Cyber criminals have been exploiting the ‘privacy’ features of crypto-assets to target businesses and individual accounts to steal and unlawfully demand the transfer of crypto-currencies through ransomware attacks. In addition to the distinctive features of cryptocurrencies which gives cyber criminals a false sense of anonymity, the rapid rise in cryptocurrency fraud and ransomwares are also the product of very lax or non-existent international regulation. In 2020, 57.9% of the organizations in the UK and 78.5% in the USA were affected by a ransomware. The targets of major ransomware attacks in 2021 included Colonial Pipeline and JBS meat processing in the US, Health Services Executive in Ireland and Hackney Borough Council in England. The business types targeted is an indication of the threat to critical national infrastructure. Some ransom demands are made in fiat currency while others are in cryptocurrencies. The average ransom paid by medium sized organizations was US$170,404 and the average costs to rectify and respond to a ransomware was US$1.85 million.
International and Government Response
Prior to the creation of the Ransomware Task Force in December 2020, there was no coordinated effort among states and the private and public sector to tackle the serious and growing threat from ransomware attacks.
Equally problematic is the lack of clarity on the legality of paying ransom / ransomware demands.
England and Wales
The payment of a ransom is not illegal in England and Wales provided they are not paid to or have any association with terrorist groups (s. 15 (3) Terrorism Act 2000), persons subject to economic sanctions or used to finance a criminal act and there is nothing illegal about the contracts between the parties. The National Cyber Security Centre in their guidance on mitigating malware and ransomware attacks emphasised that law enforcement does not encourage, endorse or condone the payment of ransom demands.
United States of America
The US has not outlawed the payment of ransoms but have issued an advisory on potential sanctions risks for facilitating ransomware payments. The advisory warned that companies including insurance firms, financial institutions and those specialising in digital forensics and incident response that facilitates the payment of ransom may risk breaching OFAC Regulations. These companies are encouraged to contact the relevant government agencies if they reasonably believe that the person making the ransom demand may be sanctioned or in connection with sanctioned individual or entity.
France has unofficially declared their refusal to pay ransomware demands. Consequently, AXA insurers in France announced they would temporarily halt writing cyber insurance with a clause to indemnify customers for ransom paid.
Efforts to recover cryptocurrency?
- Seizure / Recovery of cryptocurrency
Bitfinex: The authorities in the US have been able to successfully trace and recover crypto-assets stolen or paid for ransom. The most recent is US$5bn worth of stolen bitcoin seized by the US Department of Justice reported on Tuesday (08/02/2022). The bitcoin was stolen in 2016 after hackers breached the Bitfinex cryptocurrency exchange. The money was then transferred to digital wallets said to be operated by a couple in New York. At the time, the bitcoin valued about US$71 million but its current value is upwards US$5 billion. Various methods were employed by the couple to launder about US$25, 000 of the bitcoins. The couple will be charged for federal crimes of conspiracy to defraud the US and conspiracy to commit money laundering.
The length of the probe (5yrs) and the coordinated efforts of investigators from across the U.S and Germany highlights the resources governments and private investigators are willing to invest to ensure cyber criminals are not allowed to steal and launder cryptocurrencies gained unlawfully.
Colonial Pipeline: The authorities were also able to recover some of the cryptocurrencies paid as ransom by Colonial Pipeline Company following a ransomware attack in 2021. Colonial paid the cyber-criminals US$4.4 million in cryptocurrency to release the system, which they made a claim to recover from their cyber insurers. The U.S authorities recover US$2.3 million of the ransom.
