news
The role of tracing in digital asset disputes
Digital assets have arrived and are here to stay. On-chain assets such as cryptocurrencies and Non-Fungible Tokens (‘NFTs’) have quickly become a discernible and popular investment category. Both are susceptible to hacking. As digital assets proliferate, we have seen a corresponding growth in their misappropriation.
According to research performed by blockchain data platform Chainalysis, it is estimated that 2022 was the worst year yet for the hacking of cryptoassets, with approximately $3.8 billion worth of cryptocurrency stolen worldwide. That is the reported figure. The real figure could be significantly higher. In this article, we take a look at how the market and the law in the UK are developing to help the victims of fraud to protect and trace their digital assets.
Prevention is better than cure
Recovering stolen digital assets, or obtaining compensation, is fraught with difficulty. As such, taking steps to prevent infiltration and expropriation is crucially important. In particular, private key details should be carefully protected. Digital assets can be stored in ‘cold’ storage wallets (which are not connected to the internet) or, alternatively, in a hardware wallet that has an encrypted private key. These methods offer a trade-off between maximizing security on the one hand and hindering the ease with which owners can deploy their assets should they wish to do so on the other.
There are service providers based in the UK dedicated to safeguarding data for the purpose of digital asset recovery. Nemean Services, for instance, operates its RaaS (recovery as a service) for institutional investors in cryptocurrency, typically acting as a trusted third party for clients alongside their choice of crypto custodian, placing private keys or shards in cold storage and providing regular audits and data integrity checks.
If quick dealing is desirable then it may be preferable to keep the asset on an exchange. If private keys or digital assets are to be kept on an exchange, however, careful due diligence should be performed in respect of the security features of the exchange. Terms and conditions should be checked to establish what rights of redress there may be if breaches of security occur.
If the worst happens, recent court decisions have shown that in order to take effective steps towards recovery, it is crucial for victims to act quickly.
Fraud example
How an individual or institution may be affected by digital asset fraud is perhaps best illustrated by a fictitious example. John, who lives in England, owns an NFT of a piece of art, which he holds in a digital wallet on a peer-to-peer NFT marketplace. A fraudster hacks into John’s wallet and removes his NFT, transferring it to his own wallet. When John next checks his wallet, he discovers his NFT is gone.
What should John do? He should immediately instruct lawyers and digital forensic/tracing experts. Such experts have the skills and software that provide the greatest chance of locating the NFT and building the case against the fraudster(s). On the face of it, blockchain technology aids this process by providing an immutable, public record of all transactions. The general rule with cryptocurrencies or other digital assets, as with traditional tracing, is to ‘follow the money’, linking transactions and addresses to individual actors.
Tracing service providers
There are a number of digital/forensic tracing experts in the market. Mitmark Intelligence, for instance, specialises in corporate intelligence, crypto-asset recovery and information risk assurance, focusing on legal and cryptocurrency work, with services ranging from fraud investigation to due-diligence vetting and the retrieval of digital funds.
Use of a tracing report
If the tracing exercise results in the discovery of a public key address which is hosted by a third party (typically an exchange), John can seek the Court’s assistance by applying for a Bankers Trust Order (‘BTO’) or Norwich Pharmacal Order (‘NPO’). Such orders (assuming compliance) would compel a third party to provide information in order to further the process of identifying and prosecuting a claim. For instance, exchanges typically have Know Your Customer (‘KYC’) information and other data from their clients to satisfy Anti-Money Laundering (‘AML’) regulations.
A BTO or NPO might help ascertain who owns the wallet in which John’s digital assets are stored. If their identity can be reliably established, other measures such as a freezing injunction may also be available to prevent the suspected fraudsters from dissipating assets.
The aim of the BTO, NPO, freezing injunctions and other procedural remedies is to facilitate the pursuit of a civil claim for recovery of the stolen asset and/or to obtain compensation for its loss.
Court are assisting victims
Recent decisions illustrate the English courts’ commitment to assisting victims of crypto-asset fraud and willingness to be pragmatic and innovative. Service has, for example, been permitted (at times exclusively) by NFT airdrop, and the courts have engaged substantively in providing remedies to victims that are tailored very specifically to factual circumstances.
Courts have also made the legal findings necessary in order to make such remedies possible (such as finding that digital assets constitute property (AA v Persons Unknown [2019] EWHC 3556 (Comm)) and are capable of being the subject of a trust (Ruscoe v Cryptopia Ltd (In Liquidation) [2020] NZHC 728). It remains to be seen, however, how effective these measures ultimately are.
The end of the beginning
Let us suppose that John has obtained a BTO. This results in the disclosure of key information about the identity of those involved in the fraud. What then? We have reached the end of the beginning. John then has to assess whether it is in his interests to pursue a civil claim: against whom? Where are they located? What are the costs? How long will it take? If he obtains a judgment, can he enforce it? Might he involve funders and/or insurers? Such questions can be addressed another day in another article.