What Missouri Is Actually Demanding — And Why the Numbers Matter
Missouri Attorney General Andrew Bailey isn’t pursuing a niche crypto enforcement action. The lawsuit against CoinFlip invokes the Missouri Merchandising Practices Act — the same broad consumer protection statute used to go after deceptive car dealers and predatory lenders. That framing matters. It signals that state regulators don’t need new crypto-specific laws to come after ATM operators. The existing consumer protection toolkit is sufficient.
The numbers in the complaint tell a specific story. The AG’s office is seeking civil penalties of $1,000 per violation across the past five years, with total exposure capped at $1,826,000. CoinFlip operates 136 kiosks in Missouri alone. Spread that maximum penalty figure across five years of transactions at 136 machines, and the per-machine deterrent effect looks thin. If even a fraction of victims lost thousands of dollars each — a common pattern in crypto ATM fraud, where scammers instruct targets to deposit cash — the penalty ceiling could fall well short of actual consumer losses. The restitution demand addresses that gap in part, but restitution requires identifying and compensating individual victims, which is rarely straightforward.
The injunction demand is the sharpest tool in the complaint. The AG isn’t asking CoinFlip to clean up its practices or post better disclosures. The office is asking a court to ban CoinFlip from operating in Missouri entirely. That’s a full operational shutdown for a company with 136 active kiosks in the state. If a court grants that relief, it creates a precedent other state attorneys general can point to when drafting their own complaints against competing operators. A declaratory judgment that these practices violate standard consumer protection law — combined with an injunction shutting down operations — hands other states a ready-made legal template. The case stops being one company’s problem and becomes the industry’s problem.
The Scale Most People Are Missing: 4,000+ Machines Nationwide
CoinFlip runs 136 crypto kiosks in Missouri alone. Across the United States, that number climbs to 4,229 machines — a sprawling physical network that transforms Missouri Attorney General Andrew Bailey’s lawsuit from a regional enforcement action into a stress test for the entire industry. Any legal standard the Missouri courts apply to CoinFlip’s fee disclosures, fraud warnings, or consumer protections doesn’t stop at the state line. It travels with every machine.
The geography of where those machines sit matters as much as the count. Crypto ATMs cluster in convenience stores, gas stations, and check-cashing outlets in lower-income neighborhoods — locations that put the technology directly in front of people with fewer financial resources and less familiarity with cryptocurrency’s irreversible transactions. Regulators across multiple states have documented the same pattern: scammers instruct victims by phone to walk to a nearby crypto kiosk and deposit cash, often framing the request as an emergency or government debt. The machines’ physical accessibility in these communities is precisely what makes them attractive to fraudsters and, critics argue, what makes operator negligence so consequential.
The volume of machines creates a compliance problem that critics say the industry has exploited rather than solved. Monitoring transaction patterns, flagging suspicious deposits, and enforcing consumer disclosures across thousands of kiosks spread across dozens of states demands infrastructure and investment that many operators have resisted building. The result is a gap between how large these companies have grown and how accountable their individual machines actually are. CoinFlip’s nationwide footprint didn’t emerge quietly — the company advertised those 4,229 locations as a competitive advantage. Missouri’s lawsuit now treats that scale as evidence of proportionally larger harm. If the practices alleged in the complaint occurred across even a fraction of those machines, the consumer impact dwarfs what the civil penalties in a single state can address.
The Missing Context: CoinFlip Is Not Alone — The Whole Industry Is Under Pressure
Most coverage treats the Missouri lawsuit as a CoinFlip problem. It isn’t. Bitcoin Depot, the largest crypto ATM operator in the United States, warned investors about mounting lawsuit risks and regulatory exposure before filing for bankruptcy — a direct signal that the legal pressure bearing down on CoinFlip is an industry condition, not a company-specific failure. When the sector’s biggest player cites regulatory action as a material business risk on its way into bankruptcy court, the industry has a systemic problem.
The crypto ATM sector built its business model inside a regulatory gray zone. Anti-money-laundering rules technically applied to kiosk operators for years, but enforcement was scattered and inconsistent enough that companies could scale aggressively without building serious compliance infrastructure. CoinFlip now operates 4,229 kiosks across the United States, including 136 in Missouri alone. That growth happened while states and municipalities were still figuring out what to do with the technology. That window is closing. Missouri’s action is part of a wave — multiple states and local governments have passed laws and ordinances restricting or outright banning crypto ATMs in recent months.
The restitution demand in the Missouri case deserves particular attention. The Attorney General’s office is seeking actual money back for consumers, not just civil penalties against the company. The lawsuit asks for up to $1,826,000 in civil penalties at $1,000 per violation over five years, and it demands consumer restitution on top of that. Restitution is rare in crypto enforcement. Most regulatory actions result in fines that go to the government while victims recover nothing. If Missouri secures restitution here, it creates a legal template — one that plaintiffs’ attorneys and other state AGs will study and replicate. For an industry that has largely treated consumer losses from kiosk-enabled scams as an externality, that template represents a structural threat far more consequential than any single penalty.
