The perils of suing crypto exchanges after ransomware attacks

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.


In October 2019, unknown hackers infiltrated a Canadian insurance company by installing the malware BitPaymer, which encrypted the firm’s data and IT systems. The hackers demanded a ransom of $1.2 million be paid in Bitcoin (BTC) in return for the decryption software needed for the firm to regain access to its systems. 

The firm’s United Kingdom-based insurer — known only as AA — arranged to pay the BTC ransom, and the firm’s systems were back up and running within a few days. Meanwhile, AA started the process of seeking legal avenues to recover the BTC obtained by the hackers. It engaged the blockchain investigations firm Chainalysis, whose investigations revealed that 96 of the 109.25 BTC paid had been transferred to a wallet linked to the Bitfinex exchange.

So far, this story is (unfortunately) far from unusual. Bitcoin accounts for the vast majority of ransomware payments due to its anonymity, accessibility (making it easier for victims to pay the ransom) and verifiability of transactions (allowing criminals to confirm once payment has been made). What is unusual about this story, however, is that it sparked a 14-month-long legal battle between AA and Bitfinex, one that only recently concluded after AA discontinued its claim against Bitfinex in the U.K. High Court.

Having traced the stolen BTC to Bitfinex’s platform — and with the identity of the hackers still unknown — AA started its litigation against Bitfinex in December 2019. Again, this is not unusual: U.K. courts have a wide range of remedies at their disposal to assist victims of fraud in trying to recover their assets. In instances where banks, exchanges or other intermediaries may find themselves unknowingly receiving or holding misappropriated or stolen assets, victims of fraud have been able to rely on:

  • Norwich Pharmacal orders, which require a third party to disclose certain information to the applicant that will assist in recovery efforts. In this context, the information would be the identity of the wallet holder to which the BTC was traced, and/or details of any other transactions involving the BTC since receipt by the wallet linked with the exchange.
  • Freezing orders that prevent defendant…

Source…