Dealing With Fraud In The World Of Crypto – Your War Plan For Asset Recovery

According to a report by blockchain data firm Chainalysis, cryptocurrency-based crime hit a new all-time high in 2021, with illicit addresses receiving $14 billion over the course of the year, up from $7.8 billion in 2020. 2022 is set to likely surpass these figures. The faceless nature of projects and wallets, the inability to verify project representations, the opaqueness behind valuations and the fragmented nature of cryptocurrencies and how they are held, lends itself to opportunities to dissipate, divert and defraud investors of money. The law has a suite of tools designed for asset recovery – freezing orders, disclosure orders, constructive trusts but the crypto world offers a novel challenge – of assets moving in the cyber world in turn raising the question of where to take the fight to and against whom?

The War Plan

Assets can be stolen in a variety of ways, from hacks, to rugpulls and spoofing attacks (see: Appendix). A victim’s recourse may lie against: (1) the owners or operators of a blockchain project (for e.g.: in instances such as a hacked project or rugpull scam); (2) the hackers and/or fraudsters themselves; and/or (3) the cryptocurrency exchange involved in the illicit transaction:

 

The main objective of any war plan is to get restitution, i.e., recover the assets. An important premise, therefore, is that assets on the blockchain (i.e. cryptocurrencies and/or NFTs) must be recognised as property in the jurisdiction in which an action for recovery is commenced, such that the victim becomes entitled to assert a proprietary claim for the stolen assets and pursue certain remedies for recovery at law. A growing consensus is developing in common law jurisdictions such as Hong Kong, Singapore, New Zealand and the UK in recent years that recognises cryptocurrencies as property – and this trend is only likely to continue as more users adopt, hold and deal in digital assets stored on the blockchain. Other jurisdictions such as China may not recognise cryptocurrency as property, thereby curtailing the tools available for recovery. Careful consideration needs to be given to where to take the fight to.

The Battlefield

Perhaps the biggest conundrum in pursuing an action against hackers or fraudsters and related parties in the transaction, such as exchanges, is where (i.e. in which Court or jurisdiction) to commence an action. Relevant factors would include the domicile of the victim, the jurisdiction with the closest connection to where the crime took pace, where the fraudsters and exchanges are located and where the stolen assets are themselves located.

In the case of cryptocurrencies, which are stored on an online decentralised blockchain, the English High Court in Ion Science Ltd v Persons Unknown (unreported) (“Ion Science Ltd”) observed that a crypto asset is situated in the place where the person or company who owns it is domiciled, which justified the English Court’s jurisdiction in that case.

In the Singapore High Court decision of CLM v CLN [2022] SGHC 46 (“CLM v CLN”), the Court took jurisdiction over a dispute involving, among others, a victim who was a US national and exchanges in the Cayman Islands and Seychelles on the basis that the exchanges had business operations in Singapore and had complied with disclosure orders, and other parties had subsidiaries in Singapore and were likely to comply with future disclosure orders. This is despite the fact that Singapore had nothing to do with where the crime or hack took place, or even where the cryptocurrencies are ‘located’ (which would be USA by adopting the decision in Ion Science Ltd) and where the hackers may be physically located. Conflicting guidance from different courts isn’t ideal but goes to demonstrate the difficulty of applying typical jurisdictional metrics to the multi-jurisdictional and borderless world of cryptocurrencies.

The Intelligence

It is a critical to uncover whether the fraudster has diverted assets to a cryptocurrency exchange, to ultimately cash out the stolen cryptocurrency as fiat currency. Even though transactions on the blockchain are cross-border, anonymous and irreversible, every transaction is recorded transparently on the blockchain. It is therefore possible to trace and map out how a victims’ digital assets have been transferred on the blockchain. Tracing is not only a technical exercise, but also a legal one, with the victim first having to establish a proprietary claim over the stolen assets for example, to justify the imposition of a constructive trust over the stolen assets. Time is of the essence, and the sooner a victim takes steps to investigate, map out the flow of cryptocurrencies and obtain interim relief, the greater the victim’s chances of successfully recovering the stolen assets.

The Pincer Attack

Once the assets have been traced to an exchange (or other third parties involved in the illicit transaction), the next stage involves applications for disclosure orders such as the Norwich Pharmacal and/or Bankers Trust orders to obtain disclosure critical to the victim’s exercise to trace the flow of the stolen assets such as the names of individuals connected to the stolen assets by leveraging on AML and KYC information held by exchanges.  

The Nuclear Bomb

Disclosure orders help to identify the movement of stolen assets and identify where possible, the preparators behind them – this lays the groundwork for one of law’s most lethal weapons – the freezing injunction. Often likened to a nuclear weapon, the freezing injunction, while a personal remedy against the preparator, effectively prevents assets from moving, whether in the hands of the fraudster or third parties holding assets on behalf of the fraudster. The need to freeze even before identifying the preparator has created a new genre of freezing injunctions against ‘persons unknown’ at an interim stage. In CLM v CLN the Court observed that ‘persons unknown’ must be described with sufficient certainty to identify both those who are included, and those who are not, with the Court accepting the definition of “any person or entity who carried out, participated in, or assisted in the theft of the Stolen Cryptocurrency Assets, save for entities involved in the provision of cryptocurrency hosting or trading facilities in the ordinary course of business.”

