To Pay or Not to Pay – Factors to Consider when Faced with a Ransomware Attack

By Chris Recker and Charlyn Cruz

In this digital age, the data held by an organisation can be one of its most important commodities. Threat actors (also known as malicious actors) recognise this and as such, cyberattacks have been on the rise. In particular, ransomware attacks have increased in frequency – studies have found that more than three-quarters of UK businesses were affected by ransomware in 2021. This is to be expected, not least because an organisation can still experience significant disruption, even where it is not the target of a ransomware incident (for example, it could be that an organisation further up or down the supply chain may have been affected).

So what should a company do when their data is being held captive? Should they submit to the demands of the threat actor and simply pay? Or should they refuse to back down, on moral grounds (amongst other things)?


Recovering Digital Assets in 2022

Introduction

2021 was a blockbuster year for cryptocurrency, aided largely by the Covid-19 pandemic, which saw markets and trading vastly increase. As a result of such growth, cryptocurrency asset tracing is no longer a niche legal sphere. It is one increasingly visible within the English Courts. In January 2022, the Master of the Rolls Sir Geoffrey Vos emphasised the need for all commercial and dispute resolution lawyers to understand blockchains, smart legal contracts and cryptoassets.

From a commercial perspective, the rising value of cryptocurrency and the capacity to conceal its ownership means the area of cryptoasset tracing will continue to develop as part of commercial dispute resolution.

Commercial dispute resolution practitioners have seen a series of published cases coming before the English Courts which deal with a range of issues, including securing information from exchanges, restraining onward transactions and ancillary issues such as security for costs.

Chris Recker, a senior associate at Duane Morris, and Jonathan Bellamy, a commercial barrister at 39 Essex Chambers, identify the principal legal decisions and highlight some of the key challenges arising and practical steps to be taken. This article is gratefully supported by industry specialists in the form of Asset Reality, the world’s first dedicated asset manager for seized crypto assets, and CSI Tech Ltd, a specialist global blockchain tracing agency that wrote the first book on investigating cryptocurrencies.

Recent Cases

On the basics, in 2019 the Commercial Court confirmed that Bitcoin was capable of being property: AA v Persons Unknown & ors [2019] EWHC 3556 (Comm), a decision consistent with the judgment of the Singapore International Commercial Court in B2C2 Limited v Quoine Pte Ltd [2019] SGHC (I) 03. Since then there has been judicial acceptance, for the purpose of without-notice injunctive relief, that the lex situs of cryptocurrency is the owner’s place of domicile: Ion Science Ltd v Persons Unknown & ors (unreported), 21 December 2020 (Commercial Court).

On asset tracing, there has been further development of the categories of persons unknown who may be subject to a freezing and/or proprietary injunction; Fetch.AI Limited & Others v Persons Unknown & Others [2021] EWHC 2254 (Comm). Cases have highlighted the importance of using proprietary injunctions to restrain misappropriated cryptocurrency (see for example, Mr Dollar Bill Limited v Persons Unknown & Others [2021] EWHC 2718 (Ch)) and of working with specialist blockchain tracers to locate cryptocurrency.

We have also seen disputes about whether cryptocurrency may be held on trust. In Wang v Darby [2021] EWHC 3054 (Comm) it was common ground that in English law cryptoassets constitute property that is capable of being bought and sold as well as held on trust. However, on the facts of the transaction in question, Tezos (XTZ) was found not to be so held because the ‘essential economic reciprocity’ of the arrangement between the parties precluded any trust. We expect this point to be an issue that will be carefully considered in cases in the future.

One of the most interesting recent developments in the case law relates to seeking assistance from a centralised entity which controls a cryptocurrency. In Lubin Betancourt Reyes v Persons Unknown [2021] EWHC 1938 (Comm) the Claimant sought the assistance of the entity that controls the cryptocurrency called ‘USDT’ (Tether) to cancel and re-issue misappropriated cryptocurrency.

