“Cryptofraud”: can the courts keep up?
On Wednesday 28 November 2018, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that it had taken action against two Iranian individuals for their roles in a major cyberattack using ransomware known as “SamSam” that targeted over 200 known victims.
The Treasury Department said it had sanctioned the two individuals for exchanging digital ransom payments (Bitcoin) into local Iranian currency. When adding Ali Khorashadizadeh and Mohammad Ghorbaniyan to its sanctions list, OFAC included the digital currency addresses associated with specific individuals for the first time in its history.
Whilst it is unclear how OFAC was able to associate Khorashadizadeh and Ghorbaniyan with the digital currency addresses, it raises the question of how civil courts are going to deal with digital currencies in cases of fraud.
Current remedies for “cryptofraud”: civil vs criminal
Over many years, English courts have developed a range of highly effective tools which can be deployed by the victims of fraud to identify, freeze and recover misappropriated assets. Arguably, civil remedies, rather than criminal, have two main advantages: speed (orders can be obtained very quickly, within a matter of hours if necessary) and control (the victim can decide what court orders to apply for, and where to focus time and resources).
For example, a worldwide freezing order can prohibit the alleged fraudster from disposing of any of their assets pending the outcome of the claim, or require a defendant to allow their home or business premises to be searched by the claimant for evidence. These orders can be obtained without notice to the fraudster and assets frozen even before they are notified of the order.
The court also has a huge range of powers to order defendants or third parties to disclose information and documents, for example about property owned by the defendant. Orders can also be made for information about payments, to enable the victim to trace the misappropriated money.
These powers are backed by severe sanctions in the event of non-compliance – anyone breaching a court order of this nature (or assisting a person to do so) may be imprisoned for up to two years.
Crucially, the effective implementation of these orders relies on individuals within the jurisdiction of the court who can be subject to sanction if they fail to comply. This is particularly true where the defendants may be abroad and can avoid the consequences of breaching an order by not returning to the jurisdiction. The system therefore relies on third parties (mainly banks) who are generally regulated and can be relied on to comply with an order and to tell the truth.
Applying current remedies to “cryptofraud”
Here is where the main challenge lies when cryptocurrencies are involved in a fraud. What if a fraudster uses the stolen money to buy cryptocurrency and then makes a series of transfers to their associates? In traditional fiat currency cases the answer would be simple: the victim could obtain a series of orders requiring each bank in turn to identify accounts to which the stolen money was transferred and the identity of each account holder.
But, in the corresponding cryptocurrency example, there is no middleman equivalent of the bank. Victims of fraud will therefore have to think creatively about using the court’s powers when cryptocurrencies are involved.
Creative ways to tackle “cryptofraud”
There are two main ways in which the courts will be able to adapt their existing powers to the new (in legal thinking) world of cryptocurrencies.
First, disclosure orders. Where the defendant is within the jurisdiction and susceptible to the court’s jurisdiction, an order for immediate disclosure of details of cryptocurrencies owned and associated passwords – backed by an immediate custodial sentence if not provided – might be effective. In an appropriate case, the court may also make an order permitting independent lawyers to change passwords to relevant accounts, effectively “locking-out” the fraudster from the account pending the outcome of the case.
If the defendant is not within the jurisdiction, but is believed to have used particular cryptocurrency exchanges or wallet holder providers, disclosure orders can be sought against them, in this case almost acting as the equivalent of banks who hold standard “know your client” documents for all of their accounts. Of course, until such providers are regulated, the information about their customers which they may be able to provide is going to be variable, but even basic information such as address and bank details may be helpful.
Secondly, in extreme cases where there is a real risk of relevant documents or evidence being destroyed, the court will make a search order. This requires the defendant, or even an innocent third party, to allow the claimant to search their premises under the supervision of an independent solicitor. Historically, search orders were used to secure physical, hard-copy, documents. In more recent years, the main focus has shifted to electronic documents and the courts have had to develop new practices to account for this, such as permitting IT specialists to image hard drives and requiring defendants to reveal passwords on the spot.
Where it is suspected that a fraudster owns cryptocurrency – and particularly where it is part of an attempt to hide assets by using associates to hold assets on their behalf – it may well be possible to ask the court to grant a search order with the express aim of identifying whether the defendant or their associates own cryptocurrencies. From a practical perspective, this would involve searching for communications (text messages, WhatsApp, etc.) which might reveal the existence or use of cryptocurrencies, if not the private keys themselves. Immediate follow-up orders could then be obtained to try to prevent the dissipation of any identified assets.
As cryptocurrencies increasingly feature in fraud cases, the courts will inevitably adapt their existing procedures and practices to accommodate the needs of victims. Faced with the twin problems of no regulation (yet) and the pace of technological change, judges must be particularly inventive in their approach to tackling “cryptofraud”.
By Jason Woodland, partner, Peters & Peters Solicitors