Armed with the nuclear weapon, a victim would need to serve the injunction on parties that may be connected to the stolen assets. In theory, this would apply to exchanges as well who may at one point become a “persons unknown” if the stolen assets eventually resurface onto third party exchanges that were initially unconnected to the hack, but subsequently have the stolen assets traded on their platform.

Service of court papers on a person that has yet to be identified can itself be conceptually tricky. Courts have begun adopting innovative solutions to the issue of service on unidentified persons holding wallets on the blockchain, with the English High Court in D’Aloia v (1) Persons Unknown (2) Binance Holdings Limited and others [2022] EWHC 1723 (Ch) permitting service by transfer of a NFT on the blockchain to the wallet address belonging to wrongdoers.

The Main Assault

Freezing or proprietary injunctions however are only interim measures, and the victim must still obtain final relief against the wrongdoers in Court. This final relief can be in the form of a return of the stolen assets or for damages arising out of the breach. In the former category, where a person misappropriates the property of another without consent, a constructive trust arises by operation of law over the stolen assets, as it would be unconscionable for the misappropriating party (i.e. the hacker or fraudster) to assert any beneficial interest in the property or their traceable proceeds. Damages are also another form of relief but this would involve an assessment of the monetary value of the tokens which may not always be straightforward.

Collateral Targets

Apart from the hackers or fraudsters, victims may also pursue recovery against the owners of the blockchain project involved in the crime, for the platform’s breach of contract and/or negligence or failure to implement proper security measures to prevent a hack from taking place. The victim may also explore recourse against the exchange, banks and/or other third parties involved in the illicit transaction for dishonest assistance, for permitting the transfer and subsequent dissipation of the stolen cryptocurrencies. The primary hurdle to succeeding in such an action would be demonstrating that the parties had knowledge that the illicit transaction concerned assets that have been stolen or misappropriated.

Falling victim to a hack or cryptocurrency scam can be a costly and harrowing affair. Fortunately, however, Courts across the world have begun to fashion pragmatic and robust solutions to tackle the novel issues that arise in the recovery of stolen assets stored on a blockchain.

A well-considered war plan, swift action and collaborative approach with forensic investigators can make all the difference for a successful recovery exercise.

Appendix: Types of Hacks, Scams & Spoofing Attacks
 

Hacked Blockchain Projects
There has been a string of mass cryptocurrency heists with hackers exploiting security vulnerabilities in popular blockchain projects and cryptocurrency exchanges. For instance, in October 2022:

  • DeFi trading platform Mango Markets lost USD 117 million in a hack, which was apparently caused by price manipulation on the native MNGO token.
  • The BSC Token Hub, a cross chain bridge (which enables the transfer of assets from one blockchain to another) was exploited with hackers draining USD 570 million. According to Chainalysis cross-chain bridges remain a major target for hackers with three bridges breached in October 2022 and nearly $600 million stolen, accounting for 82% of losses this month and 64% of losses in 2022.

Rugpulls
A rug pull is a malicious manoeuvre in the cryptocurrency industry where a developer attracts investors to put funding into a new cryptocurrency project, but pulls out after getting the money, leaving the investors with a worthless cryptocurrency.

  • A prime example of a rugpull scam is the Squid Game rug pull. Anonymous actors launched the Squid token on 26 October 2021. The ensuing hype caused the token to gain over 23,000,000% in a week, peaking at around $2,862 before falling to a fraction of a cent in a matter of minutes. The scammers behind this project made off with about $3.4 million in funds.

Deception / Spoofing attacks
In the cryptocurrency industry scams come in various shapes and sizes – but there is often the shared common element of ‘spoofed’ emails or websites, and deception where fraudsters impersonate the owners or operators of a particular blockchain project:

  • Phishing emails: This type of scam involves an email being sent to bait recipients into clicking links and inputting their personal details, including information relating to a crypto wallet’s recovery phrase. 
  • Airdrops & giveaways: Fraudsters create fake groups on telegram, impersonating the legitimate owners or operators of blockchain projects. Once the victim’s wallet is connected to a fake or spoofed website, the fraudsters are able to drain all of the victims’ assets from the wallet.
  • Fake DeFi staking websites: Similar to airdrops, some fraudsters claim that by staking their tokens on a spoofed website, masquerading a part of an authentic blockchain project, victims stand to earn a sizeable return on their staked tokens. Victims are directed to a fake website, but once they connect their wallet and stake their tokens, they are prevented from withdrawing their tokens.
  • Fake cryptocurrency exchanges: Scammers have been targeting users on Discord, in particular, promising free bitcoin or Ethereum in exchange for creating an account on a fake exchange platform called “withEREUM”. Claiming the free crypto appears to work as intended, but any attempts by the victims to withdraw their crypto fails, with the cryptocurrency ultimately being diverted to other wallets owned by the fraudsters.

Insights

Asset Recovery in Commodities: Know your Tools
International Trade: The Anti-Money Laundering Achilles’ Heel
Webinar: Fraud, Fictious Trades & Letters of Credit – Where does the buck stop?