Recovering Ransomed Bitcoin Sent To Exchanges – Bitcoin Magazine
This is an opinion editorial by Matthew Green and Brian Mondoh, contributors for Bitcoin Magazine.
With all the available cryptocurrencies, including anonymity-designed bytecoin, monero and zcash, ransomware attackers continue to demand bitcoin and some reports show darknet markets are fuelled by bitcoin transactions (see pages 54 and 109 of the Chainalysis 2022 Crypto Crime Report). Seemingly, bitcoin remains one of the most valuable assets for criminals utilizing blockchain technology given its relative stability, price and relevance.
Similarly, in many cases, where other cryptocurrencies have been stolen, obfuscated or paid as part of a scam, funds are transferred into bitcoin and then extracted as fiat. In August 2021, Liquid exchange announced that 67 different ERC-20 tokens, along with large quantities of ether and bitcoin, had been moved by a party working on behalf of the Democratic People’s Republic of Korea. The attacker swapped numerous tokens including ERC-20 tokens to ether and then bitcoin before cashing out. As a result, approximately $91.35M was laundered. Similar transfers were made in the Spartan Protocol hack in May 2021 where the attacker was able to steal approximately $30 million from the project.
While large-scale attacks worth hundreds of millions of dollars are investigated by the government bodies designed to fight criminal activity, similar values of bitcoin are extracted from people and businesses everyday. There are now systems in place to allow private individuals, including corporate entities, to trace their assets (and their proceeds) and use the court system to make them whole.
This approach has been exercised routinely in the English court system and is on the rise in other common law jurisdictions, which rely on precedents to match victims back with their funds. Below is a summary of the legal and practical journey of how this has come to be.
When Bitcoin Became Property
In England, prior to December 2019, the question of whether cryptocurrencies were property under law was still undetermined. Common law dictates that property is either something capable of being possessed or enforced by an action (like a debt), and the law had difficulty categorizing bitcoin in this way. A “Legal Statement On Crypto Assets And Smart Contracts” prepared by the U.K. Jurisdiction Taskforce (UKJT) only a month before noted “cryptoassets have all of the indicia of property,” the first sign of bitcoin’s recognition as property.
The question was finally considered in court in December 2019 (see: AA v Persons Unknown & Ors, Re Bitcoin). A Canadian hospital fell victim to a malware attack, a ransom was demanded in bitcoin and paid its London insurer. Payment of the ransom led to the recovery of the hospital’s data and access to its systems. However, the insurer sought to trace and recover that ransom given the flow of transactions could be seen on the blockchain. The insurer then instructed a blockchain analysis firm to assist with the tracing of the ransom’s proceeds, which ended up at Bitfinex, an exchange listed in the British Virgin Islands.
Knowing this the insurer then applied to the High Court in England for interim relief to freeze the funds, to freeze the worldwide assets of the individuals who controlled the depositing address at Bitfinex and for disclosure orders. It is worth nothing that the identity of the individual who controlled the relevant address was not known, so more information was needed before the insurer could continue.
In order to obtain these reliefs, the court had to determine whether bitcoin was property, and the judge noted on the judgment that, “I am satisfied for the purpose of granting an interim injunction in the form of an interim proprietary injunction that cryptocurrencies are a form of property capable of being the subject of a proprietary injunction.”
As a result, bitcoin and cryptocurrencies in general could be treated as “real property” like any other asset, and (theoretically) be frozen, transferred and dealt with like other property such as a car, a house or fiat money.
Why Is This Important?
The “AA v Persons Unknown” case saw the first proprietary injunction over bitcoin. This means that the bitcoin paid — or its traceable proceeds, in this instance those found at Bitfinex — were frozen and subject to the determination of the English High Courts. The insurer now had its bitcoin ring-fenced. The insurer’s application therefore resulted in the freezing of those funds, the identity, including know-your-customer documents held by Bitfinex of the person who controlled the depositing address, and a worldwide freezing injunction over their assets.
Now there was a precedent to trace, freeze and recover bitcoin, available to private individuals who could use the courts to exercise their rights as a victim of fraud. Importantly, the aim is to trace and chase the funds, not necessarily the party that committed the fraud in the first place, although the depositing address holder and the initial criminals are usually linked, proven by blockchain analysis, open-source intelligence or law enforcement. It is always worth informing the authorities of any crime that has been committed in any event.
There are now a swathe of cases in England, the U.S. and Singapore where bitcoin and other cryptocurrencies have been frozen to assist recovery, including enforcement of third-party debt orders, which compel an exchange to transfer funds from an address to the victim.
Challenges To Consider
Despite an increasing number of recoveries, it is worth turning to certain obstacles.
First, there are commercial considerations, like how much was lost and whether it is worth instructing investigators and lawyers. Experts are not always cheap and if the sum lost is nominal, it may not be worth pursuing. Second, which jurisdiction is relevant? Taking England as an example, if either the victim is domiciled there, the fraudster has been linked or if the fraud occurred in England, then usually the English courts will have jurisdiction to consider these cases. Without one of these, the victim may have to pursue their case in another, more relevant territory.
Next is to consider the tracing report, which shows the flow of funds, from the point they left the victim or relevant account, to where they are now. Consider where the funds have gone, whether they reached an exchange at this point (live tracing is usually available) and if so, which exchange. From experience, and using England again as an example, exchanges want to be seen as doing the right thing by complying with English court orders, and the risk of breaching them and subsequent negative press is a strong factor. In that respect, to obtain the key information from the exchanges, applications against those exchanges are necessary and considering which to pursue is important.
Once assets have been frozen, the next steps depend on who controls the address of the funds. They may want a quick deal, may not respond at all or may want to litigate, although usually individuals connected to criminal activities do not want their business immortalized in court papers.
In the event the court agrees that the assets are the victims’ and orders that they should be transferred, victims need to consider enforcement, i.e., how they get their funds back. Third-party debt orders compel exchanges to transfer assets, but where this is not available, other tactics come into play and vary depending on the circumstances. It may be individuals who have been identified as further address holders, purported officers of the fraudster company or otherwise, and insolvency proceedings may be brought against them, especially where conspiracy and joint and several liability are available. Settlement however, on the basis that they have responded, is always preferable to all parties involved.
Recoveries In Different Fields
While stories of decentralized exchange hacks of hundreds of millions of dollars litter headlines, it must be remembered that individuals who fall victim to romance scams, insurers paying ransoms, scam victims generally and insolvency proceedings involving digital funds, there are ways to investigate and recover bitcoin and other blockchain-based assets.
Importantly, where victims can club together to create a group suitable for a class action lawsuit, litigation funding may be available and the cost of the process shared. It may also result in mass recovery, assisting those who have only lost a little.
Separately, insurers, who continue to pay ransoms in bitcoin on behalf of their clients, may be able to recover those ransoms and break the cycle of payment, which fuels the continuation of the ransomware industry. Insurers can become the solution, by making good on their contract with their client and depriving the criminals of their ransom.
There are endless applications for recovery, including bitcoin where appropriate, and as common law precedents continue to mount, best practice measures will continue to develop. The U.K. continues to recognise the value of swift and effective asset recovery remedies, and on April 22, 2021, the UKJT published the “Digital Dispute Resolution Rules,” which seeks to facilitate the speedy and cost-effective resolution of commercial disputes digital assets and blockchain. In sum, the U.K. is taking disputes involving blockchain seriously and the inherent flexibility of common law jurisdictions continues to focus on assisting victims and recovering ill-gotten gains.
This is a guest post by Matthew Green and Brian Mondoh. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.