TL;DR: Three of the most documented cannabis lab fraud cases in U.S. history occurred in 2024–2026 — Viridis Laboratories in Michigan, Keystone Laboratories in New York, and MCR Labs in Massachusetts. Each involved sustained, deliberate manipulation of mold, potency, or pathogen test results. Processors who relied on passing COAs from these labs were exposed without knowing it. The structural lesson is not to find a better lab — it's that a passing COA has never been equivalent to a safe product, and the current enforcement wave makes that clearer than it has ever been.
Key Takeaways
- Michigan permanently banned Viridis Laboratories in August 2025 for a "sustained, deliberate pattern" of mold and potency fraud that drove competitors out of business
- New York's Keystone Laboratories scandal in March 2026 triggered 54+ lot recalls after false Aspergillus and heavy metal results were discovered; Lexachrom Analytics was fined up to $2 million
- Massachusetts sued MCR Labs in 2025 after the lab failed to report yeast and mold failures in over 7,000 samples; Assured Testing Labs was separately suspended for the same category of misconduct
- The enforcement pattern across three major markets in 18 months reflects systemic structural pressure — not isolated bad actors
- In-process contamination control eliminates the variable that lab fraud exploits: it removes the contamination before it reaches a lab that might not detect it honestly
Three Cases That Changed What a COA Is Worth
Michigan: Viridis Laboratories
Viridis Laboratories was one of Michigan's largest cannabis testing labs. In August 2025, the Michigan Cannabis Regulatory Agency (CRA) permanently banned Viridis from the state's cannabis testing program after an investigation found what the agency described as a "sustained, deliberate pattern" of mold and potency result manipulation.
The CRA's findings were specific: Viridis had systematically manipulated microbial and potency results to give clients passing outcomes they had not earned. Compliant competitors — who were accurately reporting failures — lost business to operators whose non-compliant product was passing through Viridis with fraudulent clean results. The fraud did not merely harm public health; it structurally distorted the Michigan market by creating a cost advantage for operators willing to use a fraudulent lab.
Viridis had been operating in Michigan for years. Its COAs were used by licensed operators to release product into retail channels. Dispensaries, processors, and consumers relied on those results.
New York: Keystone Laboratories and Lexachrom Analytics
In March 2026, New York's Office of Cannabis Management (OCM) triggered one of the largest cannabis recall actions in state history after discovering false test results from Keystone Laboratories and its affiliated entity Lexachrom Analytics. The recalls covered 54 or more distinct product lots involving false Aspergillus and heavy metal results.
The OCM levied fines of up to $2 million against Lexachrom and suspended Keystone's testing accreditation. The scale of the recall — affecting dozens of licensed operators who had done nothing wrong except use a lab that fraudulently cleared their product — illustrated how quickly a single compromised lab can contaminate an entire state's compliance record.
The Keystone case is particularly notable because Aspergillus — the pathogen most commonly associated with cannabis-related lung infections in immunocompromised patients — was among the results falsified. These are not abstract compliance failures. Products that failed Aspergillus testing were cleared for retail by a lab that falsified the result.
Massachusetts: MCR Labs and Assured Testing Labs
Massachusetts presented a variation on the same theme. In January 2025, MCR Labs filed suit against eight rival testing laboratories alleging systematic undercutting of standards — a lawsuit that exposed the competitive pressure structure that makes fraud rational for labs operating on thin margins in a crowded market.
Separately, Assured Testing Labs was suspended by the Massachusetts Cannabis Control Commission after investigators found the lab had failed to report yeast and mold failures across more than 7,000 samples. Processors whose product had been tested — and cleared — by Assured were operating with compliance documentation that did not reflect actual microbial status.
Why This Keeps Happening: The Structural Pressures Behind Lab Fraud
The Viridis, Keystone, and MCR/Assured cases are not coincidental. They reflect structural dynamics that create persistent incentives for testing fraud across state markets:
Race-to-the-Bottom Pricing
Cannabis testing is a high-fixed-cost, margin-compressed business. Labs must invest in equipment, staff, and accreditation to operate, but they compete for client volume primarily on price and turnaround time. In markets with a large number of accredited labs, the competitive pressure creates incentives to clear product that might otherwise fail — either by adjusting reporting thresholds, mishandling samples, or outright falsifying results.
Lab Shopping Creates Selection Pressure
Processors and cultivators know which labs are more likely to return passing results. Lab shopping — the practice of submitting samples to multiple labs and using the most favorable result — is documented across multiple state markets. Even without overt fraud, this creates selection pressure that rewards labs willing to push the boundaries of acceptable variation in reporting.
COA as a Compliance Theater Document
A COA (Certificate of Analysis) communicates the results of a specific analytical test on a specific sample at a specific moment. It says nothing about:
- Whether the sample submitted was representative of the full batch
- Whether the lab that produced it was operating with integrity
- Whether the product was re-contaminated between testing and retail
- Whether the testing methodology was sensitive enough to detect the hazard
For processors, this means that a passing COA represents one data point from a system under structural pressure — not a guarantee of product safety. The Viridis, Keystone, and Assured cases confirmed that the data point itself can be fabricated.
What Processors Who Used These Labs Now Face
Operators who used Viridis, Keystone, or Assured as their testing lab during the relevant periods face several categories of exposure:
Retroactive recall liability. New York's 54-lot recall required affected operators to pull product from retail and initiate recall procedures — even though those operators had a passing COA for every product involved. The COA did not protect them from the recall obligation. Processors are responsible for the safety of their product regardless of what a third-party lab certified.
