As seen in the case of AA v. Bitfinex, targeting a crypto exchange over stolen funds is a high-risk, low-reward proposition.
In October 2019, unknown hackers infiltrated a Canadian insurance company by installing the malware BitPaymer, which encrypted the firm’s data and IT systems. The hackers demanded a ransom of $1.2 million be paid in Bitcoin (BTC) in return for the decryption software needed for the firm to regain access to its systems.
The firm’s United Kingdom-based insurer — known only as AA — arranged to pay the BTC ransom, and the firm’s systems were back up and running within a few days. Meanwhile, AA started the process of seeking legal avenues to recover the BTC obtained by the hackers. It engaged the blockchain investigations firm Chainalysis, whose investigations revealed that 96 of the 109.25 BTC paid had been transferred to a wallet linked to the Bitfinex exchange.
So far, this story is (unfortunately) far from unusual. Bitcoin accounts for the vast majority of ransomware payments due to its anonymity, accessibility (making it easier for victims to pay the ransom) and verifiability of transactions (allowing criminals to confirm once payment has been made). What is unusual about this story, however, is that it sparked a 14-month-long legal battle between AA and Bitfinex, one that only recently concluded after AA discontinued its claim against Bitfinex in the U.K. High Court.
Having traced the stolen BTC to Bitfinex’s platform — and with the identity of the hackers still unknown — AA started its litigation against Bitfinex in December 2019. Again, this is not unusual: U.K. courts have a wide range of remedies at their disposal to assist victims of fraud in trying to recover their assets. In instances where banks, exchanges or other intermediaries may find themselves unknowingly receiving or holding misappropriated or stolen assets, victims of fraud have been able to rely on:
- Norwich Pharmacal orders, which require a third party to disclose certain information to the applicant that will assist in recovery efforts. In this context, the information would be the identity of the wallet holder to which the BTC was traced, and/or details of any other transactions involving the BTC since receipt by the wallet linked with the exchange.
- Freezing orders that prevent defendant fraudsters from dealing with any of their assets until further notice. An exchange notified of a freezing order relating to a client must take steps to freeze the account to prevent the client from withdrawing and dissipating assets.
- Where it can be established that the third party holds property that belongs to the fraud claimant, proprietary injunctions can be obtained to prevent the third party from dealing with that particular property. Linked orders are often made to require the subject of a proprietary injunction to disclose information of the Norwich Pharmacal-kind explained above.
Cryptocurrency as property in the U.K.
The U.K. courts are very familiar with the preceding remedies when involving bank accounts and fiat currency. More recently, the courts have been grappling with how these principles apply to cryptocurrency. However, it is clear that the courts are willing to flexibly apply legal principles, to ensure that these remedies are available to victims trying to recover stolen crypto assets.
In the AA case, Justice Simon Bryan determined — for the first time — that Bitcoin could be classified as property under British law, meaning that he could grant a proprietary injunction in relation to that property. This seems obvious, but traditionally the law has seen property as something that could either be possessed in a tangible sense or be enforced by a right to sue. Cryptocurrency obviously does not meet either requirement, but the courts have taken a pragmatic approach to ensure that novel intangible assets, like cryptocurrency, are considered property.
This flexible approach meant that AA was able to obtain injunctive relief. Bitfinex duly froze the account and provided AA with information about the identity of the customer who owned the wallet with the stolen BTC.
As it turned out though, the BTC had been transferred again before Bitfinex was contacted by AA’s lawyers, and could not be returned. AA reached a confidential settlement with Bitfinex’s customer (also a defendant to AA’s claim) and then turned its sights on Bitfinex, in an attempt to receive additional compensation. The insurer raised a number of legal claims against Bitfinex, including the assertion that the exchange received the BTC (or its traceable proceeds) when it was property belonging to AA. As such, AA declared that a legal trust should be imposed, holding Bitfinex accountable to AA for the BTC. It was also argued that Bitfinex was reckless with regards to whether the BTC was lawfully transferred into the relevant wallet.
These are difficult arguments to prove, and after Bitfinex sent out its detailed legal defense and response to AA’s claims, AA ultimately decided to abandon its claims against Bitfinex. But this was not quite the end of the story. Usually, when a claimant abandons its case, the default position is that it must pay all of the defendant’s costs. However, AA argued that its cost liability should be reduced by 50%, based upon Bitfinex’s supposedly “unreasonable” conduct. The parties fought this out at a High Court hearing in January, culminating in the court deciding there was no unreasonable conduct that would justify any reduction. AA was therefore ordered to pay 100% of Bitfinex’s legal costs, including the costs of its own unsuccessful application to have those costs reduced.
It is understandable that victims of fraud — who may not be able to successfully pursue the actual fraudster — might be tempted to take on a cryptocurrency exchange with deep pockets, perhaps in the simple hope that they can engineer a modest settlement, and avoid the time and cost of complex legal proceedings.
Cyber insurers like AA might calculate that the cost-benefit associated with those steps would be justified. However, exchanges like Bitfinex will continue to defend themselves robustly, particularly when the legal merits of claims are extremely challenging, and ultimately represent an attempt to drag an innocent exchange into the fallout of a cybercrime it had neither knowledge of nor involvement in.