4 February, 2020
The Court in AA v Persons Unknown [2019] EWHC 3556 (Comm) (17 January 2020) ordered injunctive relief against unknown persons accused of extorting ransom payments in the form of Bitcoin worth $950,000 from an insurance company, following a cyber-attack. The judge also allowed the hearing to be held in private on the basis that publicity would defeat the object of the injunction and potentially allow the ransom payment to be dissipated and/or fuel reprisal attacks.
Speedread
Cyber-attacks leading to bribery and extortion are every business’s worst nightmare. Businesses need to have ready a toolkit of technical, commercial and legal options to manage the breach. The English Courts are addressing the need to develop legal tools to assist the victims of attacks to trace and recover extorted funds. Such tools include the ability to apply urgently to the Court for orders to unmask the hackers and freezing injunctions to prevent dissipation of any stolen assets. The case of AA v Persons Unknown [2019] EWHC 3556 (Comm) is the latest step and the first time the legal status of cryptocurrency has been the subject of judicial scrutiny since the UK Jurisdiction Task Force issued its Legal Statement on the topic. The treatment of Bitcoin as ‘property’ in this case enabled the victim to establish a proprietary interest in the funds that had been extorted. The case highlights the importance of establishing clear protocols for responding to attacks if the worst does happen.
Background
A Canadian insurance company was subject to a cyber-attack in which hackers infiltrated and bypassed the company’s firewall and other perimeter defences and installed “BitPaymer” malware (a trojan horse that runs on Microsoft Windows), with the effect that all of the company’s computer systems (and therefore all of its customer data) were encrypted.
The hackers sent the following message to the company:
“Hello […] your network was hacked and encrypted. No free decryption software is available on the web. Email us at […] to get the ransom amount. Keep our contact safe. Disclosure can lead to impossibility of decryption. Please use your company name as the email subject.”
Bitcoin ransom payment
The company was insured against cyber-attacks. Its insurer appointed an Incident Response Company (IRC) that provides negotiation services in relation to cryptocurrency ransom payments. Following negotiation by IRC on the company’s behalf, the hackers demanded a ransom of $950,000, to be paid in Bitcoin, in return for which they would provide a tool which would decrypt the company’s network. The company’s insurer agreed to pay the ransom in return for the tool.
The insurer had an agent who assisted with the purchase and transfer of Bitcoin. The agent was instructed to purchase 109.25 Bitcoins (equating to $950,000 based on the USD/Bitcoin exchange rate at the time) and transfer them to the wallet provided by the hackers, following which the hackers provided access to the decryption tool.
It took the IRC a total of five days to decrypt the company’s 20 servers, and a further 10 business days to decrypt its 1,000 desktop computers.
Tracing the culprits
With the assistance of a specialist blockchain investigations firm, the insurer traced the vast majority of the ransom payment to an account held in a Bitcoin exchange. It was inferred that that exchange would hold information on the identity of the hackers by virtue of its KYC anti-money laundering procedures.
Are cryptocurrencies “property” under English law?
The judge was required to consider certain novel legal issues relating to cryptocurrencies, including whether they are capable of satisfying the legal status of “property” in the absence of all of the traditional qualities of a chose in possession (capable of being possessed in a tangible sense) or a chose in action (a right capable of being enforced by action).
The judge concluded in this case that cryptoassets such as Bitcoin are “property”. In his Judgment, the judge made reference to the report of the UK Jurisdiction Task Force: “Legal Statement on cryptoassets and smart contracts”. While the Legal Statement was not binding as a statement of law, the judge considered that its analysis was “compelling”. The judge found that Bitcoin met the four criteria set out in the classic definition of property, being: (a) definable, (b) identifiable by third parties, (c) capable in their nature of assumption by third parties, and (d) having some degree of permanence (Lord Wilberforce in National Provincial Bank v Ainsworth [1965] 1 AC 1175).
