22 December 2022
Key methods to trace and recover digital assets under Bermuda law
This article gives an introduction to the legal position as well as the procedures that can be undertaken through the Bermuda court in order to trace and recover stolen digital assets, digital assets acquired with stolen funds and digital assets that have fraudulently been sold.
What are Digital Assets?
The Official Bermuda Definition
The definition of "digital asset" under Bermuda's Digital Asset Business Act 2018 ("DABA") is:
"anything that exists in binary format and comes with the right to use it and includes a digital representation of value that –
(a) is used as a medium of exchange, unit of account, or store of value and is not legal tender…
(b) is intended to represent assets…;
(c) is otherwise intended to represent any assets or rights associated with such assets; or
(d) is intended to provide access to an application or service or product by means of distributed ledger technology".
DABA marked the first time that a legislature gave legal meaning to an umbrella term for the many different types of assets that exist in this digital sector as well as the first time a legislature created a legal framework to regulate digital asset businesses, bringing a higher degree of certainty to the sector.
We have previously considered the latest legislative and regulatory developments affecting digital asset businesses in Bermuda which are set to provide further certainty for market participants and mitigation of risks, including (but not limited to) the creation of rules requiring that digital asset businesses actively manage and mitigate cyber risks as well as produce cyber risk returns to the BMA alongside senior management declarations confirming that firms have made accurate disclosures. DABA's enactment has led to an increased number of entities moving to Bermuda to benefit from operating in a sophisticated regulatory environment, which in turn has created a virtuous cycle of higher market confidence and business activity.
Digital Asset Tracing
The three most common crimes committed in relation to digital assets involve:
- Digital asset theft through the hacking of exchange wallets, personal wallets or any other methods of digital asset storage or transfer. Hacks are typically enabled by a failure to use dual and multi-factor identification software to manage the holdings of digital asset business. Insufficient management protocols are also often cited as the problem at a company level. The Bermuda regulator ("the BMA") guards against this by forcing digital asset businesses to disclose business plans and devise safety protocols to protect their clients.
- The acquisition (on-ramping) and trading of digital assets between unknown wallet holders using stolen funds, in an attempt to obfuscate the origin and final destination of the funds. Bermuda solves this problem by applying global AML/ATF standards to digital asset businesses which ensures that digital asset businesses in Bermuda store appropriate KYC information in relation to their clients. This is not the case in most other jurisdictions, whereby the relevant authorities will not know who is behind each wallet.
- Fraudulent entities that are designed to persuade retail investors, usually through advertisements, to participate in schemes that encourage investors to believe that they hold assets that are accruing value. When investors attempt to make withdrawals, their requests are rejected and their holdings are transferred out of the account. In Bermuda this is prevented by the BMA analysing each entity's business plans as well as actively monitoring their business activities to ensure that they only undertake legitimate business activities. The requirement that digital asset businesses produce audited accounts further helps reduce risk to their clients.
In certain cases where stolen digital asset holdings remain on the original platform and the holder can prove to the digital asset provider that they are the rightful owner, the platform's management may be willing to allow the holdings to be 'burned' (locked/disabled) and reissued to the innocent party. Digital asset 'mixing' and 'tumbler' services (such as Tornado Cash) add further complexity by attempting to break the record of transactions and hide the origin of the digital assets that exit the platform. Eventually, the thieves may sell these digital assets for fiat currency (off-ramping).
Centralised exchanges that allow for on-ramping and off-ramping often hold key information that enable successful tracing exercises. There are now numerous digital asset tracing experts that have proven records (as documented in case law) of utilising bespoke blockchain data analytics software and forensic analysis to trace digital assets, even where 'mixing' and 'tumbling' services have been involved.
The use of DLT (and similar technologies) creates a permanent and public record of transactions that digital tracing experts can utilise to determine the ultimate beneficiary account(s) of a digital asset theft. Where a digital asset provider does not use DLT (or similar technologies), the appointment of tracing experts may be of limited use, given there may not be a public ledger of transfers. Disclosure actions may instead be brought directly against the relevant entity.
Who Can Bring Recovery Claims in the Bermuda Courts
As intangible assets, it is certainly arguable that digital assets have no proper/definitive situs. English courts have asserted their jurisdiction to hear claims wherever the owner of the digital assets is domiciled in England and Wales, as confirmed by a raft of English case law since Ion Science Ltd v Persons Unknown (unreported). Applying this precedent in Bermuda, any digital asset owner (or related party) that is domiciled in Bermuda can seek a remedy via the Bermuda courts, regardless of whether or not any relevant digital asset businesses that are party to the proceedings are registered in Bermuda. Of course, where a digital asset business registered in Bermuda is involved in a dispute, the Bermuda court is highly likely to accept jurisdiction as the proper forum to hear a claim against that company.
