A recent English High Court decision means that extorted cryptocurrency payments may now be recovered by obtaining an injunction. The High Court case of AA v Persons Unknown arose in the aftermath of a ransomware attack on a Canadian company’s computer system. The hackers installed malware which encrypted the system and then demanded a USD$1.2 million payment in Bitcoins for the decryption software.
The company had insurance against such cyberattacks and the insurer rapidly became involved. It hired an incident response company to liaise with the hackers and a ransom payment of $950,000 was agreed. The insurer then paid the Bitcoin equivalent, 109.25 Bitcoins, to the hackers who then sent the decryption software.
The insurer then hired consultants who located the Bitcoins at an exchange and found that 96 of the 109.25 Bitcoins extorted remained in the account. The insurer commenced legal proceedings to recover the Bitcoins, asking the High Court to grant a proprietary injunction over the remaining 96 Bitcoins, as they were paid over under extortion. The court allowed the proceedings to be heard in private, to avoid tipping off the hackers. The first two defendants, described as persons unknown. were the hackers. The Bitcoin exchange, which held the extorted Bitcoins, was also included in the proceedings.
However, before the court could grant a proprietary injunction over the Bitcoins, the court had to consider whether Bitcoins could be regarded as “property” in law. While there is no general or comprehensive definition of property in statute or case law, English law traditionally recognises two kinds of personal property known as choses in possession, (or “things in possession”) and choses in action (or “things in action”). Choses in possession represent rights which can be enforced or acquired by taking physical possession of the object e.g. a legal mortgage. . Choses in action are rights over property which can only be claimed or enforced by action and not by taking physical possession e.g. money due on a debt.
Cryptocurrencies do not fit either category, since they cannot be physically possessed and do not embody a legal right. In analysing the issue, Mr Justice Bryan noted that “This exact issue has recently in November 2019 been the subject of detailed consideration by the UK Jurisdictional Task Force (“UKJT”) which has published a legal statement on Crypto assets and Smart contracts”.
Mr. Justice Bryan went on to consider carefully the UKJT legal statement in detail, finding it to be “compelling” and holding that it should be adopted by the court. Mr. Justice Bryan ultimately held that “a crypto asset might not be a thing in action on a narrow definition of that term, but that does not mean that it cannot be treated as property. Essentially, and for the reasons identified in that [UKJT] legal statement, I consider that crypto assets such as Bitcoin are property. They meet the four criteria set out in Lord Wilberforce’s classic definition of property in National Provincial Bank v Ainsworth [1965] 1 AC 1175 as being definable, identifiable by third parties, capable in their nature of assumption by third parties, and having some degree of permanence.” The Bitcoins were therefore held to be property and a proprietary injunction was granted, enabling them to be recovered.
Whether courts are capable of making determinations on matters relating to the ownership of cryptoassets remains a grey area in many jurisdictions, however the UK has made significant strides in resolving the issues raised by cryptoassets in recent months. The High Court’s landmark ruling that cryptocurrencies are legally capable of being property has been followed in the High Court of New Zealand in the case of Ruscoe and Another v Cryptopia Ltd in Liquidation [2020] NZHC 728 (Gendall J).* These rulings also imply greater legal certainty surrounding their legitimate use.
The November 2019 UK Jurisdiction Task Force statement, which was so enthusiastically endorsed by the High Courts of England and New Zealand , came to conclusions which have already foreshadowed and may yet further prefigure the position as to cryptocurrencies more widely. Its findings included that:
- Cryptoassets have all the characteristics of property, namely, that they are definable, identifiable by third parties, capable of assumption by third parties and have some degree of permanence or stability;
- Cryptoassets are not disqualified from being property by the novel or distinctive features many possess, which can include intangibility, cryptographic authentication, use of a distributed ledger, decentralisation and rule by consensus; and
- A cryptoasset, comprising a conglomeration of public data, a private key and system rules, is treated as property. However, a private key cannot, of itself, be viewed as property.
Interestingly, following the judgment in AA v Persons Unknown, HMRC clarified its guidance on the tax status of cryptoassets. The revised guidance stated that cryptoassets would be property for the purposes of inheritance tax.
If cryptoassets become more widely recognised and contracts involving cryptocurrencies are more easily enforced, their use may increase as public confidence grows. Of course, unlike a traditional or fiat currency, there is no central bank or government to back a cryptocurrency or to manage the systems underpinning it. However, that is often the very reason that cryptoassets are attractive to users.
Cryptocurrencies are used for both proper and improper purposes. Some use cryptocurrencies precisely to avoid the need to deal with banks and governments. Others are attracted by the relative anonymity that cryptocurrencies provide, by disassociating the transaction from the user’s personal identity. Others enable users to send and receive payments without requiring external approval while limiting banking fees.
The use of cryptocurrencies is likely to remain niche until people and businesses globally can feel confident to seek recourse to the courts in respect of disputes or criminal activities involving cryptoassets. The judgments of the English High Court in AA v Persons Unknown and the New Zealand High Court in Ruscoe and Another v Cryptopia Ltd in Liquidation represent an important step in that direction. If other jurisdictions follow suit, cyber criminals may find it increasingly difficult to avoid the long arm of the law, as it reaches deeper into cyberspace.
* My thanks to Nik Yeo, Fountain Court Chambers, for bringing this case to my attention.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.