In October 2019, unidentified hackers infiltrated a Canadian insurance company by installing the malware BitPaymer, which encrypted the firm's information and IT systems. The hackers demanded that a ransom of $1.2 million be paid in Bitcoin (BTC) in exchange for the decryption software the firm needed to recover access to its own systems.
The firm's United Kingdom-based insurer -- known only as AA -- arranged to pay the BTC ransom, and the firm's systems were back up and running within a few days. Meanwhile, AA began seeking legal avenues to recover the BTC acquired by the hackers. It engaged the blockchain investigations firm Chainalysis, whose investigations revealed that 96 of the 109.25 BTC paid had been transferred to a wallet connected to the Bitfinex exchange.
So far, this story is (unfortunately) far from unusual. Bitcoin accounts for the great majority of ransomware payments due to its anonymity, accessibility (which makes it easier for victims to pay the ransom) and verifiability of transactions (allowing criminals to confirm once payment has been made).
Having tracked the stolen BTC to Bitfinex's platform -- and with the identity of the hackers still unknown -- AA started its lawsuit against Bitfinex in December 2019. Again, this isn't unusual: U.K. courts have a wide assortment of remedies at their disposal to help victims of fraud trying to recover their assets. In instances where banks or other intermediaries find themselves receiving or holding misappropriated or stolen assets, victims of fraud are able to rely on:
Norwich Pharmacal orders, which require a third party to disclose specific information to the applicant that will assist in recovery efforts. In this context, the information would be the identity of the wallet holder to which the BTC was tracked, and/or details of any other transactions involving the BTC since receipt by the wallet linked with the exchange.
Freezing orders, which prevent suspected fraudsters from dealing with the assets until further notice. An exchange advised of a freezing order relating to a customer must take action to freeze the accounts to stop the customer from accessing and dissipating assets.
Proprietary injunctions, which can be obtained where it can be established that the third party holds property belonging to the fraud claimant, to prevent the third party from dealing with that specific property. Related orders are often made requiring the subject of a proprietary injunction to disclose information of the Norwich Pharmacal kind described above.
Cryptocurrency as property in the U.K.
The U.K. courts are very familiar with the preceding remedies where bank accounts and fiat currency are involved. But it is clear that the courts are willing to apply legal rules flexibly to make sure that these remedies are also available to victims trying to regain stolen crypto assets.
In the AA case, Justice Simon Bryan determined -- for the very first time -- that Bitcoin could be categorized as property under British law, meaning he could grant a proprietary injunction in relation to this property. This may seem obvious, but traditionally the law has seen property as something that can either be possessed in a physical sense or be enforced through a right to sue. Cryptocurrency obviously does not meet either requirement, but the courts have taken a pragmatic approach to ensure that novel intangible assets, such as cryptocurrency, are treated as property.
This flexible approach meant that AA was able to obtain injunctive relief. Bitfinex duly froze the accounts and supplied AA with information regarding the identity of the customer who owned the wallet holding the stolen BTC.
As it turned out, though, the BTC had been moved again before Bitfinex was contacted by AA's attorneys, and could not be returned. AA reached a private settlement with Bitfinex's customer (also a defendant to AA's claim) and then turned its sights on Bitfinex in an attempt to get extra compensation. To that end, AA argued that a legal trust should be enforced, holding Bitfinex accountable to AA for the BTC. It was also argued that Bitfinex was irresponsible with respect to whether the BTC was officially transferred to the appropriate wallet.
These are difficult arguments to prove, and after Bitfinex set out its comprehensive legal defense and response to AA's claims, AA finally decided to abandon its claims against Bitfinex. However, this was not quite the end of the story. Usually, when a claimant abandons its case, the default position is that it must pay all of the defendant's costs. AA argued that its cost liability ought to be reduced by 50% on account of Bitfinex's supposedly "unreasonable" conduct. The parties fought this out at a High Court hearing in January, culminating in the court deciding there was no unreasonable conduct that would warrant any reduction. AA was therefore ordered to cover 100% of Bitfinex's legal expenses, including the costs of its unsuccessful application to have those costs reduced.
It is understandable that victims of fraud -- who might not be able to successfully pursue the true fraudster -- might be tempted to take on a cryptocurrency exchange with deep pockets, perhaps in the expectation that they can easily engineer a small settlement and avoid the time and cost of complicated legal proceedings.
Cyber insurers like AA might calculate that the cost-benefit of taking these steps is warranted. But exchanges such as Bitfinex will continue to defend themselves robustly, especially when the legal merits of the claims are incredibly challenging and the claims ultimately represent an effort to drag an innocent exchange into the fallout of a cybercrime it had neither knowledge of nor involvement in.