A Virgin Islands-incorporated company recently convinced the Commercial Court to back a novel approach in trying to track down people involved in an alleged theft of digital currency and seek compensation for reputational damage.

In a global first, Commercial Court Justice Adrian Jack recently granted a worldwide freeze order against unnamed defendants identified only by the personal “digital wallets” used in the alleged hack.

ChainSwap provides a service that allows cryptocurrency tokens to be transferred between different blockchains — the ledgers for recording digital financial transactions.

When a user wants to transfer a token, the company redirects it to a “digital wallet” that acts as a vault. The company said hackers manipulated the system twice in one week to hijack cryptocurrency.

Mr. Jack heard the matter on March 15 and continued the freeze injunction he originally granted on Feb. 12. He provided a written judgment at the applicant’s request given the “novel aspects” raised.

Christopher Pease and Megan Elms of Harneys, who are representing ChainSwap, said in a statement that as the VI increasingly serves as a base for financial technology and blockchain companies, digital crimes are becoming more common and will likely make the VI a key jurisdiction for similar rulings in the future.

The ChainSwap decision could be a landmark case that “demonstrates that the BVI, including its courts, are on top of the issues posed by digital asset fraud and offers a variety of tools to overcome them,” the statement said.

Wallet ID

The judge explained that the freeze order is against those “allegedly responsible for cybercrime consisting of the theft of digital assets.”

ChainSwap, he noted, sought permission to serve its claim against those unknown people and requested that the court send a letter to Croatian authorities “seeking the provision of evidence from a cryptocurrency exchange located in Croatia, including information that will identify the unknown defendant or defendants.” During the initial Feb. 17 ex parte hearing, ChainSwap originally sought to sue the unknown people based on their alleged involvement in the theft.

However, the judge said he found it more appropriate to reference the defendants as owners of the unique digital wallets “that are alleged to have been used by the defendants to receive and dissipate stolen tokens.”

The court ruling identifies four such wallet owners, each by a unique identification number. It also names the owner of the email trumanbroughton@gmail.com and “other persons unknown.”

Hijacked tokens

ChainSwap’s computer programme works by taking a token from one blockchain, registering the receipt of the token in the digital vault, and “minting” a new token of equivalent type and value that a user can access through a second blockchain.

The programme keeps a tally of disabled tokens and newly minted tokens to ensure they correspond, the judge explained.

“In July 2021, unknown hackers were able, without authorisation, to exploit vulnerabilities in ChainSwap’s computer programmes and amended the open-source code on which ChainSwap’s bridge operates,” the ruling states.

The document added that digital attacks happened twice, about a week apart. The first time, the alleged hackers sent all the tokens that would have gone to the “vault wallet” instead to their private digital wallets, according to the allegations.

The second time, they allegedly altered the number of new tokens that could be minted. Instead of allowing a one-to-one transfer of disabled and new tokens, the computer programme was allegedly altered to allow “unlimited” new tokens to be issued, according to the judgment.

After that, the hijacked tokens went into two separate digital wallets, the judge stated. He added that some were traded for different cryptocurrency tokens, including tokens linked to the US dollar.

“Quantities of tokens with substantial value were subsequently transferred from these two wallets, some routed via a third wallet, to Tornado Cash, which describes itself as a fully decentralised protocol for private transactions,” the judgment states.

Confusing origins

Mr. Jack explained that Tornado Cash confuses the origin of a token by temporarily holding it and then allowing a user to transfer it out of a different wallet than the original.

Kalo Advisors, the VI firm hired by ChainSwap to track down the token, found 24 transfers of 100,000 DAI — a decentralised currency that attempts to maintain a value of one US dollar — from three different wallets to Tornado Cash on Sept. 5, 2021, according to the judgment.

Less than 24 hours later, Tornado Cash allegedly made 24 transfers of a slightly lesser amount to a fourth wallet. The ruling stated that the difference could be because a small number of tokens went to a “relay wallet” as commission for the service.

“Kalo’s report concluded that it is more likely than not, given the number and size of payments in and out of Tornado Cash and the relatively short time between transfers in and out, that the 24 transfers from the three hacker wallets are linked to the 24 transfers made to the fourth wallet,” Mr. Jack wrote. “In my judgment, ChainSwap has established a good arguable case that this fourth wallet, the wallet that received the tokens from Tornado Cash, was owned or associated with the hackers for the purposes of the application before me.”
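The matching described in the judgment can be sketched in code. The following Python is an added illustration, not Kalo's method or anything taken from the ruling: it flags a recipient wallet when its withdrawals from the mixer equal the suspects' deposits in number, fall just short of the deposit amount, and arrive within 24 hours. The wallet labels, the 99,950 withdrawal amount and the 1 percent fee tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DENOMINATION = 100_000        # DAI per transfer, as reported in the judgment
MAX_FEE_FRACTION = 0.01       # assumed tolerance for the relay commission
WINDOW = timedelta(hours=24)  # "less than 24 hours later"

def link_withdrawals(deposits, withdrawals, suspect_wallets):
    """Return {recipient: count} for recipients whose withdrawals mirror the suspects' deposits."""
    ins = [d for d in deposits
           if d["wallet"] in suspect_wallets and d["amount"] == DENOMINATION]
    if not ins:
        return {}
    first_in = min(d["time"] for d in ins)
    last_in = max(d["time"] for d in ins)
    floor = DENOMINATION * (1 - MAX_FEE_FRACTION)
    per_recipient = defaultdict(int)
    for w in withdrawals:
        in_window = first_in < w["time"] <= last_in + WINDOW
        fee_sized_gap = floor <= w["amount"] < DENOMINATION
        if in_window and fee_sized_gap:
            per_recipient[w["wallet"]] += 1
    # Keep only recipients whose withdrawal count equals the deposit count.
    return {r: n for r, n in per_recipient.items() if n == len(ins)}

def sample():
    """Constructed data: 24 deposits from three wallets, plus unrelated mixer traffic."""
    t0 = datetime(2021, 9, 5, 10, 0)
    suspects = ["hacker-wallet-A", "hacker-wallet-B", "hacker-wallet-C"]
    deposits = [{"wallet": suspects[i % 3], "amount": DENOMINATION,
                 "time": t0 + timedelta(minutes=5 * i)} for i in range(24)]
    deposits.append({"wallet": "unrelated-1", "amount": DENOMINATION, "time": t0})
    withdrawals = [{"wallet": "wallet-4", "amount": 99_950,
                    "time": t0 + timedelta(hours=20, minutes=3 * i)} for i in range(24)]
    # Same amounts, but too few transfers to mirror the deposits.
    withdrawals += [{"wallet": "unrelated-2", "amount": 99_950,
                     "time": t0 + timedelta(hours=6 + i)} for i in range(3)]
    # Same count and amounts, but nine days later, outside the window.
    withdrawals += [{"wallet": "unrelated-3", "amount": 99_950,
                     "time": t0 + timedelta(days=9, hours=i)} for i in range(24)]
    return deposits, withdrawals, set(suspects)

if __name__ == "__main__":
    print(link_withdrawals(*sample()))
```

A match on count, amount and timing only produces a candidate wallet, which is consistent with the report's “more likely than not” wording rather than a proof of ownership.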

In Croatia

This fourth wallet allegedly interacted with a Croatia-based centralised cryptocurrency exchange called Electrocoin that could identify the client’s name and address, the judge stated.

“The pseudonymous nature of crypto ownership means that whilst bad actors can hide behind obscurity, if and when their real identity is revealed, all transactions associated with them will be laid bare,” the Harneys lawyers wrote in a joint statement, adding, “Obscurity can be a hacker’s greatest asset; revealing their identity their greatest weakness.”

Increasingly a base for companies dealing in digital assets, the VI has had to adapt quickly to facilitate innovation in the digital currency realm.

In 2020, the Financial Services Commission announced new guidance on the regulation of virtual assets in the territory.

The “regulatory sandbox” adopted that same year aims to enable companies to test out new models for fintech businesses within a supervisory framework.

And in March, the FSC announced that an Asian exchange focusing on digital securities has been admitted to the territory’s list of recognised exchanges.

Reputational damage

ChainSwap is seeking compensation for the reputational damage caused by the attacks.

“The tokens that were misappropriated following the hacking incidents were not owned by ChainSwap,” the judge wrote. “However, ChainSwap claims that the actions taken by the hackers have damaged its reputation and caused it to suffer loss, including loss of income due to confidence in the security of the cross-chain bridges being undermined.”

He noted that the company compensated users and projects affected by the hacks and is making a claim, at minimum, for the amount it compensated.

‘Good arguable case’

He added that he found a “good arguable case” for the claim. The respondents have not yet made an appearance in the court proceedings, Mr. Jack stated, and the claim for the freeze remains uncontested.

“There is an obvious risk of dissipation if no freezing order is granted,” he said, adding that ChainSwap is also starting investigations in other jurisdictions “in hopes of speeding up the recovery process.”