News

An overseas cryptocurrency exchange has been ordered by the High Court in London to restrain $950,000 in bitcoins from the suspected perpetrators of a ransomware attack on a Canadian insurance firm last year, and identify the person or persons who hold them.

In a ruling published Friday, High Court Justice Simon Bryan found last month that 96 bitcoins in a digital wallet at Bitfinex, an exchange owned by a firm based in Hong Kong but registered in the British Virgin Islands, are the lawful property of a U.K. insurer, “AA,” which paid the sum on behalf of its client, a Canadian insurer that was also granted anonymity in the proceedings.

The judgment is believed to be the first of its kind in finding that cryptocurrencies can be targeted for a proprietary injunction under English common law, according to Laurence Winston, an attorney with Crowell & Moring in London.

“The case is a good example of how judges can be sensible in expanding common law to shoehorn-in modern issues,” Winston told ACAMS moneylaundering.com. “It does give people greater comfort to use Bitcoin in the knowledge that it can be enforced against in terms in injunctions and legal remedies.”

Hackers managed to bypass the Canadian insurance firm’s firewall and anti-virus software in October to install BitPaymer, a malware that encrypted the company’s computer systems and thus prevented it from running its business.

“Hello, to get your data back you have to pay for the decryption tool, the price is $1,200,000,” the crooks wrote in an email cited in the judgment. “You have to make the payment in Bitcoins.”

The Canadian firm contacted its U.K.-based insurer, which agreed to pay the suspects a slightly lesser ransom of 110 bitcoins, which equated to roughly $950,000 at the time, in exchange for the decryption software that would allow its client to regain control of its computer systems.

The U.K. insurer also hired Chainalysis, a New York-headquartered firm, to track, locate and help recover the bitcoins after they were paid out as ransom.

Chainalysis found that the perpetrators exchanged a fraction of the bitcoins into fiat currency but transferred the vast majority of them, 96 bitcoins in total, to a digital wallet at Bitfinex. The U.K. insurer petitioned a High Court for an injunction against the funds in December.

Cryptocurrencies as property

Cryptocurrency continues to grow in popularity as an investment and a form of payment but still remains vulnerable to the large-scale fraud schemes and cyberheists that have plagued the industry since its inception more than a decade ago.

According to CipherTrace, a cryptocurrency intelligence firm in California, criminals netted more than $4 billion in cryptocurrency-related frauds and thefts against individuals and exchanges alike in the first six months of 2019.

London’s commercial court meanwhile represents a popular venue for litigants across the world as English law sets out asset freezes and a range of other powerful measures to settle property- and business-related disputes.

Two previous cases also confirmed that cryptocurrency constitutes property in England.

The High Court granted its first-ever freeze against assets kept in cryptocurrency in September 2018, after a London-based trading platform, Nebeus, failed to prove that it still held £1.5 million worth of Bitcoin and Ethereum for a customer who suspected the funds had disappeared.

Almost a year later, the court granted Liam Robertson, chief executive of Alphabit Fund, a U.S.-based crypto-asset investment company, an asset preservation order of more than £1 million worth of Bitcoin stolen from him in a spearphishing attack.

The legal position was further cemented in December, when the Lawtech Delivery Panel, a government-backed committee of senior lawyers, concluded after a six-month review that crypto-assets can be treated in principle as property in English law.

In his judgement last month, Justice Bryan found that the panel’s analysis as to the proprietary status of cryptocurrencies was “compelling, and for the reasons identified therein should be adopted by this court. … I am satisfied … that cryptocurrencies are a form of property capable of being the subject of a proprietary injunction.”

Bitfinex indicated in emails to AA, the U.K.-based insurer, that it would not identify anyone associated with the digital wallet in question absent a court order. According to the judgement, the exchange also told AA that it was its practice to comply with legal rulings wherever they are made.

Bitfinex’s stated stance of complying with overseas judgements far exceeds that of banks and other traditional financial institutions, said Polly Sprenger, former head of intelligence for the U.K. Serious Fraud Office.

“It begs the question whether this will become standard practice in the crypto-world,” Sprenger, now an attorney with Katten Muchin Rosenman in London, told moneylaundering.com. “At the very least, it’s a way for exchanges to reassure their honest and legitimate users that they’re not operating on the dark side.”

Contact Koos Couvée at kcouvee@acams.org