On related matters, the Court has recently refused to order security for costs in the form of a digital asset. Amongst other things, it is of note that the Court considered that granting security in this manner would expose a defendant to a risk in the form of a fall in the value of Bitcoin which is not a risk in conventional forms of security – such as a payment into Court, or first class guarantee; Tulip Trading Ltd v Bitcoin Association for BSV [2022] EWHC 141 (Ch).

Emerging Issues

The development of international information production orders is an important emerging issue. Cryptoassets are often held in exchanges registered in offshore, and often “exotic”, jurisdictions chosen for their resistance to outside legal intervention. At present there is some uncertainty on the authorities about whether an English Court has jurisdiction to issue information production orders addressed to parties outside England and Wales and, if so, on the basis of which gateway. There is an unresolved tension between the relevant authorities: AB Bank Ltd v Abu Dhabi Commercial Bank PJSC [2016] EWHC 2082 (Comm), CMOC v Persons Unknown [2017] EWHC 3599 (Comm), AA v Persons Unknown (supra) and Lubin Betancourt Reyes & anr v Persons Unknown & ors [2021] EWHC 1938 (Comm).

Cryptoassets, including assets representing the fruits of misappropriated fiat or cryptocurrency, may also be held at addresses outside a centralized exchange. A proprietary and/or freezing injunction may restrain further transactions and dispositions, but in the absence of a third party holder, how will the order be enforced? It is likely that the courts will have to consider development of search and seizure orders in such cases to promote enforcement. It may be the case that, to maximise the prospects that the cryptocurrency is seized and secured, a hybrid search order and receivership order is appropriate to locate and secure private keys on a wrongdoer’s computer or in their property. We expect parties to invite the Court to develop creative legal solutions to assist victims of fraud in such cases.

A key theme in litigation management is the sheer international scale of disputes and claims involving digital assets. As international commercial lawyers, we are familiar with the quarterbacking of litigation across the globe and working with teams of lawyers and technical experts in multiple jurisdictions.

Aidan Larkin, CEO at Asset Reality, highlights the importance of selecting the right team and harnessing the benefits of blockchain technology:

“It’s easy when we hear the term “crypto” to immediately think of the incredibly technical ecosystem it operates in and that often leads to a combination of misconceptions, panic, and assumptions that hinder asset recovery attempts for victims. The truth is, in an asset recovery context, crypto presents more opportunities for success than traditional cases. As a former criminal investigator, I have first-hand experience of the frustration felt when tracing assets internationally. However, blockchain analysis tools allow us to map out fraudulent activity or trace digital assets in minutes and hours compared to the weeks and months similar activity takes in the fiat world.

A unique challenge in crypto asset recovery is the speed of potential dissipation of assets and mismanagement of seized digital assets. We’ve seen litigation cases successfully trace and freeze crypto at a third party exchange, for example, only to lose the asset through inexperience, negligence or, in some rare cases, theft and internal fraud.

Specifically, for the regulated sector and asset recovery practitioners, a significant risk comes in the form of IPs failing to identify potential crypto assets that could be recovered for the benefit of the estate. If it is later proved that they missed potentially available assets, they could find themselves facing action from disgruntled creditors.”

Practical Steps – how do you respond if you are a victim?

A recovery strategy is only as good as the legal and technical team that is put together. Picking a team that understands what is and is not possible, and that knows the questions to ask and investigate, is key. The faster that team is put together, the better the chance of a positive recovery including without notice and interim orders sought at short notice. Ultimately, each case needs to be considered on its own facts and merits.

Legal teams experienced in this area work with specialist blockchain tracing agencies which are able to interpret blockchain transactions. This is usually the first evidential phase. In some cases, such as those involving NFTs (non-fungible tokens) this may provide adequate evidence of identification and location. In other cases, this evidential phase may identify the entities (or exchanges) which may form the target of document production or freezing orders. When combined with specialist open source intelligence, it is also possible that other targets may be identified.

