Case summary – AA v Persons Unknown
In the English Commercial Court case of AA v Persons Unknown[1], which was handed down late last year (13 December 2019) and released for publication on 17 January 2020, the claimant, an English insurer whose request to be anonymised was granted (the Claimant), brought a claim against certain persons unknown as well as entities trading as Bitfinex (the Defendants) following a cyber ransomware attack on one of the Claimant’s insured customers who had paid a ransom of USD950,000 by way of 109.5 Bitcoin. The Claimant’s application was for both an information disclosure order (known as a “order”) in relation to Bitcoin accounts held with the Defendants into which part of the ransom payment (96 Bitcoin) had been traced, and a proprietary injunction to prevent any payment away of the Bitcoin sitting in that account. The court, after determining that cryptocurrencies are under English law a form of property capable of being the subject of a proprietary injunction, ruled in favour of the Claimant and granted both the disclosure order and the injunction, with the Claimant’s request for a worldwide freezing order being left to a later date to be determined. The disclosure order allows the Claimant to attempt to obtain relevant identification information relating to the “Persons Unknown” who are the account holders in respect of the account operated by Bitfinex to which the Bitcoin were transferred.
Cryptoassets as property and the importance of the UKJT Legal Statement
Readers will remember our FinBrief on the UK Jurisdiction Taskforce’s Legal Statement and the importance of its guidance and conclusion that cryptoassets should be characterised as property. The impact and importance of this assessment are highlighted in Mr Justice Bryan’s judgment in this case, which refers throughout to the legal considerations put forward in the Legal Statement, often quoting passages directly from it to set out his rationale for the conclusions reached. He highlights that while the Legal Statement is not a statement of law, it was a relevant consideration given the ‘detailed and careful consideration’ of the proprietary status of cryptocurrencies which was set out in the Legal Statement. The consideration, and ultimately the acceptance, of cryptoassets as property is what allowed the Claimant to obtain the urgent proprietary injunction mentioned above. Notably, the judge was also persuaded to grant alternative service out of the jurisdiction of England and Wales by e-mail on the Defendants (which were British Virgin Islands companies), demonstrating the novel legal issues and remedies that cryptocurrencies raise when assets can be transferred, as the judge put it, “at the click of a mouse”.
Cyber ransom cases on the rise?
This is not the first case of its kind to be brought before the courts (the judgment references the cases of Vorotyntseva v Money-4 Limited, trading as Nebeus.com [2018] EWHC 2598 (Ch) and Liam David Robertson v Persons Unknown (unreported)), and it will most likely not be the last. There are many questions which remain unanswered and untested (at least for now). Principal among those is the level of identification information which digital asset exchanges such as Bitfinex should be required to request and maintain from their customers, as well as the traceability of accountholders, which results in difficulties with enforcement of judgments where the unidentified persons may well be outside of the jurisdiction of English courts. The new anti-money laundering directive (AMLD5) and FATF standards aim to address some of the concerns.
It is important to remember that while this is a clear indication of support for conclusions outlined in the Legal Statement, Mr Justice Bryan did clarify in his judgment that he is satisfied ‘at least to the level required for the purposes of this application for interim relief’. This is not the outcome of a fully considered trial or, indeed, one which was defended and it therefore remains open to challenge. Nonetheless, it is likely that this decision will be of interest in future corporate and insolvency cases where practitioners will be looking to identify, recover and / or dispose of cryptoassets which a company has acquired.
There is also a wider consideration of the best-practice cyber security measures to deter increasingly common ransomware attacks. While this was not a principal legal consideration in this particular case, recent statistics show that ransomware attacks grew by 118% last year[2] and, if incidents like the attack on Travelex by ransomware hackers on New Year’s Eve are anything to go by, incidents are unlikely to decline. While not a preventative measure, proprietary injunctions and disclosure orders may offer some recourse to victims of similar ransomware attacks where ransom amounts have been paid out and transferred between accounts. For guidance on cybersecurity risk management head over to our cybersecurity services overview page.
When the worst-case scenario does happen, service providers like Chainalysis look to provide detailed after-the-event analysis, which includes tracing the flow of funds across blockchains. They are described in the judgment as a blockchain investigations firm who traced the ransom to the Bitfinex accounts in this case, and they are also referenced in the earlier case of Liam David Robertson v Persons Unknown. Bitfinex for their part made a statement[3] in which they are clearly seeking to distance themselves from the “wrongdoing” in which they have become mixed up, as described in para 35 of the judgment. Whether that is ultimately the case, and what the consequences will be for exchanges like Bitfinex where there is evidence of “bad actor” behaviour, remain to be seen.
Footnote 1: [2019] EWHC 3556 (Comm)
Footnote 2: McAfee Labs Threats Report, August 2019
Footnote 3: Cointelegraph.com