The dangers of suing crypto exchanges after ransomware attacks

In October 2019, unknown hackers infiltrated a Canadian insurance company by installing BitPaymer malware, which encrypted the company’s data and IT systems. The hackers asked for a ransom of $1.2 million in Bitcoin (BTC) in exchange for the decryption software the company needed to regain access to its systems.

The company’s UK-based insurer – known only as AA – arranged for the BTC ransom to be paid and the company’s systems were back up and running in a matter of days. Meanwhile, AA began looking for legal avenues to recover the BTC paid to the hackers. It hired the blockchain investigation firm Chainalysis, whose investigations revealed that 96 of the 109.25 BTC paid had been transferred to a wallet connected to the Bitfinex exchange.

So far, this story is (unfortunately) anything but unusual. Bitcoin makes up the vast majority of ransomware payments because of its anonymity, accessibility (which makes it easier for victims to pay the ransom), and transaction verifiability (which allows criminals to confirm that payment has been made). What is unusual about this story, however, is that it sparked a 14-month legal battle between AA and Bitfinex that was only recently closed after AA dropped its lawsuit against Bitfinex in the UK High Court.

With the stolen BTC traced to Bitfinex’s platform – and the identity of the hackers still unknown – AA began litigation against Bitfinex in December 2019. Again, this is not uncommon: British courts have a wide range of legal remedies to help victims of fraud try to get their property back. In cases where banks, exchanges, or other intermediaries have unknowingly received or hold improperly obtained or stolen assets, victims of fraud can rely on:

  • Norwich Pharmacal orders, which require a third party to disclose certain information to the applicant that will be helpful in the recovery effort. In this context, the information would be the identity of the holder of the wallet the BTC was traced to and/or details of any other transactions the BTC has been involved in since it was received by the wallet connected to the exchange.
  • Freezing orders, which prevent defendant fraudsters from dealing with their assets until further notice. An exchange notified of a freezing order in relation to a customer must take steps to freeze the account to prevent the customer from withdrawing assets.
  • Property orders, which may be obtained where it can be established that a third party holds property belonging to the defrauded party, and which prevent the third party from dealing with that particular property. Linked orders are often sought to require the subject of such an order to disclose information of the type set out above for Norwich Pharmacal orders.

Cryptocurrency as property in the UK

The UK courts are well versed in applying the above remedies to bank accounts and fiat currencies. More recently, the courts have grappled with the application of these principles to cryptocurrency. However, it is clear that the courts are willing to be flexible in applying legal principles to ensure that these remedies are available to victims attempting to recover stolen crypto-assets.

In the AA case, Judge Simon Bryan ruled for the first time that Bitcoin can be classified as property under UK law, which means that the court can issue an order of ownership in relation to that property. This seems obvious, but traditionally the law has viewed property as something that can either be physically owned or enforced through a right of action. Cryptocurrency obviously does not meet either requirement, but the courts have taken a pragmatic approach to ensure that novel intangible assets such as cryptocurrency are considered property.

This flexible approach meant that AA could seek injunctive relief. Bitfinex duly froze the account and provided AA with information about the identity of the customer who owned the wallet with the stolen BTC.

However, it turned out that the BTC had been transferred onward before Bitfinex was contacted by AA’s attorneys and could not be returned. AA entered into a confidential agreement with Bitfinex’s client (also a defendant in AA’s claim) and then targeted Bitfinex for additional compensation. The insurer made a number of legal claims against Bitfinex, including claims that the exchange received the BTC (or its traceable proceeds) when it was owned by AA. For this reason, AA argued that a legal trust should be imposed that would hold Bitfinex accountable to AA for the BTC. It was also argued that Bitfinex was reckless as to whether the BTC was legitimately transferred to the relevant wallet.

These are hard arguments to prove, and after Bitfinex served its detailed legal defense and response to AA’s claims, AA eventually decided to abandon its claims against Bitfinex. That was not the end of the story, however. If an applicant gives up their case, they usually have to bear all of the defendant’s costs. However, AA argued that its cost liability should be reduced by 50% due to Bitfinex’s alleged “unreasonable” behavior. The parties contested this at a hearing in the High Court in January, and the court ultimately determined that there was no inappropriate conduct that would warrant a reduction. AA was therefore ordered to pay 100% of Bitfinex’s legal costs, including the cost of its own unsuccessful request to reduce those costs.


It is understandable that victims of fraud – who may not be able to successfully trace the actual scammer – may be tempted to pursue a deep-pocketed cryptocurrency exchange, perhaps in the simple hope that they can reach a modest settlement and avoid the time and cost of complex legal proceedings.

Cyber insurers like AA may calculate that the cost-benefit of taking these steps is justified. However, exchanges like Bitfinex will continue to defend such claims robustly, especially when the legal grounds of the claims are extremely difficult and the claims ultimately represent an attempt to draw an innocent exchange into the aftermath of a cybercrime it was neither aware of nor involved in.

This article was co-authored by Stephen Elam and Shelley Drenth.

The views, thoughts, and opinions expressed are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

This article is for general informational purposes and is not intended as, and should not be construed as, legal advice.

Stephen Elam is a partner and Shelley Drenth is an associate at Cooke, Young & Keidan LLP, a disputes law firm that regularly advises on litigation and regulatory issues related to cryptocurrency.