Tracking Stolen Cryptocurrency - The English High Court Creates a Pathway and a Glimmer of Hope
Off-shore cryptocurrency exchanges ordered to provide information in connection with stolen cryptocurrencies.
Last month, in the case of LMN v. Bitflyer Holdings Inc. et al., [2022] EWHC 2954 (Comm), the High Court ordered six crypto exchanges organised abroad to provide to the Claimant, a crypto exchange incorporated under English law that had been hacked, information about the identity of beneficial owners of stolen cryptocurrencies held on the Defendants' exchanges. In doing so, the High Court provided a pathway under English law to those wishing to recover hacked coins, and perhaps also coins deposited with crypto lending platform that fail to be returned. In the aftermath of the recent bankruptcy of FTX, it can be anticipated that many potential litigants with a connection to England & Wales will find this decision interesting.
What Was the Case About?
LMN, a pseudonym given to the cryptocurrency exchange Claimant, was hacked in 2020, losing several millions of pounds worth of various cryptocurrencies, which represented a portion of its customers' beneficial holdings. The appropriated coins were being held online in one or more of LMN's 'hot wallets', needed to allow transactions to be broadcast from the exchange. Entities such as LMN often operate as custodian, depository and broker for its customers, mingling customers' holdings in omnibus accounts under the exchange's own name. LMN took the position that it was the legal owner of the appropriated coins and had standing to pursue their return, as a bank would have with respect to stolen deposits.
LMN approached the UK authorities upon discovering the hack, but after three fruitless months the Metropolitan Police's Cyber Crime Unit recommended that LMN pursue civil proceedings. LMN instructed lawyers and hired forensic experts CipherTrace to trace the stolen coins by identifying 'address clusters'. But the trail repeatedly went cold when coins were found to have transferred to addresses in the name of exchanges. These addresses appeared to relate to omnibus accounts operated by the Defendants, as to which the identity of the beneficial owners of the commingled coins was known only to the Defendants.
What Order Did the Claimant Seek?
Hence LMN sought an order instructing the exchanges identified by CipherTrace to share information about their customers connected to the appropriated coins that had been traced to the Defendant exchanges. In short, to assist their efforts to trace the stolen coins, LMN wished to obtain the information connected to certain customers' accounts and wallets hosted by the Defendant exchanges, that would have been collected as part of the account-opening procedures in satisfaction of KYC and AML obligations under local law. Presumably hackers generally convey stolen coins to exchange addresses related to omnibus accounts because they provide an additional layer of anonymity.
The Order Was Granted
The judge granted both service by alternative means to the Defendants (none of whom are incorporated in the UK) and an order to provide prescribed information in connection with the whereabouts of the hacked coins, after a thoughtful analysis of the applicable Civil Procedure Rules and judicial precedents.
The Importance of AML/KYC Procedures For Cryptoexchanges to Law Enforcement
This decision demonstrates the importance of crypto exchanges' implementation of KYC and AML procedures; the holding of many coins in omnibus accounts under the sole name of an exchange will defeat law enforcement unless the exchange is obliged to share its customer details in suitable cases. This is the policy behind the first step that the UK took to regulate the crypto world in January 2020, namely to add the categories of 'custodian wallet providers' and 'cryptoasset exchange providers' carrying on business in the UK to the list of 'relevant persons' who must implement the AML checks required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the 'MLRs'). The FCA has registered only 35 crypto companies as fit and proper under this regime. It remains to be discovered how much information will have been collected about their customers by the Defendant exchanges under their local law AML and KYC procedures.
The Jurisdictional Question
The judge analysed the court's jurisdiction in depth, concluding that the fact that the Claimant was incorporated in England & Wales meant that the laws of England and Wales at least arguably governed the case, especially in view of the Claimant's position that it owned the coins before they were hacked. The judge did not inquire into the residence of the customers of LMN who suffered loss. These were good facts on which to base a ruling on jurisdiction.
Will Jurisdiction Be Granted in Allied Cases?
The precedential value of this decision in other fact patterns is unclear. For example, many foreign-incorporated exchanges serve English customers, while taking the view that they do not carry on business in the UK (and so do not need to implement UK AML rules under the MLRs). If an English customer of such an exchange were to instruct it to stake the coins to earn a yield from them (deposit coins out of their hosted wallet with a non-UK crypto lending platform), and the lending platform failed to return the coins, would this English customer be able to rely this decision in support of the High Court's jurisdiction over their claim, if the exchange declined to pursue the case? Equally, could the foreign exchange bring the claim if they aren't party to the agreement between the customer and lending platform?
The Direction of Travel Suggests 'Yes'
Although the answer in these hypothetical cases is unclear, we note that the direction of travel in English courts over the past few years is to support victims of crypto fraud in recovering losses, taking strength from favourable developments in the Civil Procedure Rules and other legislation (e.g. the expansion of the gateways for service outside of the jurisdiction in CPR Practice Direction 6B). In general, the English courts are creating a number of tools for victims to approach what are often complex and cross-border disputes (e.g. the service of court documents by NFT in Fabrizio D’Aloia v. (1) Persons Unknown (2) Binance Holdings Limited & Others [2022] EWHC 1723 (Ch)). Thus it would not be surprising to us if an English court were to strive to assert jurisdiction over such a hypothetical claim and in allied situations.
Until global regulation catches up with the crypto world, victims of digital asset fraud with a connection with England & Wales are likely to continue to look to the civil courts for recourse, so long as those courts continue to adopt a pragmatic and future-focused approach.
Written by Thomas Dick, Maria Hill, James Piper, Harry Williams and Jonathan Bywater of VWV Blockbusters - VWV's Crypto-Asset Special Interest Group.