Blockchain & Cryptocurrency

Bitcoin is Property and Can be Injuncted in International Fraud Cases

Author: Alexander Shirtcliff

English Court confirms its appetite to allow fraud and asset recovery campaigns to be pursued against Crypto Assets in AA v Persons Unknown.  However, the path to recovery is still not completely clear.

Here are five tips for successfully pursuing Crypto Assets in the English Courts and some notes of caution about the case.

The Case

The IT systems of a Canadian business were hacked and held to ransom by BitPaymer malware.   The hackers demanded a US $1.2m ransom payment, payable in Bitcoin.  The Canadian business had cyber-attack insurance cover from a UK provider (the "Insurer").  The Insurer negotiated the ransom down to US $950,000 and paid it.  The hack was no doubt damaging enough but the decryption was no small undertaking – it took 5 days for the servers and 10 days for the affected laptops to be cleared.

Specialist investigators, Chainalysis, tracked most of the Bitcoin down to an address linked with the BVI registered exchange known as Bitfinex.  The balance had been converted into fiat currency.

The Insurer sought interim relief from the English Court, aimed at seizing assets and revealing the identity of the hackers.  The judge:

  • granted a proprietary injunction over the identified Bitcoin;
  • ordered discovery into the fraud; and
  • allowed proceedings to be served out of the jurisdiction.
Bitcoin is Property

In its clearest statement to date, the English Court has endorsed the view that Bitcoin (and by extension, other crypto assets) is property.  This issue has been the subject of some academic uncertainty.  Traditionally, English common law recognised two esoteric classes of property: "things" in possession (like the screen on which you are reading this) and "things" in action (like sums due on a bond) (plus some classes created by statue, like patents).  Crypto assets do not belong to the first class and do not fit easily into the second.

To seek to address this issue, the industry led and government backed UK Jurisdictional Task Force analysed what kind of property crypto assets are.  Their analysis concluded that just because "a crypto asset might not be a thing in action on the narrower definition of that term does not in itself mean that it cannot be treated as property".

This conclusion was enthusiastically endorsed by the Judge in this case.  Mr Justice Bryan decided that crypto assets are: "a form of property capable of being the subject of a proprietary injunction" concluding in doing so, that crypto assets met an established common law test for property: "definable, identifiable by third parties, capable in their nature of assumption by third parties, and having some degree of permanence."

Strictly, this decision is not the first of its kind in the UK.  In two prior cases the Court has, in effect, endorsed the same view (Vorotyntseva v Money-4 Ltd (trading as nebeus.com) [2018] EWHC 2596 (Ch) and Robertson v Persons Unknown (unreported, 2019)).  However, this is the first time the Court has considered the Task Force's analysis at all, and the proprietary nature of crypto assets in some depth.

Bitcoin can be Injuncted

Because Bitcoin is property, it can be the subject of a proprietary injunction in English law.  A proprietary injunction can be a particularly potent remedy because: (i) it can cauterise the victim's losses by reducing the risks and costs involved in identifying, and then pursuing, the fraudster for damages; and (ii) it can be obtained without showing that there is a risk of asset dissipation.

A proprietary injunction is available to parties who can make a persuasive argument that the property in question belongs, in effect, to them.  In this case, the Insurer's argument would be that the $950,000 cash could be traced into the Bitcoin ransom and that, therefore, the hackers and/or the exchange held that Bitcoin as constructive trustees.

Importantly for other cases, the Judge was sufficiently content with this rationale to grant the injunction.  This opens the door for parties to argue that crypto assets are traceable in similar situations.

Discovery About the Wrongdoing Ordered

The judge also ordered the exchange (and the hackers) to produce discovery concerning the identity of the fraudsters.  Whilst discovery of this kind is not uncommon, it is potentially critical in this sort of case - where the identity of the fraudsters is not known and you might have to hunt down their assets to satisfy a judgment (e.g., if the assets caught by the proprietary injunction are not enough, or if the proprietary injunction is not upheld at trial).  Critically, if the discovery order is well framed, it could lead you to the bank which the fraudsters used to convert Bitcoin into fiat currency or another asset.

Jurisdiction Exercised Over International Parties

There were relatively limited touch-points between the claim and the jurisdiction of the English court.  The Bitfinex exchange is located in the BVI, the hackers were not known (nor was their location) and the hacked business was Canadian. However, the Insurer and the bank account from which cash was used to purchase the relevant Bitcoin were located in the jurisdiction.  On the face of it, these factors alone would not obviously confirm the English Court's jurisdiction.  However, it seems to have been enough in this case for the Judge to allow the case to proceed in the English Court against parties outside the jurisdiction (but see below).

Notes of Caution
  • This decision was made on an interim basis, inevitably without argument from the unknown hackers, or (it seems) substantive argument from the exchange. The true test will come when a case like this goes to a fully contested trial.
  • The ability to trace Bitcoin into the hands of the exchange will break down if the exchange can show it has innocently bought the Bitcoin. Also, it remains to be fully tested whether a Bitcoin exchange really "holds" Bitcoin and if it does, where.
  • The basis on which the judge allowed service on international parties was not completely clear. Two reasons (or "gateways") were cited by the judge:

(i) the injunction was appropriate to support foreign proceedings – however, there were no foreign proceedings mentioned in the judgment; and

(ii) the injunction was made in support of a tort/delict claim where the damage was sustained in the UK.  Again, the facts set out in the judgment do not make it clear that the Insurer's loss was felt in the jurisdiction.  Perhaps payment from the Insurer's bank account in the UK was enough for the Judge in this case (at least, for the purposes of interim relief), it remains to be seen whether it will be every time.

Five Tips Towards Successful Recovery
  1. Act Fast – Whilst a good tip for every emergency situation, it is particularly so in crypto asset fraud cases; otherwise the risk will increase that a proprietary injunction will not be available and the specific asset in question will likely become harder to track down.
  2. Maximise Jurisdictional touch-points – Consider if there are targets in the jurisdiction. In the AA v Persons Unknown case, this was difficult because the parties' locations were not known. However, in other cases, the exchange might be in the jurisdiction, and could anchor the claim here (as was the situation in the Robertson case).  There might be suspected wrong-doers in the jurisdiction, such as officers of an entity caught up in the fraud.  There may also be innocent third parties against whom proprietary claims may be made, such as a fiat currency bank.
  3. Expand Discovery Opportunities – Seek as wide a discovery order as possible as part of your injunction. Also, you may be able to source information about the fraudsters from: third parties though Norwich Pharmacal or third-party discovery orders; or from potential defendants, through pre-action disclosure orders.
  4. Anonymise the proceedings – The English court will exceptionally allow proceedings to be conducted in private in the right cases. The judge rightly did so in this case.  Otherwise, the identity of the victim and the Insurer would become known, which would encourage revenge attacks.  Also, how the hack was perpetrated would become known, encouraging copy-cat attacks.
  5. Remember the private key – Identify, if you can, who holds the private key to the identified crypto assets and consider joining them to the proceedings. Unless the party who holds the private key is the subject of the order, it may make policing the injunction and ultimately liquidating the asset very difficult in practice.
< Back