Out-Law / Your Daily Need-To-Know

Bitcoin exchange injunction targets ransomware hackers

Out-Law News | 30 Jan 2020 | 3:17 pm | 4 min. read

A court in London issued an interim injunction late last year requiring a bitcoin exchange to help an insurance company recover funds it paid to hackers.

The interim proprietary injunction, among other things, required Bitfinex to disclose information that could help the insurer identify those responsible for carrying out a ransomware attack on one of its customers, and to prevent bitcoin traced from the ransom payment from being moved from a Bitfinex account.

Details of the case have only recently been made public after reporting restrictions were lifted by the High Court. Bitfinex has said it was served, and acted on, the court's order, according to a report by Finextra.

Craven Jennifer

Jennifer Craven

Senior Associate

The case demonstrates that businesses and individuals who have become a victim of fraud and malware attacks, and have paid ransom monies – whether in fiat currency or cryptocurrency – can seek to trace the payment of those monies even where the fraudsters are unknown, using various civil fraud and High Court remedies available

In granting an interim injunction in the case, the court held that cryptoassets can be classed as property and give rise to proprietary claims.

Civil fraud and asset recovery specialist Jennifer Craven of Pinsent Masons, the law firm behind Out-Law, said the judgment has highlighted the willingness of courts in England and Wales "to adapt to new claims involving new technological forms of assets to bring efficient and effective remedies to victims of fraud".

The case before the High Court arose after a Canadian insurance company had access to its systems and data cut off in a ransomware attack last October. The company's cyber insurance provider, based in England, paid the ransom in bitcoin valued at $950,000 as part of a deal struck to enable its customer to regain access to its network.

After the payment was made, the English insurer engaged a specialist to track the payment of bitcoin. While the identity of those behind the ransomware attack was not uncovered, the specialist's investigations found that some of the bitcoin was converted into 'fiat currency' - currency issued by governments or central banks – and that the majority was transferred to an address linked to bitcoin exchange Bitfinex.

The insurer initially applied to the High Court for a range of relief aimed at helping uncover the identity of the perpetrators, freezing their assets and ultimately obtaining recovery of the bitcoin paid. However, applications for a 'Norwich Pharmacal' order, which requires recipients to meet disclosure obligations, and a worldwide freezing order, which prohibits individuals and institutions from moving assets, were adjourned.

Instead, the High Court considered the insurer's request for an interim proprietary injunction, which in this case concerned placing restrictions on the dissipation of the bitcoin traced to the Bitfinex account only. The injunction also placed obligations on both the suspected fraudsters and Bitfinex to disclose identifying information.

In considering the case for the injunction, the court first had to determine whether bitcoin could be considered 'property' and therefore give rise to proprietary claims. It is thought to be the first time the High Court in England has considered the topic since a team of UK experts spanning the government, regulators, industry and judiciary issued a statement addressing the question in November last year. The LawTech Delivery Panel's UK Jurisdiction Taskforce said that cryptoassets are to be treated in principle as property.

Although Mr Justice Bryan accepted the statement was not "a statement of the law", the judge said he believed it to be "an accurate statement as to the position under English law". On that basis he said he was "satisfied for the purpose of granting an interim injunction in the form of an interim proprietary injunction that cryptocurrencies are a form of property capable of being the subject of a proprietary injunction".

Craven said: "Historically, English law has only recognised two forms of property: a chose in possession or a chose in action. Mr Justice Bryan agreed with the legal statement that cryptocurrencies do not fall into either, but he highlighted that this does not necessarily bar them from being treated as property."

The judge said he was satisfied the injunction should require Bitfinex to disclose information it holds about the suspected fraudsters. The persons thought to be involved are unknown but the judge said it is likely Bitfinex will hold information about them because of the 'know your customer' obligations the exchange faces under anti-money laundering laws. The judge acknowledged that Bitfinex "may simply have got mixed up in another's wrongdoing" but said the exchange will have "no entitlement to retain" the bitcoin thought to have been defrauded from the insurer if the insurer goes on to win its case at trial.

Mr Justice Bryan granted the insurer's request to be able to serve the injunction on the persons unknown and Bitfinex by email. The insurer had previously corresponded with Bitfinex by email, and according to the ruling the bitcoin exchange had confirmed to the insurer that it is "not able to comply with any order to identify anyone associated with the account, absent a court order, but that it is their practice to comply with the court order for any national jurisdiction".

According to Finextra, Bitfinex said: "We have assisted the claimant to trace the stolen bitcoin and we understand the focus of the claimant’s attention is no longer on the Bitfinex platform. It now appears Bitfinex is an entirely innocent party mixed up in this wrongdoing."

Craven said: "This judgment is interesting as it included a discussion over whether there is a 'jurisdictional gateway' enabling English courts to serve disclosure orders on entities based abroad. In this case, the location of the suspected fraudsters was unknown, and Bitfinex had said it required to be served in the British Virgin Islands. While the discussion reached no conclusion, it shows the care which needs to be taken in navigating service issues in these types of cases. In this case, the insurer got round the question of jurisdiction by focusing on seeking a narrower interim proprietary injunction and persuaded the court that there are potential jurisdictional gateways applicable enabling the interim injunction to be served on the suspected fraudsters and Bitfinex."

"Crucially, the case also demonstrates that businesses and individuals who have become a victim of fraud and malware attacks, and have paid ransom monies – whether in fiat currency or cryptocurrency – can seek to trace the payment of those monies even where the fraudsters are unknown, using various civil fraud and High Court remedies available," she said.