Blockchain Vulnerabilities – Crypto Hacks, Blockchain Forensics And Legal Challenges – Technology


It is often assumed that blockchain based digital currencies and
applications are safe and secure. In fact, blockchain ecosystems
including cryptocurrencies such as bitcoin and Ether, smart
contracts that power a plethora of transactions, and blockchain
exchanges have many vulnerabilities. Like many other financial
systems, blockchain based systems are subject to all manner of
hacks, frauds, scams, and vulnerabilities. They happen at the speed
and anonymity of the Internet. There are, understandably, numerous
legal challenges when it comes to obtaining civil remedies for
these Internet based crimes. This is as true, and perhaps even more
so, for blockchain hacks, scams, and frauds as it is for a whole
host of other Internet crimes and wrongs.

I had the pleasure yesterday to participate in a McCarthy
Tetrault Masterclass on the subject of “Blockchain
vulnerabilities – crypto hacks, blockchain forensics and legal
challenges.” The other two panelists were Ari Redbord
from TRM
Labs and Ana Badour, partner and co-head of McCarthy
Tetrault’s Fintech Group. Ari, Ana, and I discussed the hacks,
frauds, forensic tools and countermeasures that are being used by
lawful authorities and businesses to address blockchain
vulnerabilities. Ana and Ari also provided an overview of
regulatory measures being adapted to address legal issues
associated with digital currencies including FATF guidance, AML
legislation, Travel rules, OFAC sanctions against particular
cryptocurrency exchanges, and FinCEN guidance on cybercrime and
ransomware. I also talked about the availability and practicality
of using civil remedies to address losses from the use of
blockchain based systems and some recent OSFI developments that
could impact blockchain applications.

Below are some prepared materials I drew upon in my talk on
blockchain vulnerabilities – crypto hacks, blockchain forensics and
legal challenges.1

Blockchain vulnerabilities, hacks, frauds and scams

There are trillions of dollars invested in blockchain based
digital currencies. Bloomberg recently estimated that the
cryptocurrency market is now worth more than U.S. $3 trillion.
There are well recognized financial risks associated with
cryptocurrency volatility, but this does not seem to have
dampened the market for these assets.

The technical vulnerabilities associated with blockchain are not
as widely recognized. Blockchain is often touted as being secure,
immutable and “unhackable”. There are, however, many
vulnerabilities associated with cryptocurrencies and their
ecosystems, some human and some technical. This should not be
surprising. We can learn a lot from history. As Jesse James showed
in the wild west, Charles Ponzi showed us in 1920, and as
hackers show us day in and day out, no matter how secure a
financial institution, financial application, or financial asset
is, someone will try to find a way to steal it, defraud or trick
people out of it, or hack it. Sadly, the same is true with digital
currencies.

While losses from hacks and vulnerabilities are hard to
estimate, by one account hackers have stolen nearly $2 billion
worth of cryptocurrencies in the two year period between 2017-2019.
Some hacks are by lone hackers, but many are by sophisticated
cybercrime organizations. According to a recent article in the MIT
Security Review, the hype that these assets are unhackable is
“dead wrong”. According to the article:

In short, while blockchain technology has been long touted for
its security, under certain conditions it can be quite vulnerable.
Sometimes shoddy execution can be blamed, or unintentional software
bugs. Other times it’s more of a gray area – the complicated
result of interactions between the code, the economics of the
blockchain, and human greed. That’s been known in theory since
the technology’s beginning. Now that so many blockchains are
out in the world, we are learning what it actually means – often the
hard way.2

A comprehensive article on the subject confirmed the many
vulnerabilities associated with blockchain technology saying:

Blockchains are relatively new and there are countless news
stories of people losing money through compromises in the
components of blockchain ecosystems. Blockchain technologies are
not invulnerable and have actually many known vulnerabilities, just
as with any software.3

Another recent article came to the same conclusion stating:

Until recently, blockchains were seen as an
“unhackable” technology powering and securing
cryptocurrencies – but that’s no longer the case.

In other words, forget what you heard from Bitcoin boosters -
just because information or currency is on a blockchain doesn’t
necessarily mean that it’s more secure than any other form of
storage.

In fact, the same qualities that make blockchain technology so
secure may also be the source of several unique vulnerabilities – a
stark reminder that despite the hype, cryptocurrencies can’t
entirely sidestep the vulnerabilities of any other banking
systems.4

One group of researchers recently concluded that, as
“distributed ledger software by nature, blockchain inevitably
has software issues.” They found, among other things, by
studying the bitcoin, Ethereum, Monero, and Stellar blockchains
that some blockchain modules related to consensus, wallet, and
networking were “highly susceptible to
vulnerabilities”.5

As with every other financial system, there are opportunities
for fraud. One vector is fraud
associated with online marketplaces. An Ontario example involved
the downfall of crypto asset trading platform QuadrigaCX
(Quadriga). It resulted from fraud committed by Quadriga’s
co-founder and CEO Gerald Cotten. Clients entrusted their assets to
Quadriga, which provided false assurances that those assets would
be safeguarded. In reality, Cotten spent, traded and used those
assets at will. Operating without any proper system of oversight or
internal controls, Cotten was able to misuse client assets for
years, unchecked and undetected, ultimately bringing down the
entire platform and causing losses to customers of $169 million.
Approximately $115 million of the losses arose from Cotten’s
fraudulent trading on the Quadriga platform. He opened Quadriga
accounts under aliases and credited himself with fictitious
currency and crypto asset balances which he traded with
unsuspecting Quadriga clients. He sustained losses when the price
of crypto assets changed causing a shortfall in assets to satisfy
client withdrawals. He covered this shortfall with other
clients’ deposits, in effect, operating a Ponzi scheme. Cotten
also lost an additional $28 million while trading client assets on
three external crypto asset trading platforms without authorization
from, or disclosure to, clients. He also misappropriated millions
in client assets to fund his lifestyle.6

There are other types of fraud cases as well. For example, in the
U.K. case, Ion Sciences vs Persons Unknown and Others,7 Ion and
its Director were induced by persons unknown to transfer bitcoin in
the belief that they were investing in a legitimate initial coin
offering (ICO), but later discovered that the recipient was a scam.
They transferred £577,002 in the form of some 64.35 bitcoin
to the fraudster’s Coinbase account in the belief that they
were making investments in real cryptocurrency products. A
substantial part of the bitcoin transferred or their traceable
proceeds ended up at accounts held by the Binance and Kraken
exchanges.

Private key security attacks are also a
known means of allowing malicious actors to steal cryptocurrencies.
A private key allows individuals to access funds and verify
transactions. An attacker who has discovered a vulnerability in an
elliptic curve digital signature algorithm, for example, can
recover a user’s private key. If a private key is stolen, it is
difficult to track any related criminal activity and recover the
relevant blockchain asset.8

There are several examples of private key security attacks. A
recent one involved the cryptocurrency exchange
Cryptopia, a New Zealand exchange that operated globally. In
January 2019 Cryptopia’s servers were hacked and private keys
held by the exchange were used to transfer cryptocurrencies to an
undisclosed external exchange. Somewhere between 9 and 14 per cent
of its cryptocurrency was stolen, valued at around NZD $30 million.
Cryptopia temporarily suspended its operations and eventually was
put into liquidation. The case resulted in a lengthy decision by a
New Zealand Court in Ruscoe v Cryptopia Limited (in liquidation) [2020]
NZHC 728 (8 April 2020), which had to decide how the
remaining assets of the exchange should be distributed as between
account holders and unsecured creditors. The court decided that
cryptocurrencies were property and that Cryptopia was a trustee of
separate trusts, one for each cryptocurrency with the beneficiaries
being all account holders holding currency of the relevant
type.

Another example of a private key security attack was described in
the U.K. case, Fetch.AI Ltd & Anor v Persons Unknown Category A &
Ors [2021] EWHC 2254 (Comm) (15 July 2021). It involved fraudulent
trading using a person’s trading
account with the cryptocurrency exchange Binance. It was
perpetrated by unauthorized access to the plaintiff’s private
key. The hackers obtained access to the accounts maintained by the
plaintiff and were able to trade the crypto assets in the account
by adopting massive undervalues for the products traded with the
result that, in the aggregate, losses totaling in excess of US$2.6
million were sustained over a very short period.

Hackers have also been known to steal the keys to
cryptocurrency wallets.9

Of course marketplaces, like almost every other organization in
Canada, are subject to data breaches from a myriad of sources. One
of the best known examples is Mt. Gox, one of the first bitcoin
exchanges, which was based in Tokyo. During its heyday in the
early 2010s, Mt. Gox was responsible for more than 70% of
global bitcoin transactions. In 2011 hackers used stolen
credentials to transfer bitcoins. Deficiencies in network protocols
also resulted in several thousand bitcoins being “lost”.
Reportedly, 850 million bitcoins, representing 6% of bitcoins in
circulation at the time, were stolen over several years.10

Despite all the security features blockchain offers, individuals
and organizations are still susceptible to phishing attacks. This
scam attempts to obtain a user’s
credentials without their knowledge through various tricks such as
email. For example, fraudsters send wallet key owners emails posing
as a legitimate source asking users for their credentials using
fake hyperlinks.11

SIM swap attacks are also not uncommon.
Earlier this week an Ontario teen was arrested for allegedly
stealing $46 million in crypto currency in a SIM swap
attack. Reportedly, the police, who were assisted by
the FBI and U.S. secret service, seized multiple pots of
cryptocurrency valued at more than $7 million. In another
case BlockFi, which offers crypto services for individuals and
institutional clients, was subject to a SIM swap attack. In this
case, only
personal information and no funds were accessed.12 In another case hackers stole
data from Coinsquare, a cryptocurrency trading
platform also using a SIM swapping technique, but
the hackers were also unable to use the data to steal any crypto
assets.13

Hackers have also been known to exploit technical weaknesses in
blockchain systems. An example of this is the Poly Network hack,
which occurred in August 2021. Multiple
blockchains including Ethereum, Binance Smart Chain, and Polygon were attacked. The hack targeted
the Poly Network, a cross-blockchain interoperable bridge that
enables users to transfer crypto-assets from one blockchain to
another. Transfers are accomplished by locking tokens on a source
blockchain and unlocking them on a destination one. After a
transaction has occurred on a source blockchain, the Poly Network
Keepers sign blocks of the source blockchain that contain the
original transaction. The keeper then submits the signed block to a
smart contract manager on the destination blockchain. The smart
contract manager assesses the signatures’ validity, and if it
is valid then the contract executes the transaction on the
destination blockchain. The hacker exploited a vulnerability in the
EthCrossChainManager smart contract manager. Essentially the hacker
was able to create fake transactions that allowed them to unlock
tokens on the destination blockchain without locking them on the
source blockchain. The hacker did this by changing and compromising
trusted entities called “keepers”, stored in the
EthCrossChainData contract, that facilitate the cross chain
transactions, so as to unlock tokens on the destination blockchain
without locking the tokens on the source blockchain, essentially
managing to duplicate tokens across two blockchain networks. By
taking control of the keepers the attacker was able to trick the
EthCrossChainManager contract into executing cross-chain
transactions that weren’t real on the source blockchain. The
hacker was able to duplicate over $600 million worth of tokens
across the networks by exploiting Poly Network’s cross-chain
protocol, leaving the tokens still controlled by the original users
uncollateralized and the valuable tokens under the hacker’s
control. People with tokens on the source blockchain suffered
losses. The hacker later returned funds to the Poly Network.14
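The keeper-signature path described above can be modelled in a few lines. The following Python simulation is an added example written for this post, not Poly Network’s code: keeper signatures are replaced by HMACs over made-up per-keeper secrets, the contract names CrossChainData and CrossChainManager and the three messages are constructed for the demonstration, and the point it shows is the defensive one, namely that the manager must not let a keeper-attested payload reach the contract that holds the keeper set. Run once with an unrestricted manager and once with a target allowlist, the same three messages either rotate the keepers and unlock unbacked tokens, or stop at the allowlist.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed simulation of a lock-and-unlock bridge (not Poly Network code).
# Keeper signatures are HMACs over per-keeper secrets, standing in for ECDSA.
#   keepers  attest to whatever the source chain produced, without reading it
#   manager  checks the keeper threshold, then dispatches the payload
#   data     stores the keeper set and trusts its owner, the manager
KEEPER_THRESHOLD = 2


def digest(target: str, method: str, args: Tuple) -> bytes:
    """The message digest that keepers attest to."""
    return hashlib.sha256(repr((target, method, args)).encode()).digest()


def keeper_sign(secret: bytes, d: bytes) -> bytes:
    return hmac.new(secret, d, hashlib.sha256).digest()


def attest(target: str, method: str, args: Tuple, keyset: Dict[str, bytes]) -> Dict[str, bytes]:
    """Every keeper in keyset signs the digest; none of them inspects the payload."""
    d = digest(target, method, args)
    return {kid: keeper_sign(secret, d) for kid, secret in keyset.items()}


@dataclass
class CrossChainData:
    keepers: Dict[str, bytes]
    owner: str = "manager"

    def set_keepers(self, caller: str, new_keepers: Dict[str, bytes]) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner may rotate keepers")
        self.keepers = dict(new_keepers)


@dataclass
class DestinationChain:
    balances: Dict[str, int] = field(default_factory=dict)

    def unlock(self, tx_id: str, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount


@dataclass
class CrossChainManager:
    data: CrossChainData
    chain: DestinationChain
    # None: any target is reachable from an attested message (the weak design).
    # A set: only those targets are reachable (the hardened design).
    allowed_targets: Optional[Set[str]] = None

    def threshold_met(self, d: bytes, sigs: Dict[str, bytes]) -> bool:
        valid = 0
        for kid, sig in sigs.items():
            secret = self.data.keepers.get(kid)
            if secret is not None and hmac.compare_digest(keeper_sign(secret, d), sig):
                valid += 1
        return valid >= KEEPER_THRESHOLD

    def execute(self, target: str, method: str, args: Tuple, sigs: Dict[str, bytes]) -> str:
        if not self.threshold_met(digest(target, method, args), sigs):
            return "rejected: keeper threshold not met"
        if self.allowed_targets is not None and target not in self.allowed_targets:
            return "rejected: target not in allowlist"
        if (target, method) == ("data", "set_keepers"):
            self.data.set_keepers("manager", args[0])  # the manager is the owner, so this passes
            return "keepers rotated"
        if (target, method) == ("chain", "unlock"):
            self.chain.unlock(*args)
            return "unlocked"
        return "rejected: unknown call"


def run_scenario(restrict_targets: bool) -> dict:
    """Three messages: an honest unlock, a payload that rotates the keeper set,
    then an unlock with no matching lock, attested only by the rogue set."""
    real = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3"}   # constructed
    rogue = {"x1": b"rogue-1", "x2": b"rogue-2"}                        # constructed
    data = CrossChainData(keepers=dict(real))
    chain = DestinationChain()
    manager = CrossChainManager(data, chain, {"chain"} if restrict_targets else None)

    honest = ("chain", "unlock", ("tx-1", "alice", 100))
    rotation = ("data", "set_keepers", (rogue,))
    no_lock = ("chain", "unlock", ("tx-none", "mallory", 10_000))
    return {
        "honest": manager.execute(*honest, attest(*honest, real)),
        "rotation": manager.execute(*rotation, attest(*rotation, real)),
        "rogue_unlock": manager.execute(*no_lock, attest(*no_lock, rogue)),
        "keepers": sorted(data.keepers),
        "mallory_balance": chain.balances.get("mallory", 0),
    }


if __name__ == "__main__":
    print("unrestricted:", run_scenario(False))
    print("allowlisted: ", run_scenario(True))
```

The allowlist is one control; an equivalent design moves keeper rotation onto a separate governance path that ordinary bridge messages cannot reach. Either way the keeper set is worth monitoring on-chain, so that an unexpected rotation raises an alert before any unlock follows it.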

Another well known example of a technical weakness exploit is The
DAO, created by an unincorporated organization called Slock.it UG
(“Slock.it”). The DAO was a
Decentralized Autonomous Organization, a term that describes a
“virtual” organization embodied in computer code and
executed on a distributed ledger or blockchain. The DAO was created
by Slock.it and Slock.it’s co-founders, with the goal of
operating as a for-profit entity that would create and hold assets
through the sale of DAO Tokens to investors that would be used to
fund projects. After DAO Tokens were sold, but before The DAO was
able to commence funding projects, an attacker used a flaw in The
DAO’s code to steal approximately one-third of The DAO’s
assets. The hacker began to divert the cryptocurrency Ether (ETH)
from The DAO, causing approximately 3.6 million ETH, or 1/3 of the
total ETH raised by The DAO offering, to move from The DAO’s
Ethereum Blockchain address to an Ethereum Blockchain address
controlled by the hacker. Luckily, before the hacker could move the
ETH from that address Slock.it’s co-founders and others
endorsed a “Hard Fork” to the Ethereum Blockchain. The
“Hard Fork,” restored the DAO Token holders’
investments as if the hack had not occurred.15
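The post does not say what the flaw in The DAO’s code was; it was the well documented re-entrancy pattern, in which a contract pays a caller out before recording that the balance has been withdrawn, so the recipient’s code can call back in and withdraw again. The Python model below is an added example, not The DAO’s code: the Vault class, the account names and the amounts are constructed, and a callback stands in for Ethereum’s external call. The same attempt is run against a withdraw function written interaction-first and against one written in the checks-effects-interactions order.

```python
from typing import Callable, Dict


class Vault:
    """Constructed toy pooled-funds contract. withdraw_all pays out through a
    callback, which stands in for an Ethereum external call: control passes to
    the recipient's code before the calling function has finished."""

    def __init__(self, checks_effects_interactions: bool) -> None:
        self.safe = checks_effects_interactions
        self.balances: Dict[str, int] = {}
        self.pool = 0  # ether the contract actually holds

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw_all(self, who: str, on_receive: Callable[[int], None]) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:  # checks
            return
        if self.safe:
            self.balances[who] = 0  # effects first ...
            self.pool -= amount
            on_receive(amount)      # ... then the interaction
        else:
            self.pool -= amount
            on_receive(amount)      # interaction while the balance is still credited
            self.balances[who] = 0  # effect too late: re-entrant calls already ran


def simulate(checks_effects_interactions: bool, max_reentries: int = 50) -> dict:
    """Three constructed depositors; the third one's recipient code re-enters."""
    vault = Vault(checks_effects_interactions)
    vault.deposit("alice", 70)
    vault.deposit("bob", 20)
    vault.deposit("mallory", 10)
    received = {"total": 0, "calls": 0}

    def mallory_fallback(amount: int) -> None:
        # recipient code that calls withdraw_all again while the first call is still on the stack
        received["total"] += amount
        received["calls"] += 1
        if received["calls"] < max_reentries:
            vault.withdraw_all("mallory", mallory_fallback)

    vault.withdraw_all("mallory", mallory_fallback)
    honest = vault.balances["alice"] + vault.balances["bob"]
    return {
        "mallory_received": received["total"],
        "pool_left": vault.pool,
        "honest_funds_covered": vault.pool >= honest,
    }


if __name__ == "__main__":
    print("interaction first:", simulate(False))
    print("checks-effects-interactions:", simulate(True))
```

With the interaction-first order the 10-unit depositor drains the whole 100-unit pool, and the honest balances are no longer backed by anything; with the state update moved before the payout, the re-entrant call sees a zero balance and returns. A re-entrancy guard on the function is the usual second layer, but the ordering is the fix.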

Hackers can also engage in Routing Attacks. Blockchains rely on
real-time, large data transfers. Hackers can intercept real-time
large data transfers such as by hijacking IP prefixes or dropping
connections momentarily, preventing the system from reaching
consensus. Blockchain participants aren’t aware of the threat, but
behind the scenes, fraudsters may have extracted confidential data
or currencies.16 There are vulnerabilities in the routing protocol
that is used to specify how IP packets are forwarded to their
destinations over the Internet (the Border Gateway Protocol
(BGP)). Using a so called BGP Hijacking Attack, a hacker can
manipulate BGP and intercept the blockchain network to route
traffic to destinations determined by the hacker.17

Other examples of technical weaknesses were a cryptographic flaw in
the cryptocurrency Zcash that could have been exploited to make
unlimited counterfeit Zcash, and a flaw in bitcoin’s main client,
Bitcoin Core, that could have let attackers mint more bitcoins than
the system was supposed to allow.18

There can also be underlying cryptosystem vulnerabilities in other
components such as blockchain wallets. They usually work with a
public and private key pair for signatures and are as secure as the
underlying cryptosystem they use. The public-key algorithms used for
these keys have known attacks that can be applied.19

Blockchains are also subject to other types of attacks to steal
crypto-assets. A well recognized attack vector is the “51%
vulnerability attack”, which most cryptocurrencies are, at least
theoretically, susceptible to. Blockchains commonly use proof of
work as their protocol for verifying transactions. This process,
also known as mining, involves nodes spending vast amounts of
computing power to prove themselves trustworthy enough to add
information about new transactions to the database. If a miner or
pool of miners is able to gain control of a majority of the
network’s mining power, they can arbitrarily manipulate and change
blockchain information, such as by reversing a transaction and
initiating a double-spending attack by creating an alternative
version of the blockchain (a fork). These attackers can make the
fork the authoritative version of the chain and proceed to spend
the same cryptocurrency again (double spending). Examples of 51%
attacks occurred on a series of smaller coins including Verge,
Monacoin, and Bitcoin Gold that resulted in thefts of an estimated
$20 million. There was also a 51% attack against Ethereum Classic,
where an attacker who gained control of more than half of the
network’s computing power was trying to rewrite transactions to
steal more than $1 million. In another case, the mining pool
“ghash.io” accounted for more than 42% of the total bitcoin
mining power. The fact that a single mining pool represented such a
high proportion was a serious concern, and many miners dropped out
of the pool.20
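The fork-and-double-spend mechanism in the paragraph above, and what an exchange can watch for, can be shown with a small model. The Python below is an added example, not code from any blockchain client: the blocks, the deposit and the attacker’s competing branch are constructed, and proof of work is reduced to one unit of work per block so that the branch with more blocks wins. It credits a deposit once it has a chosen number of confirmations, then publishes a longer private branch in which the same coins were spent elsewhere, and reports how deep the resulting reorganisation is and whether a credited deposit vanished.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    parent: Optional[str]      # id of the parent block, None for genesis
    txs: Tuple[str, ...]       # constructed transaction labels
    work: int = 1              # proof-of-work credited to this block

    @property
    def hid(self) -> str:
        return hashlib.sha256(repr((self.parent, self.txs, self.work)).encode()).hexdigest()[:12]


class Node:
    """A node's view of the ledger: every block seen is kept, and the tip with the
    most cumulative work is followed. That rule is what a majority miner exploits."""

    def __init__(self, genesis: Block) -> None:
        self.blocks: Dict[str, Block] = {genesis.hid: genesis}
        self.tip = genesis.hid

    def add(self, block: Block) -> None:
        self.blocks[block.hid] = block
        if self.total_work(block.hid) > self.total_work(self.tip):
            self.tip = block.hid

    def total_work(self, hid: str) -> int:
        work, cur = 0, hid
        while cur is not None:
            work += self.blocks[cur].work
            cur = self.blocks[cur].parent
        return work

    def path_to(self, hid: str) -> List[str]:
        """Block ids from genesis to hid."""
        out, cur = [], hid
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent
        return out[::-1]

    def confirmations(self, tx: str) -> int:
        """Blocks from the one containing tx to the tip inclusive; 0 if tx is not on the tip chain."""
        for depth, hid in enumerate(reversed(self.path_to(self.tip))):
            if tx in self.blocks[hid].txs:
                return depth + 1
        return 0


def reorg_depth(old_path: List[str], new_path: List[str]) -> int:
    """How many blocks of the old tip chain were abandoned when the tip moved."""
    common = 0
    for a, b in zip(old_path, new_path):
        if a != b:
            break
        common += 1
    return len(old_path) - common


def simulate(required_confirmations: int) -> dict:
    """A deposit is credited once it has the required confirmations; a majority miner
    then publishes a longer private branch in which the same coins went elsewhere."""
    genesis = Block(None, ())
    node = Node(genesis)
    deposit = "dep:mallory->exchange:50"  # constructed

    # public chain seen by the exchange: genesis -> b1(deposit) -> b2 -> b3
    prev = genesis
    for txs in ((deposit,), (), ()):
        prev = Block(prev.hid, txs)
        node.add(prev)
    old_path = node.path_to(node.tip)
    confs_before = node.confirmations(deposit)
    credited = confs_before >= required_confirmations

    # private branch mined from genesis with more total work (four blocks against three),
    # spending the same coins to an address the miner controls instead
    prev = genesis
    for txs in (("spend:mallory->mallory2:50",), (), (), ()):
        prev = Block(prev.hid, txs)
        node.add(prev)
    new_path = node.path_to(node.tip)
    confs_after = node.confirmations(deposit)

    return {
        "credited": credited,
        "confirmations_before": confs_before,
        "confirmations_after": confs_after,
        "reorg_depth": reorg_depth(old_path, new_path),
        "credited_deposit_reversed": credited and confs_after == 0,
    }


if __name__ == "__main__":
    for policy in (3, 6):
        print(f"{policy} confirmations:", simulate(policy))
```

With a three-confirmation policy the deposit is credited and then drops to zero confirmations after a three-block reorganisation; a six-confirmation policy merely has not credited it yet. Confirmation depth is a probabilistic guard that a majority miner can always beat, so a defender also monitors reorganisation depth and pauses withdrawals when it reaches the crediting threshold.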

Research shows that there are also many other security
vulnerabilities associated with smart contracts.21 Other types of
attacks include the “Balance Attack” and “Sybil
Attacks”.22

Future developments in technologies will also undoubtedly
present new security challenges that blockchain systems will need
to address. For example, quantum computing has the capability of
breaking the encryption deployed in blockchains and cryptographic
codes, upending basic security assumptions. It is expected that
quantum computers will one day be able to break a blockchain’s
cryptographic algorithms quickly and make the encryption
obsolete. To stay ahead, there will be a need to transition to
quantum-resistant schemes to mitigate potential security risks.23

Regulatory

There are many provincial rulings by securities regulators. As set
out in CSA Staff Notice 21-327 Guidance on the Application of
Securities Legislation to Entities Facilitating the Trading of
Crypto Assets (CSA SN 21-327), securities and derivatives
legislation may apply to persons or companies that are in the
business of trading contracts or instruments that have an
underlying interest in assets that are frequently referred to as
crypto assets, such as bitcoin, Ether, and anything commonly
considered a crypto asset, digital or virtual currency, or digital
or virtual token that are not themselves securities or derivatives,
because these contracts or instruments satisfy the definition of a
security or a derivative as defined in securities legislation.24

For OSFI regulated FIs, there are some recent developments.

Technology and Cyber Security Incident Reporting Advisory (August 2021)

The Advisory is intended to support a coordinated and integrated
approach to OSFI’s awareness of, and response to, technology and
cyber security incidents. It has very broad criteria for reporting
incidents including cyberattacks, third party breaches, extortion
threats, and impacts to financial market settlements.

Technology and Cyber Risk Management (Draft Guideline) (November 2021)

The Guideline establishes OSFI’s expectations related to technology
and cyber risk management. It deals with, among other things, cyber
security and technology operations. Cyber Security: “Outcome: A
secure technology posture that maintains the confidentiality,
integrity and availability of the FRFI’s technology assets.”
Technology Operations: “Outcome: A technology environment that
is stable, scalable and resilient. The environment is kept current
and supported by robust and sustainable technology operating
processes.”

Both of these OSFI documents may be relevant to, among other
things, blockchain based trading systems and decentralized
finance.

Civil remedies

Obtaining remedies for Internet based wrongs is a continuing
exercise of whack-a-mole. Obtaining effective civil
remedies against blockchain hackers is, without doubt, challenging.
They act at the speed of the internet, anonymously, almost always
reside and act from foreign jurisdictions, and are notorious for
covering their tracks including by peeling their stolen crypto
assets to obfuscate recoveries. While it is possible to investigate
and trace transfers of cryptocurrencies from public blockchains,
recovering those assets or tracing those assets once converted into
fiat currency can be difficult.

There are however several cases that show that if the attacked
party acts quickly there are legal remedies that can be used to try
to recover stolen or transferred crypto assets.

Case study

An example is the U.K. case AA v Persons Unknown & Ors, Re
Bitcoin [2019] EWHC 3556 (Comm) (13 December 2019).
In this case a Canadian insurance company (the Insured Customer)
was subject to a ransomware attack that encrypted and locked up its
computer systems. It had cyber insurance from an English insurer
(the “Insurer”). The Insurer hired an incident response
company (IRC) which negotiated the decryption software for a ransom
of US $950,000 which was paid with 109.25 bitcoins to an address
that was provided.

Note, I could have chosen a fact pattern from other
reported cases because the problems in obtaining remedies are very
similar, only the alleged criminal behavior is different. For
example, in the U.K. case Fetch.ai Ltd and another v Persons Unknown
Category A and others (July 2021) the hacker used the
plaintiff’s private key to fraudulently trade cryptocurrencies
at massive undervalues using the plaintiff’s trading account.
In the U.K. case, Ion Sciences vs Persons Unknown and Others,25 there
was a transfer of bitcoin to a scam artist in a coin offering (ICO)
fraud.

In the AA v Persons Unknown case, the Insurer
hired Chainalysis Inc., a blockchain investigations company, which
was able to track 96 of the bitcoins that were held by an exchange
known as Bitfinex. The rest of the funds were converted into a fiat
currency.

The Insurer then commenced legal proceedings in the UK (based on
its subrogated rights) against the unknown hacker that made the
ransom demand (the first defendant), the unknown person who
held/controlled the 96 bitcoins (the second defendant), and two
entities trading as the Bitfinex exchange.

The relief claimed and the court’s order are described
below.

An order that the hearing be conducted in private and
for an anonymity order

The Insured asked for an order that the hearing be conducted in
private and for an anonymity order. This order was granted. The
publicity would have defeated the object of the hearing. The
overarching purpose of the application was to assist the applicant
in its efforts to recover the 109.25 bitcoins that were unlawfully
extorted. If the hearing was held in public there is a strong
likelihood that the object of the application would be defeated
because it would potentially tip off the persons unknown to enable
them to dissipate the bitcoins. There would also be the risk of
further cyber or revenge attacks on both the Insurer and the
Insured Customer by persons unknown. There could also be a risk of
copycat attacks on the Insurer and/or the Insured Customer.26

Norwich, Bankers Trust and Freezing Order Application

The Insurer asked for disclosure orders requiring the operators
of the exchange to provide specified information in relation to the
crypto currency account owned or controlled by the second
defendant. The Insurer relied on the well established Norwich
Pharmacal disclosure jurisprudence that permits courts to require
innocent intermediaries (in this case the exchange) that become
mixed up in
a wrongful act to provide information necessary for claimants to
pursue their claims such as the identities of their account holders
and information about the accounts. The Insurer also relied on
the Bankers Trust jurisprudence which permits
orders to be made against financial institutions to disclose
confidential documents to support a proprietary claim in fraud or
to trace assets or their proceeds that are the subject of a
proprietary injunction.

The insurer also asked for a worldwide Mareva injunction order to
freeze all the assets of the hackers.

This part of the motion was adjourned at the request of the
Insurer because of uncertainty whether the Bankers Trust and
Norwich orders could be made and served against institutions
outside of the UK. (In the UK
there must be a jurisdictional gateway before service of a claim
outside the UK can be ordered). This illustrates, in part, some of
the cross jurisdictional challenges of getting civil remedies
against rogue foreign persons.

A Bankers Trust order was, however, made in the Ion Sciences vs
Persons Unknown and Others (unreported) 21 December 2020
(Commercial Court), and Fetch.AI Ltd & Anor v Persons Unknown
Category A & Ors [2021] EWHC 2254 (Comm) (15 July 2021) cases.

Proprietary injunction

The Insurer also sought a proprietary injunction in respect of
the bitcoin held at the account of the exchange. The claim for
which the relief was sought was in restitution and/or constructive
trust against all four defendants. The Insurer claimed that the sum
of $950,000 that was paid out belonged to the Insurer. That money
was used to purchase bitcoin and the proceeds of that money could
be traced into the accounts with Bitfinex and Bitfinex was
constructive trustee of those funds on behalf of the Insurer.

This claim raised a number of issues.

A central issue was whether bitcoin is “property”, as
proprietary remedies can only be granted in respect of property.
There are some cases that held that to be property a thing had to
be a “chose in possession” or “chose in
action”. While the issue was not free from doubt, the court
concluded that “for the purpose of granting an interim
injunction in the form of an interim proprietary injunction that
crypto currencies are a form of property capable of being the
subject of a proprietary injunction”. In coming to this
conclusion the court relied on Lord Wilberforce’s classic
definition of property in National Provincial Bank v Ainsworth
[1965] 1 AC 1175 as being definable, identifiable by third parties,
capable in their nature of assumption by third parties, and having
some degree of permanence, and a decision of a Singapore court in
B2C2 Limited v Quoine PTC Limited [2019] SGHC (I) 03. He also
relied on the UK Jurisdictional Task Force (“UKJT”) which
published a legal statement on Crypto assets and Smart contracts.
The court also relied on two prior English authorities where crypto
currencies were treated as property, Vorotyntseva v Money-4
Limited t/a as Nebeus.com, [2018] EWHC 2598 (Ch) where a worldwide
freezing order was made in respect of a substantial quantity of
bitcoin and Ether, and the case of Liam David Robertson
(unreported 15th July 2019) where an asset preservation order over
crypto currencies was made.

The court also concluded that it was a proper case to make the
proprietary injunction.

Although, as noted above, the court adjourned the request for the
Norwich and Bankers Trust order, some of the relief asked for was
granted as
ancillary relief to the proprietary injunction. Specifically, the
Court ordered that information be provided of the identity and
address of the exchange operators and the hackers. This included
that the exchange identify the hackers and provide any information
they had about them and that the hackers identify themselves. The
court was satisfied that that information was necessary to police
the proprietary injunction and would also be appropriate to be
provided by way of pre-action disclosure in the action.

There was no follow up decision, so it is not clear whether the
crypto assets or any of the fiat currencies were actually
recovered.

Other Commonwealth cases have reached similar results on whether
crypto currencies are property. For example, the New Zealand case,
Ruscoe v Cryptopia Limited (in liquidation) [2020] NZHC 728 (8
April 2020), concluded that cryptocurrencies were
“property” “within the definition in s 2 of the New
Zealand Companies Act and also probably more
generally”. The Court also held that these digital assets,
being property, are capable of forming the subject matter of a
trust.

This conclusion was echoed in the more recent U.K. case, Ion
Sciences vs Persons Unknown and Others (unreported) 21 December
2020 (Commercial Court). There
Ion Sciences and its sole director, Duncan Johns, were victims of
alleged initial coin offering (ICO) fraud. The court stated it was
“satisfied that there is at least a serious issue to be tried
that cryptoassets such as bitcoin are property within the common
law definition of that term.” The court granted a proprietary
injunction and a worldwide freezing order against persons
unknown to preserve the transferred bitcoin or their traceable
proceeds and an ancillary disclosure order to identify the alleged
fraudsters. The court also made a Bankers Trust order against two
cryptocurrency exchanges
operating outside of the U.K. and an order to trace the transferred
bitcoin or their proceeds that were the subject of the proprietary
injunction.27

Another recent U.K. case reached the same conclusion and made
orders similar to those made in the Ion Sciences case in Fetch.ai
Ltd and another v Persons Unknown Category A and others (July
2021). The
plaintiff’s private key was somehow accessed in breach of
confidence and used to fraudulently trade cryptocurrencies at
massive undervalues using the plaintiff’s trading account. The
court, relying on a breach of confidence legal claim, granted a
proprietary injunction including against non-UK residents, a
worldwide freezing order, and a Bankers Trust disclosure order.
The injunction was based on the
“simple proposition that, when property is obtained by fraud,
equity imposes a constructive trust on the fraudulent recipient,
with the result that the fraudulent recipient holds the legal title
on constructive trust for the loser”.

Further the court held it had the jurisdiction to make the order
against the defendants even though they resided outside of the
jurisdiction based on the nuances of the U.K. jurisdictional
gateways.

Is the civil law adequate to address blockchain security and
vulnerabilities?

Many of the legal remedies discussed in the U.K. AA v Persons Unknown and other U.K.
cases are likely available in Canada. The Supreme Court recently
confirmed in Google Inc. v. Equustek Solutions Inc.,
2017 SCC 34 that Canadian courts have broad jurisdiction to
grant orders “where just and equitable” to do so. This
includes the following types of orders discussed in the U.K. cases
that could be useful in a digital currency
security/vulnerability/hacking or ransomware case.

Norwich orders: Norwich orders can be used to compel non-parties
to disclose information or documents in their possession required
by a claimant. Norwich orders have increasingly been used in the
online context by plaintiffs who allege that they are being
anonymously defamed or defrauded and seek orders against Internet
service providers to disclose the identity of the perpetrator.
Norwich disclosure may be ordered against non-parties who are not
themselves guilty of wrongdoing, but who are so involved in the
wrongful acts of others that they facilitate the harm. Norwich
also supplies a principled rationale for granting injunctions
against non-parties who facilitate wrongdoing.28

Bankers Trust orders: Bankers Trust orders, named after the English
Court of Appeal case Bankers Trust Co. v. Shapira, [1980] W.L.R.
1274 (C.A.), are also available in Canada.29 These orders can be
made in a proper case to make a discovery order directed to a
financial institution to be used for the purpose of following and
tracing the lost or surrendered crypto assets.

Mareva Injunctions: Mareva injunctions are also available in
Canada. They are used to freeze assets in order to prevent their
dissipation pending the conclusion of a trial or action. A Mareva
injunction can require a defendant not to dissipate his or her
assets and often requires the assistance of a non-party such as a
financial intermediary which can be ordered to assist if it is just
and equitable to do so. Banks and other financial institutions
have, as a result, been bound by Mareva injunctions even when they
are not a party to an underlying action.30

Proprietary Remedies: Some causes of action such as the
torts of conversion and detinue, and remedies like tracing orders
and constructive trusts depend on digital currencies being
“property”. It is likely that they will be recognized as
such in Canada as they are in the U.K., New Zealand, Singapore, and
elsewhere. The issue arose in the B.C. case Copytrack Pte Ltd v
Wall, [2018] BCSC 1709 where the plaintiff had mistakenly
transferred to the
defendant 530 Ether tokens valued at the time at $495,000 instead
of 530 CPY tokens valued at $780. When the defendant failed to
return the Ether tokens Copytrack sued the defendant alleging the
torts of conversion and detinue and asked for “An order that
Copytrack be entitled to trace and recover the 529.8273791 Ether
tokens received by Wall from Copytrack on 15 February 2018 in
whatsoever hands those Ether tokens may currently be held.”
The judge noted the difficulty in characterizing them, but
nevertheless concluded that “regardless of the
characterization of the Ether tokens, it is undisputed that they
were the property of Copytrack, they were sent to Wall in error,
they were not returned when demand was made and Wall has no
proprietary claim to them. While the evidence of what has happened
to the Ether tokens since is somewhat murky, this does not detract
from the point that they should rightfully be returned to
Copytrack”.

Copytrack adds to the developing jurisprudence throughout the
Commonwealth which has recognized digital currencies as being a
form of property and in which proprietary remedies have been
ordered.

There are, however, significant challenges even with these
remedies.

There is always a problem of being able to determine the cause
of a loss, to be able to trace the transactions to particular
sources where crypto assets can be frozen, and to move quickly
enough before the digital currencies are traded or converted to
fiat currencies and dissipated without a trace. Tracing assets also
gets more complicated when the asset is transferred from one crypto
currency to another one, especially when the fraudsters engage in
“peeling” to obscure or hide digital
currencies obtained illicitly.

Tracing the transfers of cryptocurrency assets is something that
experts have been able to do. In the Colonial Pipeline case, the
FBI was able to track multiple transfers of bitcoins and identify
that approximately 63.7 bitcoins, representing the proceeds of a
victim’s ransom payment, had been transferred to a specific
address. This tracing was also done by experts in the AA v Persons
Unknown, Ion Sciences and Fetch cases. An expert in tracing
transfers of cryptocurrencies from CipherTrace also gave evidence
in a 2019 Canadian case involving $1.4 million in bitcoins
confiscated in a crypto seizure by Canadian police.
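The two preceding paragraphs describe, in legal terms, what a forensic tracer is asked to establish: where stolen funds went, how a "peeling" chain obscures them, and at which addresses a freezing or disclosure order could still bite. The following is an added illustration, not code from the article or from any of the forensic firms it names. It runs over a small constructed ledger (the transaction ids, addresses and amounts are invented; whole address balances are spent per transaction and no real UTXO bookkeeping is done) and shows three defender-side operations: proportional ("haircut") taint propagation, walking a peel chain until the pattern breaks, and listing the unspent addresses that still hold tainted value.

```python
"""Toy transaction-graph tracer over a constructed peel chain (added example)."""
from collections import defaultdict

# Constructed ledger, in confirmation order. Each entry spends whole address
# balances; the gap between inputs and outputs is the network fee.
# thief_a peels 0.5, 0.7 and 0.4 to fresh addresses while the bulk rolls on
# through change addresses, then mixes with clean funds before hitting an
# exchange deposit address.
LEDGER = [
    {"txid": "t1", "inputs": [("victim", 10.0)], "outputs": [("thief_a", 10.0)]},
    {"txid": "t2", "inputs": [("thief_a", 10.0)], "outputs": [("peel_1", 0.5), ("chg_1", 9.49)]},
    {"txid": "t3", "inputs": [("chg_1", 9.49)], "outputs": [("peel_2", 0.7), ("chg_2", 8.78)]},
    {"txid": "t4", "inputs": [("chg_2", 8.78)], "outputs": [("peel_3", 0.4), ("chg_3", 8.37)]},
    {"txid": "t5", "inputs": [("chg_3", 8.37), ("clean_src", 2.0)],
     "outputs": [("exchange_deposit", 9.0), ("chg_4", 1.36)]},
    {"txid": "t6", "inputs": [("peel_1", 0.5)], "outputs": [("exchange_deposit", 0.49)]},
]


def spend_index(ledger):
    """Map each address to the transactions that spend from it."""
    idx = defaultdict(list)
    for tx in ledger:
        for addr, _ in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def trace_taint(ledger, origin, stolen):
    """Proportional ('haircut') taint propagation from `origin`.

    Every output inherits the tainted fraction of its transaction's inputs,
    so funds mixed with clean money come out only partly tainted.
    Returns {address: tainted_amount} for every address touched.
    """
    taint = defaultdict(float, {origin: stolen})
    for tx in ledger:  # ledger is assumed to be in topological (confirmation) order
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = sum(min(taint[addr], amt) for addr, amt in tx["inputs"])
        if tainted_in == 0:
            continue
        fraction = tainted_in / total_in
        for addr, amt in tx["outputs"]:
            taint[addr] += amt * fraction
    return dict(taint)


def follow_peel_chain(ledger, origin, peel_max=0.3):
    """Walk a peel chain from `origin`.

    A hop is a single-input, two-output transaction whose smaller output
    (the peel) is at most `peel_max` of the total; the larger output is the
    change that carries the bulk forward. The walk stops at the first hop
    that breaks the pattern, e.g. a transaction that mixes in other inputs.
    Returns (hops, last_change_address).
    """
    idx = spend_index(ledger)
    hops, current = [], origin
    while True:
        spends = idx.get(current, [])
        if len(spends) != 1:
            break
        tx = spends[0]
        if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
            break
        (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(tx["outputs"], key=lambda o: o[1])
        if peel_amt > peel_max * (peel_amt + chg_amt):
            break
        hops.append((tx["txid"], peel_addr, peel_amt, chg_addr, chg_amt))
        current = chg_addr
    return hops, current


def freeze_candidates(ledger, taint):
    """Addresses never spent from that still hold tainted value: the points
    at which a freezing or disclosure order could still reach the funds."""
    idx = spend_index(ledger)
    return {addr: round(amt, 8) for addr, amt in taint.items()
            if amt > 0 and addr not in idx}


if __name__ == "__main__":
    hops, end = follow_peel_chain(LEDGER, "thief_a")
    for txid, peel, peel_amt, chg, chg_amt in hops:
        print(f"{txid}: peeled {peel_amt} to {peel}, {chg_amt} carried on to {chg}")
    print("chain breaks after", end)
    taint = trace_taint(LEDGER, "thief_a", 10.0)
    print("still holding tainted funds:", freeze_candidates(LEDGER, taint))
```

The peel-chain walk is a heuristic and deliberately stops at t5, where the thief combines the remaining balance with unrelated funds; from that point the proportional taint model is what tells an investigator how much of the 9.0 arriving at the exchange deposit address is traceable to the theft, which is the figure a Bankers Trust or freezing application would need to particularize.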

Worldwide freezing orders are also not particularly helpful
where the fraudsters are anonymous and operate in foreign (and
non-friendly) countries, particularly once stolen crypto currency
has been dissipated.

A significant issue in all these cases is whether relief can
effectively be obtained where the unknown defendants or innocent
intermediaries such as cryptocurrency exchanges have no connections
to Canada. Under Canadian law for a court to assume jurisdiction,
there must be personal jurisdiction (also known as territorial
competence) over the defendant. For the common law under the
Supreme Court case Club Resorts Ltd. v. Van Breda, 2012
SCC 17, various presumptive connecting factors are applied to
determine if there is personal jurisdiction over a person. There is
also a framework for identifying new factors. One of the
presumptive connecting factors is a tort committed in the
jurisdiction. For cases of fraud committed in a Canadian province,
the test is likely to be met. For blockchain based cryptocurrencies
there is a question as to where the situs of the asset or tort may
be. This has not yet been resolved in Canada. Two U.K. decisions,
however, have suggested that the lex situs of a crypto asset is the
place where the person or company who owns it is domiciled.31 This
would often be enough for a Canadian court to assume personal
jurisdiction over a perpetrator of a fraud. However, in a
complicated case the courts might struggle as did the U.K. courts
in the AA v Persons Unknown, Ion Sciences, and Fetch cases.

The more challenging issue is when a Canadian court will grant a
remedy against a foreign based defendant or innocent third party
such as a cryptocurrency exchange. As
the Equustek case confirmed, common law courts
can make worldwide orders against defendants (depending on the
cause of action). Orders can also be made against innocent
intermediaries who get “mixed up” in the tortious or
other wrongful acts of others. However, Canadian courts are often
reluctant to exercise their enforcement jurisdiction outside of
Canada.32 There will likely,
therefore, be cases where the courts will have to decide how far
they can go in making extra-territorial orders. There will also be
cases where even if orders are made, or are made on terms that
protect foreign entities (such as the
“Babanaft” Mareva injunction
orders),33 the orders will
not be immediately enforceable or be enforced by foreign
courts.

The upshot of all of this is that if you or your clients are
subject to a loss of crypto assets stored on a public blockchain,
or paid out as a ransom in a ransomware attack, there are things
you can do to try and recover them, but you must act quickly and
with the right team. You will need a good forensic blockchain
investigator – some of the leaders in this area are being used
repeatedly in these cases. You will need to move very quickly to
obtain a proprietary tracing and constructive trust injunction,
Norwich and Bankers Trust disclosure orders, a worldwide Mareva
injunction, and an anonymity
and evidence sealing order. You will also need to reach out to
crypto currency exchanges or other entities that are holding
transferred assets to get their cooperation. You will also need
foreign counsel ready to help get a Canadian order enforced in
foreign jurisdictions. You will also need to be lucky.

This article was first posted on www.barrysookman.com.

Footnotes

1.  I would like to thank
the research assistance of Ella Hantho, an Articling Student with
McCarthy Tetrault and the usual fabulous research help from
McCarthy Tetrault’s research librarians and especially Martha
Stortz, Susan Caird and Jason Wong. Thanks also to Ana Badour for
reviewing and providing some comments on a prior draft of this post
(errors, if any, of course, are all mine.)

2.  Mike Orcutt, “Once
hailed as unhackable, blockchains are now getting hacked” (19
February 2019), online: MIT Technology Review (https://www.technologyreview.com/2019/02/19/239592/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/)
(“Orcutt”)

3.  Nils Amiet,
“Blockchain Vulnerabilities in Practice” (26 March 2021)
2:2 Digital Threats Research and Practice, online: (https://doi.org/10.1145/3407230)
(“Amiet”)

4.  Victor Tangermann,
“Blockchains Were Supposed to Be “Unhackable.” Now
They’re Getting Hacked” (17 May 2021), online: Futurism
(https://www.futurism.com/blockchains-unhackable-getting-hacked)
(“Tangermann”)

5.  Xiao Yi, et al,
“Diving Into Blockchain’s Weaknesses: An Empirical Study
of Blockchain System Vulnerabilities” (23 October 2021)
[unpublished, archived at Cornell University arXiv.org, online: (https://arxiv.org/abs/2110.12162)]

6.  Ontario Securities
Commission, “QuadrigaCX: A Review by Staff of the Ontario
Securities Commission” (14 April 2020), online: (https://www.osc.ca/quadrigacxreport/)

7.  (unreported) 21 December 2020 (Eng. Commercial Court) (“Ion
Sciences”)

8.  Saurabh Singh, A.S.M.
Sanwar Hosen, and Byungun Yoon, “Blockchain Security Attacks,
Challenges, and Solutions for the Future Distributed IoT
Network” (26 January 2021) 9 IEEE Access 13938-13959,
online:(https://doi.org/10.1109/ACCESS.2021.3051602)
(“Singh et al”)

9.  Tangermann
(supra)

10.  Jake Frankenfield,
“Mt. Gox” (25 March 2021), online: Investopedia (https://www.investopedia.com/terms/m/mt-gox.asp);
Cameron Keng, “Bitcoin’s Mt. Gox Goes Offline, Loses $409M
– Recovery Steps and Taking Your Tax Losses” (25 February
2014), online: Forbes (https://www.forbes.com/sites/cameronkeng/2014/02/25/bitcoins-mt-gox-shuts-down-loses-409200000-dollars-recovery-steps-and-taking-your-tax-losses/?sh=5e5c7b6d5c16)

11.  Estevao Costa,
“The Benefits and Vulnerabilities of Blockchain Security”
(19 October 2021), online: CENGN (https://www.cengn.ca/information-centre/innovation/the-benefits-and-vulnerabilities-of-blockchain-security/)
(“Costa”)

12.  BlockFi,
“Incident Report” (14 May 2020), online: (https://blockfi-s3-static-prod.s3.amazonaws.com/pdf/Incident+Post+Mortem%2C+May+14%2C+2020.pdf);
These articles discuss the steps BlockFi took following the breach:
Paddy Baker, “BlockFi Says Hacker SIM-Swapped Employee’s
Phone, No Funds Were Lost” (19 May 2020), online: CoinDesk (https://www.coindesk.com/markets/2020/05/19/blockfi-says-hacker-sim-swapped-employees-phone-no-funds-were-lost/);
Robert Anzalone, “BlockFi Hires New Chief Security Officer
After Last Month’s Hack” (16 June 2020), online: Forbes
(https://www.forbes.com/sites/robertanzalone/2020/06/16/blockfi-hires-new-chief-security-officer-after-last-months-hack/?sh=242bc5354c57)

13.  Joseph Cox,
“Hackers Plan to Use Stolen Cryptocurrency Exchange Data for
SIM Swapping” (2 June 2020), online: Vice (https://www.vice.com/en/article/n7wnvb/hackers-coinsquare-data-bitcoin-sim-swapping);
iZoologic, “Inside Job – Coinsquare Data Theft Facilitated by
Former Employee” (2 June 2020), online: iZoologic (https://www.izoologic.com/2020/07/02/inside-job-coinsquare-data-theft-facilitated-by-former-employee/);
JD Alois, “Coinsquare CEO Responds to Data Breach” (10
June 2020), online: Crowdfund Insider (https://www.crowdfundinsider.com/2020/06/162583-coinsquare-ceo-responds-to-data-breach/);
This article explains how SIM swapping is being used to by hackers
to gain access to personal information and cryptocurrency wallets:
Joseph Cox, “Hackers Are Breaking Directly Into Telecom
Companies to Take Over Customer Phone Numbers” (1 October
2020), online: Vox (https://www.vice.com/en/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh)

14.  For more detail about
the Poly Network hack and a technical analysis of how exactly the
hack occurred and the inherent vulnerability of the cross-chain
protocol, see: Mudit Gupta, “Poly Network Hack Analysis -
Largest Crypto Hack”(11 August 2021), online
(blog): Mudit Gupta’s Blog (https://mudit.blog/poly-network-largest-crypto-hack/);
Mudit Gupta and Laura Shin, “Why did the Poly Network Attacker
Return Half the Money They Stole” (13 August 2021), online
(podcast): Unchained Podcast  (https://unchainedpodcast.com/why-did-the-poly-network-attacker-return-half-the-money-they-stole/);
Harry Robertson, “Poly Network says all $610 million stolen by a
hacker has been returned after Tether released the final $33
million” (27 August 2021), online: Markets Insider (https://markets.businessinsider.com/news/currencies/poly-network-hack-610-million-tether-mr-white-hat-defi-2021-8);
Sumejja Muratagic-Tadic, “Tether Frozen in Poly Hack Return to
Owners, Fueling Centralization Debate” (26 August 2021),
online: Cryptonews.com (https://cryptonews.com/news/tether-frozen-in-poly-hack-returned-to-owners-fuelling-centr-11569.htm)

15.  US, Securities and Exchange Commission, Report of
Investigation Pursuant to Section 21(a) of the Securities Exchange
Act of 1934: The DAO, Release No. 81207 (25 July 2017), online: (https://www.sec.gov/litigation/investreport/34-81207.pdf)

16.  Costa
(supra)

17.  Singh et al
(supra)

18.  Orcutt
(supra)

19.  Amiet
(supra)

20.  Singh et al
(supra); Orcutt (supra); Amiet
(supra)

21.  Singh et al
(supra); Orcutt (supra); Amiet
(supra)

22.  These are described in Singh et al (supra); see also: Orcutt
(supra) and Amiet (supra). See also, Xiaoqi Li et al, “A Survey on
the Security of Blockchain Systems”, Future Generation Computer
Systems, Volume 107, June 2020, Pages 841-853, online: (https://www.sciencedirect.com/science/article/abs/pii/S0167739X17318332)

23.  Nicole Smith, “Quantum’s Potential Impact on Blockchain
Computing” (August 2020) ISSA Journal 12-16, online: (https://cdn.ymaws.com/www.members.issa.org/resource/resmgr/journalpdfs/feature0820.pdf);
Joseph J. Kearney, Carlos A. Perez-Delgado, “Vulnerability of
blockchain technologies to quantum attacks” (July 2021) 10
Array 100065, online: (https://doi.org/10.1016/j.array.2021.100065)

24.  As an example, see Netcoins Inc. (Re), 2021 CanLII 113607 (MB
SEC)

25.  (unreported) 21 December 2020 (Eng. Commercial Court) (“Ion
Sciences”)

26.  According to the
Court:

If the hearing were to be held in public there is a
strong likelihood that the object of the application would be
defeated. First of all, there would be the risk, if not the
likelihood, of the tipping off of persons unknown to enable them to
dissipate the Bitcoins held at the second defendant’s account
with Bitfinex, the real possibility of reprisal or revenge cyber
attacks on either the Insurer or indeed the Insured Customer by
persons unknown, the possibility of copycat attacks on the Insurer,
and/or the Insured Customer and the revealing of confidential
information considering the Insurer’s processes and the Insured
Customer’s systems which will be necessary on this application,
in circumstances where the vulnerability of those very systems form
the basis for the blackmail itself. Ultimately, the applicant
contends it is necessary for the court to sit in private to secure
the proper administration of justice…

I am satisfied that this is an appropriate case for the
hearing to be heard in private, as I indicated at the start of the
hearing saying I would give reasons in due course. My reasons are
given now. First of all, I am satisfied for the purpose of CPR
39(3) that publicity would defeat the object of the hearing. It
would potentially tip off the persons unknown to enable them to
dissipate the Bitcoins; secondly, there would be the risk of
further cyber or revenge attacks on both the Insurer and the
Insured Customer by persons unknown; there would be a risk of
copycat attacks on the Insurer and/or the Insured Customer and I am
satisfied that in all the circumstances it is necessary to sit in
private so as to secure the proper administration of
justice.

27.  For a summary of the case, see Scott Nodder, “Proprietary
Injunction and Bankers Trust Order made in fraud case involving
crypto currency” (3 April 2021), online (blog): Womble Bond
Dickinson (https://financialinstitutionsnews.com/2021/03/04/proprietary-injunction-and-bankers-trust-order-made-in-fraud-case-involving-cryptocurrency/);
Ben Packer, Michael Munk and Rose Lynch, “In Ion Sciences, the
English courts take a traditional approach to determining governing
law and jurisdiction in a dispute relating to cryptoassets”
(19 March 2021), online (blog): Linklaters (https://www.linklaters.com/en/insights/blogs/fintechlinks/2021/march/the-english-courts-take-a-traditional-approach-to-determining-governing-law-and-jurisdiction)

28.  Equustek at para. 31

29.  Alberta Treasury Branches v. Leahy, 2000 ABQB 575

30.  Equustek at para. 33 citing Aetna Financial Services Ltd. v.
Feigelman, [1985] 1 SCR 2, 1985 CanLII 55 (SCC)

31.  Ion Sciences (supra); Fetch.ai Ltd and another v Persons
Unknown Category A and others, [2021] EWHC 2254 (Comm)

32.  R. v. Hape, 2007 SCC 26

33.  Babanaft International v. Bassatne, [1990] Ch. 13 (C.A.)