As a matter of private international law and contract law, Bermuda courts generally uphold choice of jurisdiction clauses (as contained in terms of sales) where the parties can be said to have expressly chosen them. The exception to this general rule is where there are public policy grounds to avoid enforcing a choice of law clause. This exception may be useful in circumstances where the digital asset purchaser was not made aware of the digital asset's terms of sale and where a particular jurisdiction was effectively chosen simply to make it more difficult to enforce legal rights against a seller (i.e. the digital asset business or otherwise). Where there is no express governing clause, the Bermuda courts have the discretion to imply a Bermuda law governing clause based off the parties' conduct. Where a governing law cannot be implied, the Bermudian courts still have discretion to determine if Bermudian law is the proper law of the contract (i.e. regulating the rights and liabilities of the digital asset purchase) if Bermuda can be said to have the closest and most real connection to the transaction.
There is also precedent for Bermudian courts to accept jurisdiction in tortious claims (e.g. involving conspiracies) and claims for restitutionary relief (e.g. involving claims for equitable fraud and relief of constructive trust), arising in cases where certain relevant acts took place overseas. Similar claims should also therefore be actionable in the digital asset recovery context.
The Merit of Actioning Recoveries in the Bermuda Courts
The first and most obvious point is the fact that the Bermuda court has a long-standing and respected legal tradition of handling high-value and complex matters with international scope. Equally the Bermuda court has the capacity to cooperate with foreign courts to enable the enforcement of Bermuda judgments in other jurisdictions, wherever necessary. Lastly, the Privy Council's presence as the highest court of the Bermuda judicial system gives litigants further confidence that they will be given due process.
Globally digital asset recovery cases are rare, which is unsurprising given this is ultimately a new and emerging sector. Bermuda is yet to see a publicly reported digital asset recovery case. This fact likely speaks towards the quality of digital asset companies registered in Bermuda and/or potentially a preference for digital asset businesses to settle such claims outside of court, rather than face concurrent disciplining from the BMA and/or public embarrassment. Bermuda courts are likely to view common law precedents as being persuasive and informative when such cases arise, although the Bermuda court already has powers and experience in making court orders with world-wide effect as well as orders against persons unknown, which tends to be the case at the outset of these cases prior to an investigation being completed.
Bermuda's regulatory regime serves to encourage digital asset providers to be responsive to claims, whereby failure to do so may result in regulator action. The BMA has statutory powers to order that Bermuda based digital asset businesses must take certain actions "to protect [the] interest of clients" with failure to comply with any part of such an order resulting in a fine upon conviction on indictment of up to $2 million. The BMA also has the power to freeze certain (or all) of a digital asset provider's accounts, which may also increase the likelihood of a recovery.
DABA requires that licensed digital asset businesses maintain net assets of at least $100,000 (or a higher sum as the BMA may direct if the business's nature, size and complexity warrants it), which must be evidenced annually via the filing of audited financial accounts with the BMA. DABA also requires that all licensed businesses maintain an insurance policy covering the risks of its business (in such form and amount as the BMA instructs). Additionally, where licensees hold client assets, they must also maintain a surety bond, trust account or indemnity insurance (in such form and amount as the BMA instructs) for the protection of their clients. These factors make it more likely that recoveries can be actioned successfully and with greater ease in Bermuda (where they involve DABA Bermuda licensed entities), rather than in other jurisdictions, assuming that the risk/fraud is covered by the aforementioned insurance policies.
The Bermuda courts have powers to make certain orders that can aid recovery pursuits significantly. Notably the orders discussed below can be made without giving the other party notice that the applications were made, in turn decreasing the likelihood that third parties dissipate the assets in question. Common law precedents also confirm that courts have granted service via alternative means (e.g. via email and even via NFTs) in a number of cases, after recognising the urgency of these recoveries whereby digital assets can be transferred away with just a click.
A. Bermuda courts can order world-wide freezing orders
A freezing order is an interim injunction which restrains defendants (including 'persons unknown') and third parties (for example, digital asset custodians/exchanges) from disposing of or dealing with assets in any way. Such orders are often made in respect of vehicles and bank accounts, however they have also been made against digital assets. The Bermuda court can make such orders in respect of assets that are situated abroad.
