The article argues that a court’s willingness to come up with new ideas is welcome when cybercrime grows more complicated and international.

International fraud committed by computer hackers is clearly a major headache for wealth managers and holders of great wealth, wherever they are, be it Asia, Europe, North America and other regions. The following article looks at some legal cases in the UK. Given the international nature of the matter, we hope readers in other regions finds these insights useful. They come from James Granby, associate, and Julie Engwirda, partner, in the litigation, restructuring and insolvency practice at Harneys, the law firm. 

The editors are pleased to share these views and hope they encourage debate. The usual disclaimers apply. To comment, email tom.burroughes@wealthbriefing.com and jackie.bennion@clearviewpublishing.com 

Recent years have seen a remarkable rise in the frequency and sophistication of international cyber fraud. In September 2019, the FBI estimated that some $25 billion had been lost to ‘business email compromise’ (BEC) fraud in over 165,000 attacks. The borderless, anonymous nature of modern cybercrime has forced Courts across the common law world to adopt innovative solutions for tracing stolen assets and identifying perpetrators. The judgment of HHJ Waksman QC in CMOC Sales & Marketing Limited v Persons Unknown [2018] EWHC 2230 (Comm) is an example of how a flexible and technologically savvy approach can assist in the fight against online fraud.

The background to the case illustrates the complexity of BEC fraud schemes. An unknown attacker gained control of the email account of a director and authorised signatory of CMOC. This allowed the attacker to send fake emails and forged payment instructions to the company’s bank, leading to the theft of $8 million from CMOC’s London bank account. However, identifying the perpetrators of the fraud was no easy matter.

From the outset of the proceedings, the court took an admirably bold approach. At the first hearing, which took place a mere 10 days after the fraud was initially uncovered, HHJ Waksman QC granted an interim worldwide freezing injunction against “persons unknown”, i.e. with no named defendant. This was believed to be the first instance of such an order having been made, with the court being satisfied that the grounds for granting injunctive relief had been made out. 

At the subsequent trial, the court confirmed that the jurisdiction to make a worldwide freezing order against persons unknown was “clearly established”. HHJ Waksman QC cited Bloomsbury Publishing Group Limited and JK Rowling v News Group Newspapers Ltd and Others [2003] 1 WLR 1633 in support of the court’s general jurisdiction against persons unknown. He then provided three reasons in favour of extending the Bloomsbury principle to apply to freezing injunctions:

1.    A freezing injunction can often be a “springboard” for ancillary relief in respect of third parties that might be impossible in the absence of a primary freezing injunction;

2.    Vital information is likely to be obtained from banks in particular pursuant to Norwich Pharmacal and/or Bankers Trust applications, which will allow the further identification and investigation of particular defendants; and

3.    There is a parallel to be drawn with injunctions against persons unknown routinely made in the Media and Communications list of the Queen’s Bench Division in the context of data ransomware attacks. The court cited PML v Person(s) Unknown [2018] EWHC 838 (QB) and Clarkson Plc v Person(s) Unknown [2018] EWHC 838 (QB) as recent examples of this.

The Court recognised the need to be responsive in a changing digital landscape: “[This decision] reflects the need for the procedural armoury of the court to be sufficient to meet the challenges posed by the modern electronic methods of communication and of doing business”.

The Court’s decision in CMOC was equally innovative in how it dealt with the issue of service on large numbers of unknown and uncommunicative defendants. As methods of alternative service, the court permitted service using the Facebook Messenger and WhatsApp messaging services, after it was established that several defendants were using these platforms. It was noted that WhatsApp, in particular, had the virtue of showing when a message had been sent and read by its addressee. More widely, the court concluded that it would “consider proactively different forms of alternative service where they can be justified in the particular case”.

The court also permitted the use of another novel method of serving the defendants, including banks caught up in the fraud, with the relevant background evidence that had been used to obtain various interlocutory orders. CMOC proposed a system, which the court approved, whereby the documents would be uploaded to a data room, and service would be effected by sending a link and access code to the relevant party by email or hard copy. The court noted that the bank defendants, in particular, had found this useful.

As a result of the court’s innovative approach, at least 30 individual defendants had been identified by the time of the trial, including the primary perpetrators to whom the funds were initially transferred and a number of other companies and individuals involved in the flow of funds from CMOC. Extensive investigations revealed that the funds were laundered through as many as 50 different banks across 19 jurisdictions. Ultimately the approach adopted by the court enabled CMOC to pursue the fraudsters in circumstances where the identity of the fraudsters was entirely unknown. Had the court required the identification of known defendants before granting the first relief it is likely that CMOC would have been left without recourse, or the inevitable delay in identifying the fraudsters, would have drastically impacted the prospects of successfully recovering the proceeds of the fraud.  

The court’s willingness to adopt an innovative approach is welcome in an age where international cyber fraud continues to grow in complexity and scope. We expect that, following CMOC, a similarly dynamic approach will be followed in other innovative common law jurisdictions such as the British Virgin Islands, Hong Kong, and Australia, in order to ensure that those courts are similarly equipped to meet the demands of the fight against modern cybercrime, and ensure that the perpetrators are pursued.