In Hot Pursuit of Stolen Crypto Assets: Risks, Mitigation and Options
This month's guest author is Jessica Lee, Partner at London firm Brown Rudnick, who contributes an insightful article on the legal recourse available in the case of theft of crypto assets.
Crypto and fraud: these two words sadly seem to go hand in hand lately, but how prevalent is crypto fraud, and is the outlook as gloomy as regulators and mainstream media would have you believe?
The Chainalysis Crypto Crime Report 2024 estimates that a total of $24.2 billion in crypto was received into wallet addresses associated with illicit activity in 2023, equating to roughly 0.34% of total on-chain transaction volume. While the figures are staggering, fraud and illicit activities are not unique to crypto; other traditional assets such as cash and art are just as (if not more) likely to be used in fraud and illicit activity, since their movements are patently less traceable and transparent, unlike assets moving on-chain. The frauds and scams that we see in the crypto industry are nothing new either; phishing and ransomware attacks have been around since computers and the internet; fake ICOs, investment schemes and token sales bear striking similarity to Ponzi schemes in nature; and social engineering and romance scams have forever been a feature of human interaction. Perhaps crypto has unfairly gained a bad reputation and is merely a new medium for bad actors to continue to manipulate and exploit individuals and organisations for illicit gain.
In fact, the figures attributable to crypto scams and hacking fell significantly in 2023 compared to prior years. The decrease in crypto fraud may be attributable to the slower crypto market overall in 2022/2023, but could also be the result of better education, mitigation and increased regulation in the area. So how can crypto platforms and exchanges mitigate the risks of falling victim to a crypto fraud and what tools are available to recover assets following a fraud?
Mitigation measures
Crypto firms and platforms are likely to be the target of cyber-attacks, including phishing, ransomware and software exploits, designed to extract funds from the target, often in exchange for releasing funds or data compromised by the attack. In March 2023, the DeFi lending platform Euler Finance suffered losses close to $200m when a hacker exploited a vulnerability within the platform's underlying smart contract functionality.
To mitigate against the risk of such attacks, crypto platforms should prioritise robust security measures, including multi-factor authentication, cold storage for funds, regular security and code audits, and real-time monitoring for suspicious activity. Ensuring there is a strategic response plan in place for when such attacks do occur can also help minimise damage and maximise chances of recovery. At a minimum, crypto firms should ensure their incident response plans include:
Identifying internal points of contact and the immediate IT/security response to contain and mitigate damage and isolate affected systems;
The preservation of evidence and logs;
An escalation process, including instructing potential external cybersecurity, forensic and legal experts whose specialised knowledge can help identify the scope of a breach, assist with mitigation steps, preserve evidence to support subsequent inquiries, investigations or legal action, and formulate appropriate recovery strategies;
Notification obligations: are there any legal or regulatory obligations to notify affected parties or relevant authorities? Data breaches in many jurisdictions will often trigger notification obligations to authorities (e.g., in the UK, to the ICO) and may also prompt public relations considerations.
The FTX saga has also demonstrated a propensity for individuals within crypto exchanges and organisations to commit fraud and misappropriate assets. Crypto organisations should therefore ensure that they maintain robust internal processes and procedures and, staying true to the ethos of blockchain, ensure that control is not improperly concentrated in any one individual who might be able and willing to exploit such control for their own personal gain. The consequences of a fraud being perpetrated by an officer or employee are not just financial or reputational; there may be serious criminal consequences. For example, the UK recently introduced a new corporate offence of failure to prevent fraud under the Economic Crime and Corporate Transparency Act 2023. Essentially, large crypto platforms and firms (meeting certain employee, asset or turnover thresholds) could be held criminally liable if an associated person (including an agent, employee or subsidiary) commits a specified fraud offence, including false statements, fraud by false representation and false accounting. Importantly, the offence has extraterritorial scope: if an employee commits fraud under UK law, or targets UK victims, their employer could be prosecuted even if the organisation and the employee are based overseas. The place of incorporation is therefore irrelevant to the scope of the offence, as it applies to large organisations wherever incorporated or formed.
Crypto platforms should also remain alive to new threats, which in the immediate future are likely to include the use of AI by bad actors to facilitate fraud. In a recent example in Hong Kong, a finance employee was duped by deepfake impersonations of senior executives of the company during a video call and transferred $25 million to fraudsters, believing the transfer to be a legitimate instruction from her superiors.
In hot pursuit of stolen cryptoassets
Even with the best risk mitigation, crypto platforms may still find themselves the victim of a fraud, so what then? Arguably the outlook for recovering misappropriated cryptoassets is more promising in instances of crypto fraud than with other assets, because of the unique traceability and transparency of transactions on-chain. However, time is of the essence, since cryptoassets can literally move at the click of a button. Crypto platforms should move swiftly to identify the movements of stolen cryptoassets, including instructing blockchain analytics firms to assess the whereabouts of the funds and the viability of recovery. For example, while tracing cryptoassets through mixers or tumblers is not necessarily impossible, it can make recovery efforts more complicated and challenging, and having expert assistance in following the on-chain movement of funds is critical to obtaining any necessary legal recourse.
In many jurisdictions, it is possible to obtain court orders freezing stolen cryptoassets in the hands of third-party crypto exchanges whose platforms are used by fraudsters to move and obfuscate the trail of stolen funds. It is also possible in many jurisdictions to obtain disclosure orders against those platforms with a view to revealing the identity of wallet holders and account holders through whom stolen funds have passed. The English courts in particular have demonstrated a willingness and flexibility in assisting victims of crypto fraud and have made a range of novel orders to facilitate the recovery of stolen cryptoassets. In a number of cases, the English court has permitted the service of court orders and claims via the airdrop of an NFT into an unnamed defendant's crypto wallet. In a case in February 2023, the English court sanctioned an ethical hack of a crypto platform that was being used to move cryptoassets stolen in a DeFi hack the year before, in order to facilitate the return of the stolen funds, by permitting the exploitation of an existing smart contract vulnerability on the crypto platform which had recently been identified by white hat hackers.
Conclusion
The upshot is that it is possible to recover stolen cryptoassets following a fraud with the right expert assistance on board: experts who can make a quick assessment of the tools available and the viable routes to recovery depending on the circumstances.
by Jessica Lee