Cryptocurrencies are an increasingly popular investment option for both professional and retail investors. However, trading in them remains risky as criminal authorities and regulators play catch-up with fraudsters who try to exploit this new infrastructure. In late 2020, the English Financial Conduct Authority (the financial regulator) judged cryptoassets to be so risky that it banned the sale of derivatives and exchange-traded notes referencing certain types of cryptoassets (including most cryptocurrencies) to retail investors, identifying "market abuse and financial crime in the secondary market" of these products1. The civil courts have also had to adapt the way in which they apply the law to this new form of asset. Following a series of recent decisions regarding the legal status of cryptocurrency, we examine the current position and what you can and should do when litigating over cryptocurrencies and cryptoassets.
What is cryptocurrency?
Cryptocurrencies are a form of cryptoasset – tradeable digital assets that represent a certain value. Ownership in cryptocurrencies and other cryptoassets (such as non-fungible tokens, which are unique units of digital data) is recorded through a – usually decentralised – ledger taking, for instance, the form of a blockchain. This ledger is not controlled by a state's central authority or bank; instead, the consensus of users determines which version of the distributed ledger is definitive. The lack of a central authority means that cryptocurrencies are highly volatile. In addition, it means that transactions are not vetted by any entity that could intervene in case of suspected fraud. In practice, cryptocurrencies are commonly represented by a set of two "keys" (usually a string of alphanumeric characters): (a) a public key, which records ownership, value and the transaction history of a given asset in encoded form; and (b) a private key, which is needed in order to deal with the relevant asset (e.g. to transfer it).
Given that cryptocurrency transfers are recorded on a public ledger, coins should – at least in theory – be traceable. Like normal investors, fraudsters are likely, at some point, to want to transfer their cryptocurrency to an exchange, i.e. a service where users can convert their coins into traditional (often called "fiat") currency. In many countries, exchanges are subject to stringent anti-money laundering requirements, and in those countries once cryptocoins enter an exchange, it should be possible to identify links to actual names and addresses.
Is cryptocurrency property?
When cryptocurrency fraud was first litigated before the English civil courts, legal discussions focussed on whether cryptocurrency could be defined as "property". This may seem like an academic legal debate, but it is vitally important as it affects what kind of injunctions (and in particular freezing orders) can be obtained in England.
In November 2019, a UK Jurisdiction Taskforce headed by Sir Geoffrey Vos examined this question.2 The taskforce considered the relevant authorities in English law and concluded that cryptocurrency was indeed "property". Although the legal statement is (contrary to what its name suggests) not a statement of the law, the English Courts have been ready to agree with it and accept that cryptocurrency is "property" in a legal sense.3
What are the fraud risks associated with cryptocurrency?
The purpose of the cryptocurrency ledger is to ensure the integrity of the currency, so that once a transfer is recorded on the ledger, the underlying coins can no longer be traded by the transferor (and can only be traded by the transferee, i.e. the recipient of the coins). However, the ledger is not concerned with the legality of an underlying transaction, and there is no intermediary whose job it is to protect a consumer against a (potentially much more sophisticated) fraudster. Consequently, transfers of cryptocurrencies have far fewer protections and checks than, for example, a bank transfer of traditional currency.
Fraudsters may seek to target owners of cryptocurrency in various ways, including:
- Hacking wallets (or entire exchanges) and stealing private keys;
- Sending out fake "spear-phishing" emails which appear to offer attractive business proposals that require an up-front transfer of coins; or
- Setting up fake cryptocurrency exchanges (or even whole fake currencies like OneCoin).
Cryptocurrencies may also be involved in more traditional forms of fraud; for instance, ransomware attacks (which are effectively a digital form of blackmail) usually require payment in cryptocurrency (often using privacy coins that make it harder to identify their transferees).
What remedies are available to victims of cryptocurrency fraud?
Although the popularity of cryptocurrencies is a relatively recent development, the English High Court has already handed down several decisions that clarify the potential remedies available to victims of theft and fraud.
Freezing and recovering assets
In a number of recent cases, the English courts have found ways to allow victims of cryptocurrency theft and fraud to freeze or recover their stolen assets, including in cases where the identity of the Defendant was unknown. For example:
- In Elena Vorotyntseva v Money-4 Limited t/a Nebeus.com and Others,4 the Claimant, a successful cryptocurrency investor, had transferred about £1.5 million worth of Bitcoin and Ether to a relatively new trading platform run by the Defendant. When the Defendant suddenly froze her funds and refused to give her any information about its reasons for doing so (or even to confirm whether it still held the funds), the Claimant brought a claim against the Defendant company and two of its directors. The Court granted an order freezing the relevant quantities of cryptocurrency.
- In Robertson v Persons Unknown,5 the Claimant had been targeted by a spear-phishing attack, in which the fraudsters pretended to represent a start-up in which the Claimant had previously invested. He transferred 100 Bitcoin to the fraudsters, 80 of which were subsequently transferred to a wallet hosted by Coinbase UK. The Court granted a protective order prohibiting any dealings with these coins.
- In AA v Persons Unknown,6 the Claimants were the providers of cybercrime insurance, who had made a substantial transfer of Bitcoin as a result of a ransomware attack against one of the Claimant's customers to a wallet hosted by Bitfinex. The Court granted an asset preservation order over the Bitcoin.
Third party disclosure orders
The English courts have also allowed victims of cryptocurrency theft or fraud to obtain disclosure of confidential information from third parties – notably cryptocurrency exchanges – in order to support their claims (under so-called Bankers Trust orders). For instance, in both Robertson and AA, the Court ordered the exchanges hosting the wallets that contained the stolen cryptocurrency to provide identifying information about the owners of the wallets. Obtaining this kind of information allows a claimant to pursue a fraudster personally, rather than just targeting the stolen assets, which is a useful additional tool in case the relevant cryptocurrency is moved or converted into fiat currency.
Cryptocurrency – the future
Although cryptocurrencies are a relatively new development – and their popularity with retail investors is even more recent – there is a growing body of English law providing remedies to Claimants in cases of cryptocurrency fraud and theft, and Courts have demonstrated readiness to grant both asset preservation orders and other orders and injunctions, such as orders for third party disclosure. This is to be welcomed. However, in many of these cases, the key question is whether the victim can actually trace their assets. A victim will need to take action and instruct investigators and lawyers as soon as the fraud becomes evident, before the fraudster converts assets multiple times or moves them outside the reach of the English Court, at which point they may well become impossible to trace.
On a more general level, recent examples of cryptocurrency fraud continue to follow similar patterns to "conventional" fraud involving cash or bank transfers: attackers impersonate third parties to obtain confidential information or prompt their victim to send them cryptocurrency, make "too-good-to-be-true" business proposals, or exploit weaknesses of a victim's cybersecurity infrastructure. Businesses dealing in cryptocurrency will therefore need to develop a comprehensive fraud prevention strategy and a fast-response plan in the same way as they would for conventional forms of investment