Locating stolen cryptocurrency: how disclosure orders can help

In the latest word on cryptocurrency disputes, the English High Court in LMN v Bitflyer Holdings Inc and others granted a disclosure order against six cryptocurrency exchanges for know your client (“KYC”) and location information relating to cryptocurrency that had been siphoned away by hackers.  Again the court has shown it is willing to adapt the law to address the challenges of cryptocurrency and the exchange model, in order to protect the interests of victims of cryptocurrency fraud.

The brief facts

The Claimant is a cryptocurrency exchange incorporated in England.  The Claimant’s modus operandi is similar to the other exchanges from whom it was seeking disclosure: as an exchange, it holds customers’ cryptocurrency in its own wallets, but similar to a conventional bank, it owes a personal obligation to pay each customer an amount equivalent to their deposited cryptocurrency.  Some of the cryptocurrency held by the Claimant was stored on ‘Hot Wallets’, i.e., digital asset wallets connected to the internet.

Two years ago, hackers obtained access to the Claimant’s systems and transferred millions of dollars’ worth of cryptocurrency away from the exchange.  While the Cyber Crime Unit of the Metropolitan Police assisted the Claimant for three months, eventually they suggested that the Claimant consider civil proceedings.  That is how the current disclosure order application came to be.

On-chain but obscure

In the course of the proceedings, the Claimant instructed an expert to trace the transferred cryptocurrency.  Using details of the transactions executed during the hack and tracing tools, the expert was able to track the cryptocurrency on the blockchain.

A number of these chains of transactions ended with Bitcoin or Bitcoin cash been transferred to what the expert identified as ‘exchange addresses’, which are addresses owned and operated by an exchange.  At this point her ability to trace the assets stopped as exchanges often use the same digital wallet for multiple customers.  Transactions between customers on an exchange are often carried out “off chain” as ledger entries in the exchange’s ledger rather than being carried out on the blockchain.  Without the ledger, it is impossible to know who owns the relevant cryptocurrency currently.

In the application, the Claimant argued that it is impossible to trace the cryptocurrency any further without information from the exchanges about the individuals behind the transactions.  The Claimant sought any KYC and anti-money laundering (“AML”) information collected on the individuals from the exchanges.

Given the complicated and sometimes unknown holding structures of cryptocurrency exchanges, the Claimant pursued the various exchanges’ “topco” and then a person unknown representing the actual exchange entity holding the relevant wallet.

A modern approach to jurisdiction

The English court took a pragmatic approach to determining whether it had jurisdiction to make the disclosure orders sought.  Typically, the court would refrain from making such orders if the information sought is located in another country, or if it is asked to make orders against foreign defendants.

Here, the Court emphasised that it faces novel challenges of fraud in relation to cryptocurrency transactions.

When considering the location of the relevant information, the Court stated:

“Here, it is not known where the relevant documents are located. While there is clearly a possibility that the documents are in another or other jurisdictions, they may be in this one. Furthermore, it may well be that the location of the documents (which may be electronic) is of little significance.”[1]

The Court went on to say that the stringent approach previously adopted in 1985 for disclosure orders in relation to banks may no longer be apt.

The Court considered that requiring an alleged victim of fraud to “make speculative applications in different jurisdictions to seek to locate the relevant exchange company and then to seek disclosure” would be impractical and contrary to the interests of justice.  It would increase costs and delay and reduce the chances of the Claimant locating the proceeds.

In granting permission to serve out of jurisdiction, the court did not consider that the assets had to be in England at the time permission to serve out was sought.  Further, it found that England is the proper place to bring the claim because (i) the Claimant is an English company, (ii) there are good grounds to consider the situs of the cryptocurrency to be England, (iii) relevant documents are in England and (iv) the law of England and Wales arguably governs the proprietary claim.

Broad Scope of Court’s order

The court’s order required that the Defendants provide information in respect of any customer account which received the defrauded cryptocurrency in question, including the name, KYC information and documents and any other information that helps identify the account holder (email addresses, residential addresses, phone numbers, account details, etc).

The court also ordered the Defendants to provide, to the best of their ability: (i) an explanation of what has become of the relevant cryptocurrency, (ii) the balance in the customer account before it received the cryptocurrency and at the time of the Defendant’s response, and (iii) where transfers have been made from that customer account to another, the name and address of the other recipient accountholder.

All the Defendants (except one who did not express any views), indicated that they would comply with an order if made, and assist despite the Claimant’s hurdles in identifying the precise company of the exchange which was responsible.

Private hearing and confidential order, but public judgment

The court made confidentiality orders, directing the Defendants not to inform persons (other than its subsidiaries) of the proceedings, and allowed the first hearing to be held privately to avoid defeating the object of the proceedings by tipping off the fraudsters.

However, for the second hearing (at which the substantive disclosure order was determined), although it was held in private, an anonymised and redacted judgment was made public by the court given the  importance of the judgment in the area of cryptocurrency fraud.

Service by contact form

There must be ‘good reason’ for the court to grant permission to serve by alternative means.  Although it did not consider this case to be one of ‘hot pursuit’, given the considerable time between the fraud and the applications, this did not mean that expedition was no longer important.  As the court noted, “steps should be taken before the scent goes colder”. Accordingly, it made orders for service by alternative means by email and, in one case, by posting a link to the documents on an online contact form on the Defendant’s website.

Key takeaways

This judgment provides yet another example of how quickly the jurisprudence is evolving in the space of cryptocurrency disputes.

Key points that cryptocurrency exchanges, investors, and victims of crypto fraud should be aware of:

• The court’s modern approach to jurisdiction which allows the court to take a pragmatic approach to determining if it is the right forum in which to bring proceedings. The court will not be restrained by technical arguments regarding the location of electronic documents.
• The scope of disclosure can be very broad. Exchanges must be prepared to retrieve such information and provide it within limited time.