AA v Persons Unknown
Written by Jim Patterson and Amanda McLachlan
The frequency of ransomware attacks has increased in 2020, including in the wake of the COVID-19 pandemic. Further, ransomware attacks have become more sophisticated as their perpetrators seek to leverage new and emerging technologies. Such efforts include the selection of novel forms of ransom, with digital assets and cryptocurrencies becoming the new ransom of choice for many hackers and extortionists.
Notwithstanding the pervasiveness of requests for cryptocurrency in ransomware attacks, few courts have considered the nuances of digital asset recovery. In this regard, the English High Court's recent decision in AA v Persons Unknown,  EWHC 3556 (Comm), provides an opportunity to consider the Canadian law implications for the use of civil proceedings to prevent the dissipation of digital assets and facilitate their ultimate recovery.
AA v Persons Unknown
In AA v Persons Unknown, a Canadian insurance company (the "Insured Customer") was the subject of a ransomware attack that successfully bypassed the Insured Customer's firewall and anti-virus software to encrypt its computer systems. Shortly after encrypting the Insured Customer's computer systems, the hackers demanded that a ransom be paid. The Insured Customer in this case had purchased coverage with a UK-based insurance company (the "Insurer") against cybercrime attacks and advised the Insurer of the incident. The Insurer contacted an Incident Response Company to negotiate the payment of the ransom and the receipt of the relevant decryption software. Ultimately, the Insurer agreed to pay US$950,000 in Bitcoin (109.25 Bitcoins) to the hackers in exchange for the software required to decrypt Insured Customer's 20 servers and approximately 1,000 desktop computers.
After paying the requested ransom, the Insurer retained the services of an industry consultant to facilitate a tracing of the Bitcoin transferred to the hackers. This investigation revealed that a substantial number of the Bitcoins transferred to the hackers had been sent to an address linked to a digital asset and cryptocurrency exchange. In an effort to recover the digital assets, the Insurer sought a proprietary and/or a freezing injunction in respect of the Bitcoin held in accounts with the cryptocurrency exchange.
In determining that the proprietary injunction sought by the Insurer should be granted, the English High Court considered whether:
- the Bitcoin at issue constituted property;
- there was a serious issue to be tried;
- the balance of convenience favoured the granting of the injunction; and
- damages could serve as an adequate remedy if the injunction were not granted.
Following a developing line of authority, the Court found that cryptocurrencies such as Bitcoin are a form of property capable of being the subject of a proprietary injunction. The Court went on to consider the remaining elements to determine that the test was met, concluding that there was a serious issue to be tried and, in light of the risk of dissipation of the remaining Bitcoin, the balance of convenience favoured granting the relief sought, as damages would not be an adequate remedy.
While the anonymity of Bitcoin may create further hurdles in the pursuit of recovery, the decision in AA v Unknown Persons demonstrates that in appropriate circumstances, the Court will apply existing legal principles to permit the tracing of payments made in Bitcoin, just as it would do in dealing with attempts to recover other forms of property or currency.
Application to Asset Recovery in Canada
Canadian courts have not yet considered the issues raised in AA v Unknown Persons in any reported decisions. Accordingly, AA v Unknown Persons may be instructive to Canadian litigants seeking to trace and recover cryptocurrency transferred to hackers or extortionists. Specifically, AA v Unknown Persons demonstrates the impact that timely efforts to trace cryptocurrencies can have on the preservation and recovery of assets, and the importance of engaging experienced legal and expert advisors. The decision also illustrates that courts are cognizant of the ease and anonymity with which cryptocurrency can be transferred and dissipated. This is a factor that may be important for parties seeking to persuade Canadian courts to grant a proprietary or Mareva injunction (i.e., a “freezing order”) or an interim order for preservation of property pursuant to Rule 45.01 of the Ontario Rules of Civil Procedure in circumstances similar to those in AA v Unknown Persons. Among other things, a party seeking a Mareva injunction must establish a strong prima facie case of fraud and a real risk of dissipation (Chitel v Rothbart,  O.J. No. 3540 (CA)). As AA v Unknown Persons makes clear, the latter factor should be readily apparent when dealing with ransom paid in cryptocurrency or other digital assets.
AA v Unknown Persons, viewed narrowly, is a significant English decision insofar as it affirms that cryptocurrencies are in fact property to which the legal principles governing tracing can be applied. Moreover, it is a testament to the speed at which digital assets can be transferred and dissipated to preclude recovery, and the need to act quickly and at times creatively to pursue recovery of the ransom payment, even if made in cryptocurrency. The unique public nature of Bitcoin transactions (recorded in the public blockchain, even if the transacting parties are anonymous) makes the involvement of advisors with specialized expertise at an early stage even more important.
Viewed broadly however, AA v Unknown Persons offers a number of practical lessons for the pragmatic protection of IT assets, and the pursuit and recovery of cryptocurrency. The decision highlights the importance of developing an action and training plan to prevent such attacks at the outset and for investigating and responding to instances of potential ransomware attacks when they arise.
The authors thank Joshua Foster for his assistance in the preparation of this article.