Chapter 2: Enforcement Without a Framework (2019–2024)

The 2019 Framework: A Blunt Instrument

In April 2019, the SEC’s FinHub published a “Framework for ‘Investment Contract’ Analysis of Digital Assets.” It was staff guidance — non-binding and below Commission level — but it was the only analytical tool the SEC offered. For the next seven years, this would be it.

The Framework provided a list of factors for evaluating whether a digital asset constituted an investment contract. The problem was that the list was non-exhaustive and unweighted. In practice, virtually any token could be argued to satisfy enough factors to qualify as a security. The industry’s complaint was simple: the Framework told you what questions to ask, but not how to weigh the answers.

The same day, the SEC issued its first-ever No-Action Letter for a crypto asset — to TurnKey Jet, a prepaid jet charter service. It would remain one of the very few such letters in the crypto space.

The 2019 Framework’s failure would prove, by exhaustion, a critical negative lesson: open-ended factor tests don’t scale. Seven years of confusion would become the strongest argument for what the Release ultimately delivered — a structural classification system with named categories and defined boundaries, replacing “weigh all the circumstances” with “if it fits this category, here’s the answer.”

Telegram and Kik: The Enforcement Template

Even as the Framework was published, the SEC was building its case law the old-fashioned way — through lawsuits.

In October 2019, the SEC obtained an emergency restraining order against Telegram, which had raised $1.7 billion from sophisticated investors to fund the development of its TON blockchain and the GRAM token. The court’s ruling was devastating: it treated the private sale, the planned token distribution, and the expected secondary market resale as parts of a single, integrated scheme — an unregistered public offering of securities. Telegram returned $1.22 billion to investors and paid an $18.5 million fine.

Around the same time, the SEC won summary judgment against Kik Interactive, which had raised $100 million through sales of its Kin token. The court ruled that Kik’s private SAFT sale and public token distribution were a single integrated offering — a pattern that would recur in future cases.

These early cases established the template: the SEC would use litigation, not rulemaking, to define the boundaries of crypto regulation.

The 2022 Crypto Winter: Fuel for Enforcement

Then the market imploded.

In May 2022, the algorithmic stablecoin TerraUSD lost its dollar peg. Its companion token Luna, once valued at $119, fell to near zero. The collapse erased $45 billion in value within a week and triggered a chain reaction: Celsius Network froze withdrawals, Three Arrows Capital went bankrupt, and the contagion spread across the industry. Bitcoin fell from $47,000 to below $16,000.

Six months later, FTX — the third-largest crypto exchange — filed for bankruptcy. Its founder Sam Bankman-Fried was later sentenced to 25 years in prison.

For the SEC, the catastrophe validated its approach. If the industry wouldn’t register voluntarily, enforcement would compel compliance.

The Gensler Campaign: Enforcement at Scale

Gary Gensler became SEC Chairman in April 2021 with a clear philosophy: existing securities laws already applied to crypto, and no new rules were needed. His now-famous position: the industry should simply “come in and register.”

The enforcement numbers told the story. In 2021, Gensler’s first year, the SEC brought 20 crypto-related enforcement actions. In 2022, that jumped to 30 — a 50% increase. In 2023, it hit 46 — a record high and more than double the 2021 figure. Investor complaints about crypto submitted to the SEC surged from 820 in 2019 to over 5,300 in 2023.

Three cases defined the era.

Ripple (filed December 2020). The SEC accused Ripple Labs of conducting a $1.3 billion unregistered securities offering through sales of XRP. In July 2023, Judge Analisa Torres delivered a split decision that sent shockwaves through the industry: institutional sales of XRP were securities transactions, but programmatic sales on exchanges were not. The reasoning — that exchange buyers didn’t purchase directly from Ripple and therefore didn’t rely on Ripple’s efforts — drew, for the first time in case law, the distinction that the Release would later elevate to a governing principle: the asset is not the security; the transaction is. The same XRP token produced opposite legal conclusions depending on the context of the sale.

