This article discusses a recent case before the English High Court (AA v Persons Unknown [2019] EWHC 3556 (Comm)) where a claimant successfully obtained an injunction in respect of Bitcoins transferred following a ransomware attack (which were ultimately traced to a wallet held at a crypto currency exchange).

The case drew attention to the difficult situations businesses find themselves in following ransomware attacks, and highlighted the role of Bitcoin and other crypto currencies as the preferred payment method for criminals behind cyber-attacks.

Law enforcement guidance is that generally businesses should not pay ransoms to decrypt files. However in practice victims may find themselves in the unenviable position of being forced to either make a ransom payment to decrypt their systems or suffer greater financial harm from lost activity.

We discuss some of the steps companies can take in the aftermath of a ransomware attack, and if forced to make a ransom payment, how the chances of recovery may be maximised through the swift engagement of crypto currency tracing specialists.

Facts Of the Case

Late in 2019 the security systems of a Canadian insurance company (the “Insured”) were bypassed and subject to a ‘ransomware’ attack as a hacker managed to install malware (BitPaymer) onto their computer systems, encrypting them. On 10th and 11th October 2019 the hackers demanded a ransom be paid via Bitcoin to decrypt the Insured’s systems. The hackers left a note to the Insured on their encrypted system with instructions on how they could be contacted to pay the ransom and obtain the necessary decryption tools.

The Insured was insured by an English insurer who was the applicant in the current case (the “Insurer”). The Insurer instructed an incident response company to handle communication with the hackers. The hackers stated that they required a ransom of USD $1,200,000 to be paid in Bitcoin before they would release the decryption tool to the Insured. The final ransom was agreed to be USD $950,000 (109.25 Bitcoins) which the Insurer agreed to pay.

After payment of the ransom and decryption of the Insured’s systems, the Insurer undertook further investigations and engaged Chainalysis Inc, a multinational blockchain investigations firm specialising in tracking the payment of crypto currencies. Whilst it emerged some of the Bitcoins making up the ransom payment had already been transferred into ‘fiat’ currency, it was possible to trace the remaining 96 Bitcoins into a specified address at a crypto currency exchange called Bitfinex.

The Insurer applied for several forms of relief, including an order for Bitfinex to disclose information on the individuals holding the accounts to which the Bitcoin had been transferred, a proprietary injunction against Bitfinex in respect of the 96 Bitcoins that had been traced to an account there, and for alternative service on the defendants.

Judgment

The judge concluded that the requirements to order a proprietary injunction were met. There was a serious issue to be tried, and damages would not be an adequate remedy where the Bitcoins could be readily dissipated.

Notably, the judgment discussed the status of crypto assets as property under English law as a preliminary point: “the first and perhaps fundamental question that arises in relation to this claim for a proprietary injunction” was whether the Bitcoins “are property at all.” It was set out that the difficulty in relation to assets such as Bitcoin is that they are neither chose in possession, nor chose in action (i.e. they are virtual, intangible and not capable of possession, nor do they embody any right capable of enforcement).

Discussion focused on the legal statement of the UK Jurisdiction Task Force on “Crypto Assets and Smart Contracts” (available here), which had concluded that “cryptoassets possess all the characteristics of property set out in the authorities”. It was held in this case that crypto assets were property, and that Bitcoin was therefore a form of property capable of being the subject of a proprietary injunction.

The other applications, for Bitfinex to identify the individuals behind the account and for alternative service, were also granted. Although Bitfinex had said they were required to be served in the British Virgin Islands, the urgency of the application and the fact that Bitcoins could be dissipated “at the click of a mouse”, meant that service on Bitfinex via email was appropriate.

Key Takeaways

• This is an important English judgment explicitly confirming that crypto currencies are property and backs this conclusion with detailed discussion. This judgment follows cases in other common law jurisdictions reaching similar conclusions from New Zealand (Ruscoe & Moore v Cryptopia Ltd [CIV-2019-409-000544] [2020] NZHC 728) and Singapore (Quoine Pte Ltd v B2C2 [2020 SGCA (I) 02)]. Previous English High Court decisions had treated crypto currencies as property, but had not considered the issue in detail.
• Whilst National Crime Agency guidance remains that generally ransoms should not be paid as there is no guarantee that access will be restored to systems that are the subject of a ransomware attack, this judgment may give some comfort to those for whom this is not an option. In practice many companies feel they have little choice but to give in to ransom demands if the victim of an attack, and the costs of a ransom may be relatively small compared to the cost of lost business activity. The outcome of this case shows that by acting quickly and employing tracing specialists, the courts may be able to assist in taking steps to recover a ransom paid in crypto assets.
• Transactions in Bitcoin are public, even if the identities of the transacting parties are anonymous. The alphanumeric wallets created to send and receive Bitcoins are unique and publicly linked to the transactions they have made (the history of transactions associated with a wallet is also public) and from this and other public information specialist organisations may be able to trace payments to real world entities. This case is only the latest example of a claimant able to take steps to recovery after successfully tracing the payment of their Bitcoins. The issue had previously arisen in Robertson v Persons Unknown (unreported), where the claimant was able to trace 80 out of 100 stolen Bitcoins to a wallet at Coinbase UK and obtain an asset preservation order (Chainalysis was also involved in tracing the Bitcoins in that case). Whilst there is no guarantee that payments of crypto currency can be recovered, the success in these cases emphasises the importance of involving specialists from an early stage to maximise the chances of recovery.
• This judgment also confirms the courts are cognisant of the other hurdles associated with recovering crypto assets transferred to a wrongdoer. Allowing the applicant to serve via email (despite requests to the contrary), was specifically justified on the basis that it was possible to quickly dissipate Bitcoins.
• The valuation of crypto assets was not discussed in this case, but remains an issue to be borne in mind when considering making a claim for recovery. In Vorotyntseva v Money-4 Ltd [2018] EWHC 2596 (Ch) the valuation of Ethereum and Bitcoin in GBP was fixed by reference to a specific date to take into account the volatile nature of cryptocurrencies. Given this volatility, victims of ransomware should act quickly to maximise the value of any recovered crypto assets paid out as ransom. Identifying a specific date to calculate exchange values is also likely to be a prudent step.
• Many insurance policies already cover the payment of ransoms following cyber-attacks, and the outcome in this case may make insurers more comfortable with the idea of making payments. However companies may face stricter requirements for staff training and information security as pre-conditions for cover in order to avoid reliance on insurers being viewed as the default option.

If you have any questions concerning the material discussed in this client alert, please contact the following members of our White Collar Defense and Investigations practice.