Sam Roberts is a Senior Associate at law firm Cooke, Young and Keidan, with a particular focus on fintech disputes and the application of psychology to dispute resolution. Here he advises on the reality of crypto theft, and how to locate it.
While the recent asset preservation order (APO) over stolen cryptocurrency in Robertson v Persons Unknown is encouraging for businesses dealing in cryptos, businesses must know what they are up against in trying to trace stolen cryptoassets. Businesses accepting payment in cryptos should also be aware of what they might be in for if they get tangled up in frauds.
The English Court has always been a friend to victims of fraud trying to trace their stolen assets. Worldwide freezing and disclosure orders are invasive tools that can give victims wide-ranging access to information and put recalcitrant respondents in prison. The Court has shown itself to be adaptable and pragmatic in the face of a fraud occurring in a new medium.
Liam Robertson, a sophisticated trader in Bitcoin, was the victim of a spear-phishing attack who lost 80 bitcoin from his wallet, first to a new address and then to an address belonging to the well-known crypto exchange, Coinbase. The Court granted Mr Robertson an APO, which prohibits the onward transfer of the stolen bitcoin.
Robertson should be a stark reminder of the importance of robust security. Unlike with traditional bank payments, there is no stopping payments in cryptos. No one is monitoring the network for fraud or going to compensate victims under legislation. No one will force network users to adopt prudent security standards. For anyone serious about investing in cryptos, private keys, the alphanumeric strings that allow cryptos to be spent, must be guarded with a level of security bordering on paranoia. Equally, however, private keys are irrecoverable once lost, so businesses must learn to balance accessibility and durability.
An even greater technical challenge is what to do if good security isn’t good enough and, as in Robertson, a theft occurs. Tracing through a public blockchain is both easier and much more difficult than a traditional asset-tracing exercise. It’s easier because the ledger of transactions from address to address is immutable and readable by anyone. Browser-based services offer real-time visualisations showing every payment ever made.
A significant caveat to this, however, is the use of tumbling and mixing services. These are effectively laundering operations which will accept a transfer from an address and spin it off into tiny fractions to any number of new destination addresses (unlike bank accounts, anyone can generate any number of new bitcoin addresses at any time – the available number of addresses is in practical terms limitless). Following the WannaCry ransomware attack in 2017, the ransomed bitcoin moved into tumblers and then percolated across the network.
The flipside to this legibility is, of course, anonymity – and it does no good to a victim of fraud if assets can be traced for eternity but never recovered. Currently, the only ways to unmask a crypto fraudster are with luck, or very advanced mathematics.
The luck element involves following stolen cryptos through the blockchain into a legitimate business, ideally a crypto-exchange. Exchanges like Coinbase are, insofar as they provide traditional payment services, regulated. They are obliged by legislation to collect KYC on their customers and this information – names, addresses and photo ID – is highly valuable to victims. However, dozens of retailers now accept payment in bitcoin too. If a fraudster uses stolen bitcoin to pay for goods, then the retailer should have a delivery address and potentially a genuine name. One day, crypto thieves might be caught buying fried chicken and spiced lattés with bitcoin from KFC and Starbucks. Particularly sloppy thieves might even advertise their bitcoin addresses online.
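The tracing exercise described above, as an added example that is not part of the original article: it follows stolen value forward through a ledger until it either reaches an address attributed to a regulated business or scatters through a mixer. The ledger, address names, amounts and attribution labels are all constructed, and the address-to-address model is a simplification of real chain data.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per bitcoin

# Constructed ledger in chronological order: (sender, receiver, satoshis).
# A simplified address-to-address model, not real chain data.
LEDGER = [
    ("thief_1", "exchange_deposit", 6 * SAT),
    ("thief_1", "mixer_in", 4 * SAT),
] + [("mixer_in", f"fresh_{i:03d}", 2_000_000) for i in range(200)]

# Hypothetical attribution labels for addresses run by regulated businesses.
KNOWN_SERVICES = {"exchange_deposit": "exchange holding KYC records"}


def trace(ledger, theft_address, stolen_sats, known_services):
    """Follow stolen value forward through the ledger.

    Returns (arrived, loose): satoshis that reached each labelled service,
    and satoshis still sitting at each unlabelled address.
    """
    tainted = defaultdict(int)
    tainted[theft_address] = stolen_sats
    arrived = defaultdict(int)
    for sender, receiver, amount in ledger:
        moved = min(amount, tainted[sender])  # assume stolen value leaves first
        if moved == 0:
            continue
        tainted[sender] -= moved
        if receiver in known_services:
            arrived[receiver] += moved  # a disclosure target, so stop here
        else:
            tainted[receiver] += moved
    loose = {addr: sats for addr, sats in tainted.items() if sats > 0}
    return dict(arrived), loose


def summarise(arrived, loose):
    """Reduce a trace to the figures a recovery team would report."""
    return {
        "btc_at_known_services": sum(arrived.values()) / SAT,
        "btc_unattributed": sum(loose.values()) / SAT,
        "unattributed_addresses": len(loose),
    }


if __name__ == "__main__":
    arrived, loose = trace(LEDGER, "thief_1", 10 * SAT, KNOWN_SERVICES)
    print(summarise(arrived, loose))
```

In this constructed run, the part of the trace that ends at the labelled exchange address is a single thread to pursue, while the part that entered the mixer becomes 200 separate addresses with no attribution.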
The mathematical approach involves probabilistic analysis to map public bitcoin addresses to IP addresses, which in theory means that a fraudster is just one court application against his ISP away from being unmasked. However, these methods have only reached an academic stage so far and require a string of monitoring nodes to have been set up around the globe before the fraud occurs.
The use of mixers can also conceivably be negated through disclosure applications. It is difficult to see a Court wanting to help mixing services much when they positively invite money laundering. There may be jurisdictional issues in enforcement, but equally, presumably no mixer wants to become the next Bestmixer.io, which was shut down by European authorities in May 2019 for facilitating financial crime. Disclosure of this kind is unlikely to identify a fraudster, but it should tell a victim which threads to follow.
What all of this should tell Fintechs is that, in a crypto fraud, information is incredibly powerful to a victim, and even more than in a ‘traditional’ bank payment fraud, claimants will be looking to all manner of businesses for intelligence. Popular exchanges, ISPs, fried chicken outlets and everyone who has so much as glanced at a bitcoin can expect to find defrauded claimants knocking at their doors.
More so than with a bank payment fraud, victims may also be looking to third party ‘enablers’ for compensation. Unlike with banks, public blockchain transactions are irreversible without a private key for the receiving address, or more than 50% of the entire network agreeing to reverse it. It is also impossible to enforce a judgment in bitcoin against a third party – unlike a bank balance, the balance of a wallet isn’t owed to the defendant and cannot be intercepted by the judgment creditor. Together, these might mean that a court order requiring a defendant to return the stolen cryptos might go unheeded. If the third party wrapped up in the fraud turned a blind eye to it (perhaps not that difficult to prove if the third party were a mixing service), then it might find itself liable to compensate the victim in damages, even if it never received the stolen cryptos. These businesses are also likely to be seen by claimants as having “deep pockets”, making them attractive targets.
Altogether, the Robertson case shows that the English Court will not allow cryptos to move in a lawless vacuum. But as positive as it is to see the courts doing their bit, both despite this, and because of it, significant risks exist to businesses operating in this space on the right side of the law.