The Dangers of Suing Crypto Exchanges After Ransomware Attacks

In October 2019, unknown hackers infiltrated a Canadian insurance company by installing the malware BitPaymer, which encrypted the company’s data and IT systems. The hackers demanded a ransom of $ 1.2 million in Bitcoin (BTC) in exchange for the decryption software the company needs to regain access to its systems.

The company’s UK-based insurer – known only as AA – arranged for the payment of the BTC ransom, and the company’s systems were back up and running in a matter of days. Meanwhile, AA started the process of seeking legal ways to get back the BTC obtained by the hackers. It engaged the blockchain research firm Chainalysis, whose investigation found that 96 of the 109.25 BTC paid had been transferred to a wallet linked to the Bitfinex exchange.

So far this story is (unfortunately) far from unusual. Bitcoin is responsible for the vast majority of ransomware payments due to its anonymity, accessibility (making it easier for victims to pay the ransom) and verifiability of transactions (allowing criminals to confirm that the payment was made). What is unusual about this story, however, is that it sparked a 14-month legal battle between AA and Bitfinex, a battle that was only recently concluded after AA dropped its claim against Bitfinex in the UK Supreme Court.

After tracing the stolen BTC to the Bitfinex platform – and with the identity of the hackers still unknown – AA filed a lawsuit against Bitfinex in December 2019. Again, this is not uncommon: UK courts have a wide variety of remedies available to them. decision to assist victims of fraud in trying to recover their belongings. In cases where banks, exchanges or other intermediaries may unwittingly receive or hold misappropriated or stolen assets, victims of fraud have been able to rely on:

  • Norwich Pharmacal orders, which require a third party to disclose certain information to the applicant that can aid in recovery efforts. In this context, the information would be the identity of the wallet holder to which the BTC was traced, and / or details of other transactions involving the BTC since receipt by the wallet associated with the exchange.
  • Freezing of orders preventing suspected fraudsters from handling their assets until further notice. An exchange that has been notified of a freeze order related to a customer must take steps to freeze the account to prevent the customer from withdrawing and distributing funds.
  • When it can be determined that the third party owns property belonging to the fraudster, property bans can be obtained to prevent the third party from handling that particular property. Linked orders are often made to require the subject of a proprietary order to disclose Norwich Pharmacal-type information as explained above.

Cryptocurrency as Ownership in the UK

The UK courts are very familiar with the foregoing remedies when it comes to bank accounts and fiat currency. More recently, the courts have been grappling with how these principles apply to cryptocurrency. However, it is clear that the courts are willing to apply legal principles in a flexible manner to ensure that these remedies are available to victims attempting to recover stolen crypto assets.

In the AA case, Judge Simon Bryan ruled – for the first time – that Bitcoin could be classified as property under UK law, meaning that he could issue a ban on ownership of that property. This seems obvious, but traditionally the law sees property as something that can either be tangibly owned or enforced by the right to sue. Cryptocurrency obviously doesn’t meet both requirements, but the courts have taken a pragmatic approach to ensure that new intangible assets, such as cryptocurrency, are considered ownership.

This flexible approach allowed AA to obtain a temporary injunction. Bitfinex froze the account and provided AA with information about the identity of the customer who owned the wallet containing the stolen BTC.

However, it turned out that the BTC had been transferred again before Bitfinex was contacted by AA’s lawyers and could not be returned. AA reached a confidential settlement with Bitfinex’s customer (also a defendant of AA’s claim) and then turned to Bitfinex in an attempt to receive additional compensation. The insurer has made a number of legal claims against Bitfinex, including the claim that the exchange received the BTC (or the traceable proceeds) when it was owned by AA. As such, AA stated that a legal trust should be imposed, with Bitfinex accountable to AA before the BTC. It was also argued that Bitfinex was reckless as to whether the BTC was lawfully transferred to the relevant wallet.

These are difficult arguments to prove, and after Bitfinex sent its detailed legal defense and response to AA’s claims, AA finally decided to give up its claims against Bitfinex. But this was not quite the end of the story. When a plaintiff leaves his case, the default position is that he must pay all of the defendant’s costs. However, AA argued that its liability for costs should be reduced by 50%, based on Bitfinex’s allegedly “unreasonable” behavior. The parties fought this out at a Supreme Court hearing in January, culminating in the court ruling that there was no unreasonable behavior that would warrant any reduction. AA was therefore ordered to pay 100% of Bitfinex’s litigation costs, including the cost of its own failed filing to reduce those costs.


Understandably, victims of fraud – who may not be able to successfully prosecute the actual fraudster – could be tempted to engage in a cryptocurrency exchange with deep pockets, perhaps in the simple hope that they can reach a modest settlement. and avoid the time and expense of complex legal proceedings.

Cyber ​​insurers such as AA could calculate that the cost-benefit ratio of those steps would be justified. However, exchanges such as Bitfinex will continue to vigorously defend itself, especially when the legal merits of claims are extremely challenging, ultimately attempting to drag an innocent exchange into the fallout of a cybercrime that it was neither aware of nor involved in. used to be.

This article was contributed by Stephen Elam and Shelley Drenth

The views, thoughts and opinions expressed here are the sole ones of the authors and do not necessarily reflect or represent the views and opinions of Cointelegraph.

This article is for general information purposes and is not intended and should not be construed as legal advice.

Stephen Elam is a partner and Shelley Drenth is an associate at Cooke, Young & Keidan LLP, a litigation law firm that regularly advises on litigation and regulatory issues related to cryptocurrency.