AA v Unknown and others :The claimants were UK insurers whose customer, a Canadian insurance company computer system was hacked and encrypted. A ransom demands of US$950,000 in bitcoins to a specific address was made by the hackers. The Claimants agreed to pay the ransom. Some of the money was transferred into fiat currency while 96 bitcoin was sent to an address linked to an exchange operated by the 3rd and 4th defendants. The first Defendant was the persons unknown who made the demand. The second Defendant was the owner / controller of the 96 Bitcoins. The insurers retained the services of an incident response company that specialises in the negotiation of crypto currency ransom payments to negotiate with the hackers to regain access to the customer’s data and systems. The ransom was paid but further investigations were carried out by the insurers with the assistance of Chainalysis Inc, a blockchain investigations company who also provides software to track the payment of cryptocurrency. The investigations successfully revealed the location of the Bitcoins, 96 of which was found at an address operated by the 3rd and 4th Defendants while some was transferred to a fiat currency account. The insurers successfully made an application to the High Court for a proprietary injunction over the cryptocurrency. It was held by the court that cryptocurrencies are ‘property’ and could be the subject of a proprietary injunction as they met the four criteria of property; ‘being definable, being identifiable by third parties, capable in their nature of assumption by third parties and having some degree of permanence’. The decision was an adoption of points presented in the Legal statement on cryptoassets and smart contracts by the UK Jurisdiction Taskforce.
ION Science Ltd v Persons Unknown and others: The case concerned the fraudulent inducement of the claimants to make an investment equivalent to 64.35 bitcoin and pay for commission to receive profits from the said investment. The company referred by the Respondent was operating without Swiss authorisation. The bitcoins were transferred to two cryptocurrency exchanges each located in the US and Cayman Islands. The court granted orders against the first Respondent (Persons Unknown) in the form of a proprietary injunction, a worldwide freezing order and an ancillary disclosure against persons unknown. There was also a Bankers Trust order which could be served on two cryptocurrency exchanges outside of the Jurisdiction.
Remarks: These cases are examples of the instances where cyber-criminal are held responsible for the theft of or laundering of cryptocurrencies. Cyber criminals are subject to the application of money laundering and Terrorism. Crypto-assets illegally acquired can be the subject of an injunction, a worldwide freezing order and seized even if the investigation takes years to complete. Cyber insurance and incident response companies do have an obligation to ensure they are not facilitating the payment of ransoms to terrorists, sanctioned person or governments and their affiliates. The abovementioned orders are methods victims of a cryptocurrency fraud or ransomware attack can use in their effort to recover their crypto-assets. However while these methods have been successful for traceable currencies (Bitcoins and Ethereum), the same may not be very effective to recover non-traceable cryptocurrencies (Monero).
 Institute for Security and Technology, ‘Combating Ransomware A comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force’ (Ransomware Task Force, 2021) < Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force (securityandtechnology.org)> accessed 09 February 2022.
 Serious Crime Act 2007, ss 45- 46.
 Masefield AG v Amlin Corporate Member Ltd  1 Lloyd’s Rep. 509;  1 Lloyd’s Rep. 630 CA
 NCSC, ‘Guidance: Mitigating malware and ransomware attacks’ ( Version 3.0, 09 September 2021) < Mitigating malware and ransomware attacks – NCSC.GOV.UK> accessed 07 February 2022.
 The U.S. Department of the Treasury’s Office, ‘ Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (OFAC, 01 October 2020) < *ofac_ransomware_advisory_10012020_1.pdf (treasury.gov)> accessed 09 February 2022.
 The U.S Department of the Treasury’s Office of Foreign Assets Control.
 Frank Bajak, ‘ Insurer AXA halts ransomware crime reimbursement in France’ (AP News, 06 May 2021) < Insurer AXA halts ransomware crime reimbursement in France | AP News> accessed 07 February 2022.
 BBC News, ‘ Record-high seizure of $5bn in stolen Bitcoin’ (08 February 2022) < Record-high seizure of $5bn in stolen Bitcoin – BBC News> accessed 08 February 2022.
 Josephine Wolff, ‘ As Ransomware Demands Boom, Insurance Companies Keep Paying Out’ (Wired, 12 June 2021) < As Ransomware Demands Boom, Insurance Companies Keep Paying Out | WIRED> accessed 09 February 2021.
  EWHC 3556 (Comm);  2 All ER (Comm) 704.
  EWHC 3556 (Comm);  2 All ER (Comm) 704, paras [12-13] per Bryan J.
  EWHC 3556 (Comm);  2 All ER (Comm) 704, paras [55-61] per Bryan J; National Provincial Bank Ltd v Ainsworth  2 All ER 472, 494 per Lord Wilberforce.
 (unreported, 21 December 2020).