Why State AGs Are Stepping In Where Federal Regulators Have Been Slow
Federal crypto regulation remains a three-way standoff. The SEC claims jurisdiction over crypto securities. The CFTC claims jurisdiction over crypto commodities. FinCEN oversees anti-money laundering compliance. None of them has produced a clear, unified framework for crypto ATM operators — and that vacuum is exactly where state attorneys general are walking in.
Missouri’s lawsuit against CoinFlip bypasses the entire “is crypto a security?” debate by leaning on the Missouri Merchandising Practices Act, a decades-old consumer protection statute built to address deceptive trade practices in any industry. The AG’s office doesn’t need to classify Bitcoin as a security or a commodity. It only needs to demonstrate that consumers were misled or inadequately protected. That’s a significantly lower legal bar, and it’s one that prosecutors in any state can clear using laws already on the books.
The Missouri AG is seeking civil penalties of $1,000 per violation over the past five years — up to $1,826,000 — plus restitution to consumers and an outright injunction barring CoinFlip from operating its 136 Missouri kiosks. Those numbers matter less than the precedent. Any state AG with a consumer protection statute, which is all 50 of them, now has a visible blueprint for targeting crypto ATM operators without waiting for Congress or federal agencies to act.
That blueprint is already spreading. Bitcoin Depot, CoinFlip, and other ATM operators have faced a wave of actions from state authorities and municipalities in recent months, ranging from new operating restrictions to outright bans. Each action is being crafted under local statutes, which means the rules differ by jurisdiction.
For crypto ATM companies, that fragmentation is the real threat. Complying with a single federal standard — even a strict one — would be operationally manageable. Complying with 50 different state regimes, each with its own disclosure requirements, fee caps, fraud prevention mandates, and penalty structures, is a logistical and legal nightmare. The industry may eventually lobby for federal preemption just to escape the patchwork. Until then, every state AG who files a lawsuit makes that patchwork one square larger.
What This Means for Ordinary People Who Encounter These Machines
Crypto ATM scams follow a near-identical script every time. A victim receives a call from someone claiming to be from the IRS, the Social Security Administration, or a local utility company. The caller insists there is an urgent debt, a warrant, or a shutoff pending — and that the only acceptable payment method is a crypto kiosk. The victim walks up to a machine, feeds in cash, and the transaction executes. Once it does, the money is functionally gone. Cryptocurrency payments do not reverse the way a credit card charge can.
Missouri’s lawsuit against CoinFlip argues the company had tools available to interrupt this chain of events and chose not to deploy them adequately. The AG’s office is not just alleging that scams happened near CoinFlip machines — it is arguing the company failed to implement the warnings and transaction monitoring that could have flagged suspicious activity before cash became irretrievable crypto. That is a duty-of-care argument, and it carries serious weight. CoinFlip operates 136 kiosks in Missouri alone and more than 4,200 across the United States, so the scale of potential exposure is significant.
The restitution demand is the element that matters most to victims. Missouri’s AG office is asking the court to award money back directly to consumers harmed by these transactions. Scam victims almost never recover funds lost through crypto ATMs — the decentralized, pseudonymous nature of blockchain transfers makes tracing and clawing back funds exceptionally difficult. If Missouri secures actual restitution payments, it becomes one of the first successful consumer recovery outcomes tied specifically to a crypto ATM operator. That outcome would give other state attorneys general a working legal template to pursue similar claims against operators nationwide.
The practical takeaway for anyone who encounters one of these machines: no legitimate government agency, utility company, or business will ever instruct you to pay a debt through a crypto kiosk. That instruction, in every case, is the scam itself.
What Happens Next — And What to Watch For
CoinFlip will fight the Missouri injunction hard. Losing it means pulling 136 revenue-generating machines from a single state — and with 4,229 kiosks operating across the U.S., Missouri alone represents more than 3% of the company’s entire domestic network. That’s not a rounding error. But the financial hit from Missouri pales against the precedent risk. If Missouri’s Attorney General wins using the state’s Merchandising Practices Act as the legal weapon, that playbook is immediately available to every other state AG in the country.
That’s the real threat. State attorneys general share strategies, and the Merchandising Practices Act framework — broad consumer protection statutes that most states have in some form — is a replicable template. States with dense concentrations of crypto kiosks are the obvious next targets. A successful Missouri judgment doesn’t just punish CoinFlip; it hands other regulators a tested, court-validated blueprint.
The timing compounds the pressure. Bitcoin Depot, one of the largest crypto ATM operators in the United States, filed for bankruptcy after spending years warning investors that lawsuits and regulatory crackdowns were existential risks to the business model. Those warnings proved accurate. Two of the industry’s most prominent players are now either in bankruptcy court or facing a state-level shutdown order — within the same news cycle.
Operators and investors still treating this as isolated legal turbulence are reading the situation wrong. The crypto ATM industry built its growth on regulatory ambiguity, high transaction fees, and underbanked customer bases with limited alternatives. Regulators have spent years watching fraud complaints pile up, and they are now acting with specific legal tools rather than vague warnings. The Missouri suit, Bitcoin Depot’s collapse, and the wave of municipal ordinances restricting kiosk placement all point in the same direction.
This is a structural inflection point. The boom years for crypto ATM operators — easy placement, minimal oversight, double-digit fee margins — are over. What comes next is contraction, consolidation, and a compliance cost burden that will eliminate the thinnest-margin operators first.
