The perils of suing crypto exchanges after ransomware attacks

In October 2019, unknown hackers infiltrated a Canadian insurance firm by installing the malware BitPaymer, which encrypted the firm’s data and IT systems. The hackers demanded a ransom of $1.2 million be paid in Bitcoin (BTC) in return for the decryption software needed for the firm to regain access to its systems.

The firm’s United Kingdom-based insurer — known only as AA — arranged to pay the BTC ransom, and the firm’s systems were back up and running within a few days. Meanwhile, AA began the process of seeking legal avenues to recover the BTC obtained by the hackers. It engaged the blockchain investigations firm Chainalysis, whose investigations revealed that 96 of the 109.25 BTC paid had been transferred to a wallet linked to the Bitfinex exchange.

So far, this story is (sadly) far from unusual. Bitcoin accounts for the vast majority of ransomware payments because of its anonymity, accessibility (making it easier for victims to pay the ransom) and verifiability of transactions (allowing criminals to confirm once payment has been made). What is unusual about this story, however, is that it sparked a 14-month-long legal battle between AA and Bitfinex, one which only recently concluded after AA discontinued its claim against Bitfinex in the U.K. High Court.

Having traced the stolen BTC to Bitfinex’s platform — and with the identity of the hackers still unknown — AA started its litigation against Bitfinex in December 2019. Again, this isn’t unusual: U.K. courts have a range of remedies at their disposal to help victims of fraud in trying to recover their assets. In cases where banks, exchanges or other intermediaries may find themselves unknowingly receiving or holding misappropriated or stolen assets, victims of fraud have been able to rely on:

  • Norwich Pharmacal orders, which require a third party to disclose certain information to the applicant that will assist in recovery efforts. In this context, the information could be the identity of the wallet holder to which the BTC was traced, and/or details of any other transactions involving the BTC since receipt by the wallet linked with the exchange.
  • Freezing orders that prevent defendant fraudsters from dealing with any of their assets until further notice. An exchange notified of a freezing order relating to a customer should take steps to freeze the account to prevent the customer from withdrawing and dissipating assets.
  • Where it can be established that the third party holds property that belongs to the fraud claimant, proprietary injunctions can be obtained to prevent the third party from dealing with that particular property. Linked orders are often made to require the subject of a proprietary injunction to disclose information of the Norwich Pharmacal type explained above.

Cryptocurrency as property in the U.K.

The U.K. courts are very familiar with the remedies above when they involve bank accounts and fiat currency. More recently, the courts have been grappling with how these principles apply to cryptocurrency. However, it’s clear that the courts are willing to flexibly apply legal principles, to ensure that these remedies are available to victims trying to recover stolen crypto assets.

In the AA case, Justice Simon Bryan decided — for the first time — that Bitcoin could be classified as property under British law, meaning that he could grant a proprietary injunction in relation to that property. This seems obvious, but traditionally the law has viewed property as something that could either be possessed in a tangible sense or be enforced by a right to sue. Cryptocurrency clearly doesn’t meet either requirement, but the courts have taken a pragmatic approach to ensure that novel intangible assets, like cryptocurrency, are considered property.

This flexible approach meant that AA was able to obtain injunctive relief. Bitfinex duly froze the account and provided AA with information about the identity of the customer who owned the wallet with the stolen BTC.

As it turned out though, the BTC had been transferred again before Bitfinex was contacted by AA’s lawyers, and couldn’t be returned. AA reached a confidential settlement with Bitfinex’s customer (also a defendant to AA’s claim) and then turned its sights on Bitfinex, in an attempt to obtain more compensation. The insurer raised a number of legal claims against Bitfinex, including the assertion that the exchange received the BTC (or its traceable proceeds) when it was property belonging to AA. As such, AA asserted that a legal trust must be imposed, holding Bitfinex accountable to AA for the BTC. It was also argued that Bitfinex was reckless with regard to whether or not the BTC was lawfully transferred into the relevant wallet.

These are difficult arguments to prove, and after Bitfinex sent out its detailed legal defense and response to AA’s claims, AA ultimately decided to abandon its claims against Bitfinex. But this was not quite the end of the story. Usually, when a claimant abandons its case, the default position is that it should pay all of the defendant’s costs. However, AA argued that its costs liability must be reduced by 50%, based upon Bitfinex’s supposedly “unreasonable” conduct. The parties fought this out at a High Court hearing in January, culminating in the court deciding there was no unreasonable conduct that would justify any reduction. AA was therefore ordered to pay 100% of Bitfinex’s legal costs, including the costs of its own unsuccessful application to have those costs reduced.


It is understandable that victims of fraud — who may not be able to successfully pursue the actual fraudster — might be tempted to take on a cryptocurrency exchange with deep pockets, perhaps in the simple hope that they’ll engineer a modest settlement, and avoid the time and cost of complex legal proceedings.

Cyber insurers like AA might calculate that the cost-benefit associated with these steps would be justified. However, exchanges like Bitfinex will continue to defend themselves robustly, particularly when the legal merits of claims are extremely challenging, and ultimately represent an attempt to drag an innocent exchange into the fallout of a cybercrime it had neither knowledge of nor involvement in.

This article was co-authored by Stephen Elam and Shelley Drenth.

The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Stephen Elam is a partner and Shelley Drenth is an associate at Cooke, Young & Keidan LLP, a disputes law firm that regularly advises on litigation and regulatory issues in relation to cryptocurrency.