In order to be granted a freezing order, the applicant must satisfy the Bermuda court that the relevant test under American Cyanamid Co (No 1) v Ethicon Ltd (as applied in Bermuda Cablevision Ltd v David Greene and Others) is met, including (but not limited to) proving that there is a serious issue to be tried and that “the balance of convenience” lies in favour of issuing the order. Failure to comply with freezing orders is a contempt of court which may result in a fine, imprisonment and/or confiscation of the relevant assets. Although the wrongdoers/hackers may currently be unknown, such orders are worthwhile as they bring legal certainty to proceedings once the individuals/entities are identified. These orders also force third parties (including digital asset service providers) to actively aid a claimant's recovery where their platforms are being used.
B. Disclosure Orders are readily available in Bermuda
Where relevant obfuscating transactions are traced to a particular wallet, ordinary discovery orders as well as (if necessary) Bankers Trust disclosure orders and/or potentially Norwich Pharmacal orders (as applied in Bermuda case law) can compel any digital asset holding company that has been identified as the custodian of the wallet to disclose certain payment related information about the account holders, including all of the KYC information they have in relation to those who control the wallets. Failure to comply with such an order is a contempt of court.
C. Service of Bermuda proceedings abroad
Service of court proceedings on parties that are located outside of Bermuda can be straightforward and is well-established under the External Companies (Jurisdiction in Actions) Act 1885. Alternatively a letter of request could be used (amongst other potential legal routes). Undertaking service abroad will be necessary to the extent that actions directly involve parties located abroad and where a wallet is traced to a foreign company's servers.
The Heads of Claim Once Successfully Traced
Where relevant digital assets are successfully traced to an account, then that account can be suspended by way of a court-sanctioned freezing orders in order to prevent dissipation of its value. The identity of the account holder may be disclosed through disclosure orders. Such disclosures are especially likely to be fruitful where they involve Bermuda registered digital asset businesses (for the reasons previously stated).
Once the assets are identified, claims can be brought directly against the relevant digital asset company/custodian/exchange, in whichever country they may be based, seeking compensation for restitution of unlawful gains and for the tort of conversion. If the ultimate beneficiaries are identified, claims for deceit and restitution can be brought directly against these parties to recover the sums due and/or digital assets, plus interest and any expenses incurred in the recovery process (including legal fees).
Pursuing crypto developers directly?
Decentralisation is frequently cited as a key advantage to digital assets however debate has remained as to whether developers are under a duty (or should be compelled) to help investors that have been wrongfully separated from their holdings. Many commentators have remarked that a simple software “patch” would enable victims of fraud, hacks or otherwise to repossess their holdings.
The recent English High Court decision of Tulip Trading Limited v Bitcoin Association for Bitcoin SV (BSV) et al has ended this debate for now as a matter of English law. Falk J rejected the argument that cryptocurrency developers owe a duty of care to holders, largely because it would be a duty with an open-ended scope requiring that developers investigate and address all claims (despite the system’s apparent and intended anonymity) and as such a duty would be impractical given the scope for off-chain transactions. Tulip Trading has been granted leave to appeal this decision to the Court of Appeal, therefore this position may change. Depending on how Bermuda's digital asset regulation develops, this position may be different in Bermuda given that digital asset providers are already required to maintain a sizeable volume of KYC information which could in theory allow them to resolve disputes quickly and easily, excluding cases where off-chain transactions are involved.
As Bermuda becomes home to larger number of digital asset businesses, the logic of bringing digital asset tracing and recovery claims in the Bermuda courts (as opposed to other jurisdictions) will continue to rise given that the Bermuda courts are ultimately best placed to make court orders against Bermuda registered entities and to assist an innocent party's recovery. Bermuda courts also have powers to assist claimants seeking to recover digital assets located on foreign servers. The domicile of the claimant is a relevant consideration in determining where to bring a claim, however the situs of the digital asset provider(s) may be the more important factor. Ultimately, asset tracing investigations should be commenced as soon as possible after an innocent party suspects theft involving digital assets. Applications for world-wide freezing and disclosure orders should be made promptly in order to protect the prospects of a successful recovery.
Carey Olsen Bermuda Limited is a company limited by shares incorporated in Bermuda and approved and recognised under the Bermuda Bar (Professional Companies) Rules 2009. The use of the title “Partner” is merely to denote seniority. Services are provided on the basis of our current terms of business, which can be viewed at: www.careyolsen.com/terms-business