Ransomware attacks involving cryptocurrency are on the rise, and a new London lawsuit illustrates how the hackers are seeking to launder their ill-gotten gains.
Lawyers say the case is a landmark one as it is the first time the UK’s High Court has expressly stated that crypto-assets such as bitcoin constitute property.
In December the High Court issued a court order against unknown hackers and cryptocurrency exchange Bitfinex, which held nearly $1m in bitcoins that had been paid to the hackers as a ransom.
Details of the judgment were released by the High Court on 17 January, following a ruling delivered by Justice Simon Bryan on 13 December.
The court case reveals that in October last year, hackers had paralysed work at a Canadian insurance company by using a software bug to render over 1,000 company computers unusable.
The hackers then demanded $1.2m, paid in bitcoin, as a ransom in order to restore the victim’s computers to their pre-attack state.
After consultations with specialist intermediaries, the Canadian company’s insurer, which had covered its client against losses from cybercrime, agreed to pay the hackers $950k in bitcoin for a decryption tool.
The decryption tool arrived within 24 hours of the ransom being paid.
Ransomware attacks are on the rise worldwide
According to Andy Greenberg, author of a 2019 book on cybercrime called ‘Sandworm’, some ransomware operations are now so professional that they even offer live customer support.
This, says Greenberg, increases the likelihood of victims paying a ransom by reassuring them they would get their data back if they complied with the extortion demand.
The High Court judgement reveals it took ten days after receipt of the decryption tool for the Canadian insurance company to restore its systems, which included 20 servers and 1,000 desktop computers.
Following the incident, the victim’s insurer engaged Chainalysis, a blockchain investigations firm, to trace the bitcoins that had been transferred as a ransom.
Chainalysis found that whilst some of the bitcoins had immediately been laundered into fiat currency, most of the ransomware haul (96 bitcoins, worth around $800k at current market prices) had been transferred to a cryptocurrency address at an exchange, Bitfinex.
The London High Court injunction therefore covered iFinex and BFXWW Inc, two affiliated Virgin Island companies that are the legal owners of the Bitfinex exchange, in their capacity as the recipient of the ransom.
According to the judgement, Bitfinex had told the UK High Court it would require a court order to identify the owner of any account at the exchange. However, added the judge, Bitfinex had indicated it would comply with a court order issued by a national authority.
The judge said that, despite the fact that its company headquarters were located in the Virgin Islands, Bitfinex could be served with the court order by email. Earlier, Bitfinex had said it would only accept a court order served in person in the Virgin Islands.
In the injunction, the judge required Bitfinex to provide any information it held identifying its account-holder by December 18 2019.
New Money Review asked Bitfinex to clarify whether it has complied with the court order and whether the 96 bitcoins identified as ransom have been frozen.
Bitfinex did not respond regarding the status of the disputed bitcoin, nor whether it had identified its account-holder, as requested by the UK court.
However, the exchange said in a written statement that it “has robust systems in place to allow it to assist law enforcement authorities and litigants in cases such as this.”
“In this case we have assisted the claimant to trace the stolen bitcoin and we understand the focus of the claimant’s attention is no longer on the Bitfinex platform. It now appears Bitfinex is an entirely innocent party mixed up in this wrongdoing,” Bitfinex said.
Darragh Connell, counsel for the claimant, the insurance company, told New Money Review that, as the case was ongoing, he also could not clarify the status of the disputed bitcoin, nor whether Bitfinex had complied with the judge’s order to provide identity details for its account-holder.
“Return hearings of the interim injunction will be heard again in due course before Mr Justice Bryan who has reserved the case to himself,” Connell said.
“As this is only the interim stage, my client’s claim will need be determined after a trial in the Commercial Court in London.”
In December, Bitfinex said it had signed up to an industry initiative called Project Participate to help identify suspicious transactions and report them to regulators. Chainalysis is also part of the initiative.
Bitfinex is the subject of multiple legal actions in the US, where the New York prosecutor has accused the exchange of fraud and a number of individuals have accused it of manipulating the price of bitcoin.
Ransomware attacks are on the rise worldwide. According to Wired magazine, last year they caused over $12bn in direct losses, while the actual ransom money paid exceeded $5bn.
Chainalysis says such attacks are also leading to sharp rise in the amount of illicitly gained cryptocurrency being sent for laundering to exchanges.
The firm says around $2.8bn of bitcoin was sent by criminals to cryptocurrency exchanges in 2019, up from $1bn a year earlier. Two exchanges, Binance and Huobi, are receiving around half of these volumes, Chainalysis says.
“The need to launder funds is the common thread among all the forms of crypto crime we analyse”
Other destinations for stolen or extorted cryptocurrency are what Chainalysis labels as ‘risky services’ –peer-to-peer exchanges, mixing services, high risk exchanges, and gambling sites—and ‘illicit services’—ransomware addresses, sanctioned entities, darknet markets, and addresses associated with scams and stolen funds.
Exchanges increasingly the destination of illicit bitcoin flows
For those sitting on stolen crypto, there are still logistical challenges ahead before they can cash it out.
“Once a criminal has a pile of illicitly-gained cryptocurrency sitting in a wallet, the next question they have to answer is, ‘How am I going to turn this into cash without getting arrested?’,” Chainalysis wrote in a January 15 blog.
“The need to launder funds is the common thread among all the forms of crypto crime we analyse.”
But while cryptocurrency exchanges around the world have now largely moved into compliance with the anti-money-laundering framework used for the traditional financial system, there’s still a major weak point in the system, Chainalysis suggests.
“Many [OTC brokers] take advantage of this laxity”
Over-the-counter (OTC) cryptocurrency brokers play a major role in helping facilitate money laundering, the firm says, since OTC brokers may apply less rigorous know-your-customer (KYC) requirements than the exchanges they operate on.
“Many [OTC brokers] take advantage of this laxity and help criminals launder and cash out funds, usually first by exchanging bitcoin and other cryptocurrencies into tether as a stable intermediary currency before they presumably cash out into fiat,” Chainalysis says.
Tether is a so-called stablecoin, reportedly controlled by the owners of Bitfinex. Tether tokens are pegged one-to-one to fiat currencies like the dollar or euro, and are widely used across the world’s cryptocurrency exchanges.
The value of US dollar tether tokens in issue has recently expanded to a record $4.6bn.
Legal experts say the recent High Court case solidifies the status of cryptocurrencies and cryptoassets in English law as a kind of property. In November, a UK Jurisdiction Taskforce provided legal clarity regarding the status of cryptoassets for the first time.
It said cryptoassets are property and that smart contracts, which often use cryptoassets, are enforceable under English and Welsh law.
“In legal terms, cryptoassets and smart contracts undoubtedly represent the future,” Sir Geoffrey Vos, Chancellor of the High Court and member of the Taskforce, said in the introduction to its report.
Other legal systems, such as the civil law jurisdictions of Germany and Japan, have struggled to recognise non-physical assets like virtual currencies as subject to property rights.
In Japan’s case, the difficulty in recognising bitcoin as property led to problems in asserting ownership rights after the Mt. Gox cryptocurrency exchange failure in 2014.
Don’t miss any more New Money Review content: sign up here for our newsletter
This article was updated after publication to include responses from Bitfinex and Darragh Connell