The Court’s findings were made in the context of an application for interim relief and so cannot be regarded as a definitive statement of the legal position under English law, but they are a clear judicial endorsement of the Legal Statement, and are consistent with the approach taken in other common law jurisdictions such as Singapore (in B2C2 Ltd v Quoine Pte Ltd [2019] SGHC(I) 03). All cryptoassets are different, but we can have some confidence that English Courts are likely to find that established tradeable cryptocurrencies will be treated as ‘property’.
Unmasking the hackers and recovering funds
There are a number of legal tools that can be used to assist in unmasking hackers, tracing and freezing the stolen or extorted funds, and ultimately recovering those funds.
In this case the claimant sought a ‘Norwich Pharmacal’ (or ‘Bankers Trust’) order against the Bitcoin exchange, requiring it to identify the account holder (likely to be the hacker). This is often a useful tool, but appears to have been problematic in this case because the Bitcoin exchange was based outside of England and Wales.
However, the confirmation of Bitcoin as ‘property’ meant that the Court could grant a proprietary injunction preventing the onward disposal of the Bitcoins. The Court concluded that there was a good arguable case (for the purpose of interim relief) that the extorted Bitcoins were “property obtained by fraud” and therefore that the Bitcoin exchange was holding them as constructive trustee on behalf of the Claimant. Ancillary to the proprietary injunction, the court ordered the Bitcoin exchange to identify the account holders “within short order” (thus hopefully identifying the hackers).
Complex jurisdictional issues may lie ahead in terms of enforcing the injunction outside of England and Wales, but the judgment provides a strong platform to allow the claimant to secure the funds (preventing their onward dissipation) and unmask the hackers.
The Courts support the recovery of stolen funds
This case further demonstrates that in well-prepared cases supported by cogent evidence, Courts in England and Wales will take a flexible approach to delivering legal solutions for the victims of cyber-attacks. In particular, in appropriate cases the Court can:
- permit legal actions against “persons unknown” at a stage where the perpetrators have not yet been unmasked
- establish jurisdiction over persons outside of England and Wales where the relief sought falls within established gateways
- permit quick service by alternative means (e.g. on a known email address)
- order that hearings take place in private and/or impose reporting restrictions where it can be shown that there is a real risk of the assets in question being dissipated, or repeat or reprisal attacks on the victim
Further reflections on “ransomware” attacks
“Ransomware” attacks put businesses in an unenviable position. The guidance of the National Crime Agency and the National Cyber Security Centre is not to pay the ransom. Payment of the ransom does not guarantee that the perpetrators will release the decryption key (or that it will work) and some commentators have argued that cyber-criminals are more likely to target a company which has previously paid a ransom demand. Paying a ransom may also cause the victim to fall foul of money laundering regulations, sanctions rules or even rules on funding terrorism (particularly in cases where the victim is unable to identify the perpetrators and they may be an organised crime syndicate, a terrorist group, or funded by a nation-state which is subject to US or EU sanctions). It is also important to note that while in this case the ransom payment appears to have been insured, some cyber risks insurance may not extend to the payment of ransoms.
Conclusion
In many ways, this case is no different from any other case of extortion or blackmail, where ransom money is paid out through traditional banking routes. The treatment of Bitcoin as ‘property’ in this case meant that hackers could not escape legal remedies to track them down and secure the funds.
Whilst businesses rightly focus on preventing cyber-attacks from within their own IT infrastructure, no business is immune to such attacks. The victim in this instance appears to have had a robust response protocol in place including a network of intermediaries who assisted with the negotiation and payment of the Bitcoin ransom, as well as, crucially, tracing the payments, thereby enabling prompt legal action to be taken. Ransom demands continue to place businesses in an invidious position, and this case highlights the importance of establishing in advance clear protocols for responding to attacks if the worst does happen.
John Siu, Partner, Eversheds Sutherland
johnsiu@eversheds-sutherland.com