The case is a symptom of the dramatic spike in the number of ‘ransomware’ cyber attacks in the last 12 months. Hackers are increasingly locking organisations out of their own networks and demanding significant ransoms to unlock the networks for those organisations. In the United States, many of the attacks are against municipal authorities and utilities. It is difficult to obtain accurate statistics of the prevalence of ransomware cyber attacks because many victims ‘quietly pay off their attackers without notifying the authorities’. However, the best available data suggests that in 2019, over 205,000 organisations submitted files that had been hacked in a ransomware attack – a 41% increase from the year before. Further, the average payment to release files was over USD 84,000 in the last quarter of 2019, and over USD 190,000 in December 2019 when several organisations faced ransom demands for sums in the millions of dollars.
A hacker infiltrated a company’s computer system and installed malware that encrypted all the data in the company’s entire computer system so it was locked and not usable by the company. The hacker demanded a ransom in bitcoin. The company’s cyber insurer made this payment. In return, the hacker provided the company with the decryption tool needed for the company to unlock its computer systems.
The ransom payment was an amount of 109.25 bitcoins (then equivalent to USD 950,000), made on behalf of the insurer to a bitcoin public address nominated by the hacker. The insurer then took steps to trace the payment. Some of the bitcoin was converted into central bank currency, but 96 bitcoins (equivalent to approximately USD 947,000 as of 10 February 2020) were ultimately traced to public bitcoin addresses associated with the Hong Kong-based exchange Bitfinex. It was in this context that the insurer made an urgent application to the High Court in London in December 2019, listing the unknown hackers and companies operating the cryptocurrency exchange Bitfinex as defendants. There is no suggestion that Bitfinex acted improperly.
What did the court say?
Here are the key points:
- The judge granted the insurer’s application for the hearing in December 2019 to be in private. This was because publicity would destroy the object of the hearing, by tipping off the hacker that steps were underway to capture the bitcoin that had been traced to the relevant public address. This was on the basis that the judgment would be made public once the hackers were served and/or the bitcoin was recovered. One or both of those things must have happened by 17 January 2020, when the judgment arising from the private December hearing was published.
- It is highly unusual for hackers to use cryptocurrency exchanges. For understandable reasons, the details of how the insurer was able to trace the bitcoin are not set out in the judgment. However, it seems reasonable to infer that the insurer initiated proceedings against Bitfinex because the insurer believed that Bifinex (either exclusively or concurrently with the hackers) had knowledge of the private key needed to ‘unlock’ the value of the bitcoin traced to the relevant public address.
- The judge concluded that, for the purpose of granting an interim injunction in the form of an interim proprietary injunction, cryptocurrencies like bitcoin were a form of property. In particular, cryptocurrencies met the four criteria set out in National Provincial Bank v Ainsworth of being definable, identifiable by third parties, capable in their nature of assumption by third parties, and having some degree of permanence.
- At the start of the hearing, the insurer sought ‘Norwich Pharmacal and/or Bankers Trust’ orders. Broadly, a Norwich Pharmacal order, if granted, compels the respondent (who is a third party to another’s wrongdoing) to disclose documents or information to the applicant. The purpose of this relief is to provide the applicant with information that may enable it to identify the wrongdoer (in this case the hackers) or elicit evidence of the claimed misconduct. A Bankers Trust order is similar. It orders a third party to disclose all relevant information (such as information covered by a financial institution’s duty of confidentiality) so the applicant can locate and protect its assets; for example, by way of a freezing order. Ultimately, however, the insurer limited its application to seeking a proprietary injunction, which was granted. The insurer provided an undertaking to amend its claim form to make claims against the defendants for restitution and/or as constructive trustee to recover and take a proprietary claim over monies, including delivery up of the bitcoins.
What are the key takeaways?
- Insurers who make ransom payments in cryptocurrencies are understandably making significant efforts to trace and recover those payments. This case is an example of where tracing was practicable because the value attributable to the ransom payment could be traced to public addresses associated with a cryptocurrency exchange.
- Law enforcement bodies do not recommend that ransom payments be made in these scenarios. Nor is it clear that cyber insurance policies cover them (although that seems to have been the case in this instance).
- If the case arose in Australia and individuals’ personal information was compromised by the hack, it appears to be unlikely that the insured company would be able to avoid its data breach notification obligations solely on the basis that, by paying the ransom and obtaining control of the relevant information once more, it has taken remedial action before the compromise could result in serious harm to the individuals. This is because there is no guarantee that the hacker has not kept a copy of the compromised information to use it at a later stage.
- Judges are increasingly holding that cryptocurrency constitutes property for particular purposes – without, however, conceptualising exactly what aspects of a cryptocurrency enable this conclusion to be reached.
This article is the third in our Cryptocurrency series. You can find our article on Taxation and Digital Currency and our article on The New Zealand Inland Revenue Department releasing three binding rulings dealing with what they describe as “crypto-assets”.
This article is general commentary on a topical issue and does not constitute legal advice. If you are concerned about any topics covered in this article, we recommend that you seek legal advice.
For further information please contact the author or any member of our Fintech, Privacy & Emerging Technologies team
AA v Persons Unknown & Ors; Re Bitcoin  EWHC 2556;  WLR (D) 50.
N Popper, ‘Ransomware Attacks Grow, Crippling Cities and Businesses’ New York Times, 9 February 2020.
See N Popper, note 2.
See N Popper, note 2.
For a more detailed explanation of public and private keys and cryptocurrencies, see D Kreltszheim, ‘Taking and Enforcing Security over Cryptocurrency’ (2018) 34 Australian Banking & Finance Law Bulletin 105 at 105-106.
This is similar to the approach taken by Singapore’s International Commercial Court in B2C2 v Quoine  SGHC (I) 03. Judgment in this case was handed down in March 2019; an appeal was heard in October 2019, and the appeal decision is pending as at 11 February 2020.
It appears that, in this case, Bitfinex may have had either exclusive or concurrent knowledge of the private keys necessary to ‘unlock’ the bitcoin traced from the ransom payments. For more information about the legal issues concerning the operation of cryptocurrency exchanges, see D Kreltszheim, ‘What We Know and Don’t Know about Cryptocurrency Exchanges: A Summary for Finance and Insolvency Lawyers’ (2020) 36 Australian Banking & Finance Law Bulletin (forthcoming).