Coinbase (filed June 2023). The SEC sued the largest U.S. crypto exchange for operating as an unregistered exchange, broker, and clearing agency. The complaint named 13 tokens — including SOL, ADA, and MATIC — as securities. The irony was sharp: Coinbase had gone public through an SEC-approved IPO just two years earlier.

Binance (filed June 2023). The SEC brought 13 charges against the world’s largest crypto exchange, its U.S. affiliate, and CEO Changpeng Zhao. It was the most comprehensive crypto enforcement action ever filed.

The Catch-22

The industry’s frustration crystallized around a single contradiction.

In July 2022, Coinbase filed a formal petition with the SEC requesting crypto-specific rulemaking. Under the Administrative Procedure Act, the SEC was obligated to respond within “a reasonable time.” Months passed. Coinbase eventually sued the SEC in the Third Circuit Court of Appeals to force a response.

In December 2023, the SEC denied the petition. In its filing, Coinbase captured the absurdity in a single sentence: the agency insists firms comply with its regulations, but refuses to conduct the rulemaking needed to establish regulations by which firms feasibly could do so.

The industry’s rallying cry became: Register where? Under what rules?

The Dissenting Voice

Not everyone at the SEC agreed with the enforcement-first approach.

Commissioner Hester Peirce — nicknamed “Crypto Mom” by the industry — had been advocating for a different path since 2020. Her Token Safe Harbor proposal offered crypto projects a three-year grace period to develop their networks before facing securities regulation, with disclosure requirements (a “Plan of Development”) and a clear exit ramp — either demonstrate decentralization or register as a security.

The Commission never adopted the proposal. But Peirce’s critique of her own agency was pointed: the SEC had “not created an environment within which good activity can flourish.” She dissented against enforcement actions targeting NFT issuers, questioned the application of securities law to collectibles and memberships, and consistently argued that the agency was using litigation as a substitute for policy.

In January 2025, Peirce would be named to lead the newly created Crypto Task Force. Her years of internal dissent were about to become official policy.

FIT21: Congress Steps In

By 2024, even Congress had lost patience.

The Financial Innovation and Technology for the 21st Century Act — FIT21 — passed the House in May 2024 with a bipartisan vote of 279 to 136. It proposed dividing crypto oversight between the SEC and CFTC, creating clear categories for digital assets, and establishing a decentralization test (the “20% Rule”) for determining when a token transitions from SEC to CFTC jurisdiction.

FIT21 died in the Senate. But its DNA would survive. The classification framework, the dual-regulator structure, the decentralization threshold — all of these would reappear, refined and strengthened, in the 119th Congress’s CLARITY Act and, ultimately, in Release 33-11412 itself.

Bridge: The Raw Materials Were Already on the Table

Look back at the wreckage of 2017–2024, and something surprising emerges. Beneath the chaos — the contradictory speeches, the unworkable guidance, the lawsuits that answered nothing — the intellectual raw materials for a comprehensive framework had been accumulating, one hard lesson at a time.

The DAO Report established that economic substance, not technological form, determines securities status. Hinman’s flawed speech — for all its legal deficiencies — planted the idea that securities status could be dynamic, not permanent. The 2019 Framework’s seven-year failure proved that open-ended factor tests cannot substitute for structural classification. And Torres, ruling on Ripple, separated the asset from the transaction — the conceptual breakthrough that the Release would build its entire architecture upon.

By the end of 2024, every intellectual ingredient for Release 33-11412 already existed. What was missing wasn’t the ideas. It was the institutional will to assemble them. An enforcement-first SEC had no incentive to write clear rules — clear rules would constrain the very discretion that made enforcement-first possible.

Then, on January 20, 2025, that calculus changed overnight. But the framework that emerged wasn’t invented in 2025. It was harvested — from nine years of courtroom battles, failed guidance, and hard-won judicial precedent.

That harvest — and the remarkable speed with which it happened — is the subject of Part 2b.

This is Part 2a of “The New Crypto Rulebook” series. For the five-category framework itself, see Post 1c: Inside the Release — The Five Categories. For what comes next, continue to Part 2b: The Great Pivot.