Background

The plaintiff, CMOC Sales & Marketing Ltd, was the victim of a cyber fraud conducted by an unknown cyber attacker. The perpetrators hacked into the plaintiff's email account and purported to be an authorised signatory of the plaintiff, who then instructed the Bank of China in London to pay US$6.91m and €1.27m across 20 different transactions. Upon discovery of the fraud, the plaintiff instituted proceedings, yet struggled to identify the perpetrators and recipients of the funds. As a consequence, the Court granted a "world-wide freezing order against "persons unknown", the perpetrators of the initial fraud. Additionally, the plaintiff obtained disclosure orders against the banks and accounts into which the stolen funds had been paid, thereby identifying further defendants to the action.

The defendants did not attend the trial, prompting the trial judge to make a preliminary observation in respect of the continuing obligation of fair procedure in those circumstances and he commended the plaintiff for following fair procedure requirements, recognising that, as stated in Braspertro Oil Services v FPSO that that included drawing to the attention of the court "… points, factual or legal, that might be to the benefit of [the defendant]"

Judgment

Persons Unknown in the new cyber era

The Court held that there is a "clearly established" jurisdiction for the granting of injunctive relief against parties unknown, highlighting three lines of jurisprudence which permitted the extension of jurisdiction to grant a freezing order against unknown people:

  • "persons unknown" must be identifiable as either included within the party or not (Bloomsbury Publishing Group Limited and JK Rowling v News Group Newspapers Ltd and Others [2003] 1 W.L.R 1633 ("Bloomsbury"))
  • Information can be obtained from banks leading to the identification of account holders (Norwich Pharmacal Co v Customs and Excise Commissioners [1974] A.C. 133)
  • Injunctions have been previously granted against persons unknown in the context of an IT security breach. (PML v Person(s) Unknown (responsible for demanding money from the Claimant on 27 February 2018) [2018] EWHC 838 and Clarkson Plc v Person or Persons Unknown [2018] EWHC 417 (QB))

The Court held that whilst granting a freezing order against persons unknown would be extending the principle enunciated in Bloomsbury, such was permissible given the use of Mareva injunctions as a "springboard" for further relief.

In addition there was no principled reason why knowledge of the precise identity of the victim should be required to establish liability for unlawful means conspiracy, particularly in the age of cyber fraud and given the ease with which persons may conspire together to steal a victim's funds, without needing to engage with the victim in the same way as "traditional" fraud requires.

Service via Whatsapp

In this case the Court sanctioned the service of proceedings through Facebook Messenger (as opposed to a public Facebook platform), Whatsapp Messenger and via access to a data room. Whilst heralding such as innovative, the Court noted that such should only be used where considered appropriate on an individual case by case basis.

Irish Implications?

Service via social media

The Irish Courts have been prepared for some time to accept innovative means of substituted service and service has been affected through private messages on Facebook and LinkedIn.1 The judgment in CMOC notes the benefits of service through Whatsapp Messenger as including knowledge that recipient has read the content. The Irish High Court has noted previously, that in service by Facebook message, proof of service was evidenced by a printed copy of the message sent and a copy of the summary summons. CMOC will serve to further strengthen this novel line of case law which highlights the courts' flexibility in assisting parties with the service of legal proceedings.

Mareva Injunctions against persons unknown

Another issue raised in light of the judgment delivered in CMOC is the granting of a freezing order or Mareva injunction against persons unknown. This seems to clash with the character of Mareva injunctions as a relief granted against a specific person. However, applying the reasoning of HHJ Waksman QC and that of the Court in Bloomsbury, it is clear the parties must be identifiable. For example in this instance it was possible to trace the fraudulently appropriated funds into specific bank accounts.

Whilst there has been no recent Irish jurisprudence on the availability of a Mareva injunction against persons unknown, it is interesting to see the English High Court approve such action. Given the frequency of cyber-attacks and cyber-fraud, a decision permitting the granting of a Mareva injunction against persons unknown would undoubtedly enhance the legal remedies available to victims of such a crime.