Nick Furneaux of CSI Tech highlights the extent of this risk:

“Having investigated crimes involving over $21 billion in the past 4 years, we have seen every scam under the sun. Knowledge is always the key to avoiding being a victim of fraud and this includes fraud related to cryptoassets. If you are going to purchase or otherwise invest in cryptocurrencies you need to understand how your asset is protected. Cryptocurrencies are traditionally protected by a private key; this can be a long string of numbers and letters or more often a list of words, 12 or 24 words long. This is a PRIVATE key and the clue is most definitely in the name!

Many attacks are social engineering plays to try and obtain your private key either by just asking for it to ‘authenticate’ you or because they pretend to need it to, so-say, invest your funds or otherwise. Handing over seed words gives attackers access to all the crypto in your wallet; it is akin to giving someone your bank card and PIN.

Some keep their funds in an account at a cryptocurrency exchange and this will likely be protected primarily by usernames and passwords. If there is an option to set up multi-factor authentication it is vital to use it. If multi-factor authentication is not available, don’t use the exchange, walk away.

Investment companies that promise to ‘make your crypto work harder’ are almost always scams, support personnel that ask for your seed words are always thieves and hackers are looking for easy targets with unprotected computers or other devices. Do your homework, understand the fundamentals of the technology and hopefully you will not need my services to try and recover your money.”

Summary

The risk to victims is a real and increasing one and, therefore, cryptoasset disputes and related investigations will continue to increase in 2022. We expect that Courts in a variety of sophisticated jurisdictions, including England and Wales, will continue to embrace new solutions to what are complex disputes. This is very much an emerging area of law. In that regard, 2022 is very much the start!

“It’s art… but not as you know it!” – NFTs and Fraud – a new frontier?

Non-fungible tokens (NFTs) are digital assets which are not traded on exchanges, but instead are tokens which represent the ownership of a digital file (for example, a photo or digital art). They have exploded onto the digital asset ‘scene’ over the last 18 months or so. They are generally (but not always) built on the Ethereum blockchain. NFTs are bought and sold using cryptocurrency, but not traded on exchanges. Instead, they are purchased through specialist third party auction sites or sold/transferred privately. The terms of the smart contract (which facilitates the purchase or sale of an NFT) will dictate the extent to which any rights are passed on to a user, or not, when an NFT is transferred.

The use cases continue to expand; NFTs are being used to enter private ‘communities,’ as part of blockchain games and in e-sports markets (amongst other things). The speed of mass NFT adoption has created significant opportunity (in the wake of the increase in value of NFTs, and also allowing content creators to monetise their services by tokenising art and music) but also exposed potential for the system to be exploited. For example, the holder of an NFT may be more likely to be targeted by phishing or social engineering campaigns. The purpose would be to ultimately gain access to their wallet (and by extension, achieve the ability to transfer the token out). In addition, a content creator might find that their work is being copied or re-sold and not have an obvious ‘target’ for the enforcement of their intellectual property rights.


Fraud and Cryptocurrency – recent developments

We are now starting to see a variety of cryptocurrency related frauds appearing before the English Court. Following the decision in AA v Persons Unknown [2019] EWHC 3556 (Comm) (where an insurer was granted a proprietary injunction as part of its strategy to recover a ransomware payment which had been negotiated and paid in Bitcoin) the English Court has dealt with several cases relating to cryptocurrency. Two of those cases are mentioned in this blog.

Firstly, it is noteworthy that disputes involving cryptoassets require specialist legal assistance. Not only do they require the deploying of specialist third party blockchain tracers, they are almost always multi-jurisdictional. This presents operational challenges which need to be developed and carefully considered as part of the asset recovery strategy. For example, the governing law and jurisdiction of the claim may be unclear, or alternatively interim and final orders may need to be recognised and enforced in other jurisdictions.


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