Metrc and documentation gaps. In states using Metrc for track-and-trace, product released on fraudulent COAs creates a chain-of-custody record that now needs to be reconciled. Regulators investigating the fraud are examining Metrc records, and operators whose documentation shows product release based on flagged lab results are in a difficult position.
Reputational and civil exposure. Dispensary partners and institutional buyers who received product through fraudulent COAs have standing to pursue claims against operators for misrepresentation of compliance status — regardless of whether the operator knew the COA was fraudulent. "We relied on a certified lab" is a mitigating factor in regulatory proceedings, but it does not eliminate civil exposure.
Future enforcement trajectory. The OCM's $2 million fine in the Keystone case and the CRA's permanent ban of Viridis signal that regulators are escalating enforcement against labs — and will use recall actions and license investigations to trace accountability up the supply chain to operators who benefited from fraudulent results.
The Only Defense: Eliminating the Contamination Before It Reaches the Lab
The structural implication of the lab fraud crisis is not that you need to find a trustworthy lab — though that matters. It is that the compliance model built around COA results is fundamentally fragile. A passing COA from a compromised lab is worse than a failing COA from an honest one: it creates documented liability where the operator believed they had documented protection.
In-process contamination control addresses this at the source. A processor who uses a validated decontamination step — VHP sterilization validated against ISO 22441:2022 — before submitting product for testing is not dependent on the lab detecting contamination that has already been eliminated. Their exposure to lab fraud is structurally reduced because the contamination isn't there to be hidden or missed.
This is the distinction between reactive compliance (submit product, hope for a clean result, trust the COA) and in-process control (eliminate contamination during production, submit product that has been treated, use the COA to confirm what you already know).
In-process VHP treatment creates a decontamination record that exists independently of the COA. That record — batch logs, cycle parameters, biological indicator results, deviation documentation — provides a second evidentiary track that a fraudulent or negligent COA cannot invalidate. If a processor's product is later implicated in a recall investigation, the in-process treatment record demonstrates that the processor exercised due care regardless of what any third-party lab reported.
State Regulatory Responses and What's Coming
The wave of enforcement actions in 2024–2026 has accelerated regulatory responses across multiple state markets:
Michigan has implemented enhanced lab auditing requirements and is expanding real-time proficiency testing obligations for accredited labs in the wake of the Viridis ban.
New York has begun publishing COA discrepancy data and is developing a cross-lab comparison protocol to identify statistical outliers that indicate result manipulation — similar to proficiency testing approaches used in pharmaceutical lab oversight.
Massachusetts has increased Cannabis Control Commission oversight of lab accreditation and is evaluating mandatory blind proficiency testing requirements that would make it harder for labs to return anomalous results without triggering audit review.
The direction is clear: regulators are moving toward a testing infrastructure where fraudulent results are harder to sustain and easier to detect retrospectively. For processors, this means two things. First, the labs most likely to survive the regulatory tightening are those already operating with full integrity — which reduces the advantage of lab shopping. Second, operators who can document in-process contamination control will have an evidentiary record that supplements COA results, not one that depends on them.
Frequently Asked Questions
How can I tell if my testing lab is operating with integrity?
The most reliable signals are accreditation status through your state's cannabis regulatory agency, participation in blind proficiency testing programs, and a history of consistent results under audit. You can also request documentation of the lab's internal QC procedures, including how they handle sample replication and analyst result verification. Labs that cannot produce this documentation on request are a risk. State cannabis regulatory agency websites typically maintain accredited lab lists with current status; always verify before engaging a new lab.
Does a recall affect operators if the lab fraud wasn't their fault?
Yes. Recall obligations attach to the product and the operator of record, not to the lab that certified it. Operators retain responsibility for the safety of their released product regardless of what a third-party COA states. The fraud creates a strong mitigation argument in regulatory proceedings, but it does not eliminate the recall obligation or civil exposure to downstream buyers.
What documentation should processors keep to protect themselves from lab fraud exposure?
At minimum: the original COA for every tested batch, the Metrc transfer record documenting which lab received which sample, internal batch records showing product status at the time of sampling, and any in-process treatment records (including decontamination cycle logs if VHP is in use). If in-process decontamination is part of your workflow, that documentation becomes your primary defense record — it shows the product was treated before the lab ever saw it.
Does in-process VHP treatment guarantee a passing COA?
No. VHP treatment eliminates viable microbial contamination but does not guarantee that a sample will pass every test category (pesticides, heavy metals, residual solvents). However, for the categories most commonly implicated in lab fraud — yeast, mold, Aspergillus, and other microbial contaminants — a processor who has run a validated VHP cycle has an independent decontamination record that supports the COA result, rather than depending on it.
How does this connect to the broader trend in state testing mandates?
The lab fraud crisis and the expansion of state testing mandates are two sides of the same compliance pressure. As Minnesota, New York, Maine, and other states expand required testing categories, the pool of product being submitted to labs increases — and so does the volume of tests labs must process. That pressure can either drive better infrastructure or create more fraud. Processors who build in-process controls are less exposed to both outcomes. See our analysis of new state testing mandates in 2025–2026 for the specific compliance changes affecting MN, NY, and ME operators.
Primary sources: Michigan CRA Viridis ban (August 2025); New York OCM Keystone recall (March 2026); Massachusetts CCC Assured Testing Labs suspension (2025); MCR Labs litigation coverage: Boston Globe (January 2025).