A Binance hack ends up in London’s High Court

A UK-based Binance user turned to the High Court in London after its Binance accounts were allegedly hacked by unknown persons. The judge pondered over legal questions such as: are crypto-assets ‘property’ under the laws of England & Wales? What is the legal classification of a private key? Which Binance entity should a legal order be served on, especially when its corporate structure is so murky? And where are crypto-assets ‘located’ for the purposes of determining the jurisdiction of an English court and applying the laws of England & Wales?

The facts

A Binance user allegedly lost $2.6 million worth of cryptocurrencies held in its Binance account after a hack in June. The Binance user is Fetch.ai, a Cambridge-based tech company. The crypto-assets held in its Binance account were USDT (stablecoin Tether), BNB (Binance Coin), BTC (bitcoin) and FET (the token issued by the claimant company). The Binance account operated as a trading account, the court said. The hackers allegedly gained access to the Binance account and, unable to take out the crypto-assets, sold them at a significant undervalue to another account controlled by them.

A private hearing was held in July and a transcript of the judgment was released only recently. The judgment is only an interim step in the proceedings: the judge found the claimant has ‘reasonably arguable claims’ that warranted the order to be issued at this point in time. The merits of the case will need to be argued at a later stage.

Claims

The plaintiff applied to the High Court in London to make an order against Binance entities and persons unknown (targeting the hackers and their accomplices), asking for a proprietary injunction, worldwide freezing order and information disclosure order, among other things.

Causes of action (the legal basis for the claims) for which the claimant had ‘reasonably arguable claims’ included breach of confidence and unjust enrichment. The court found the claimant was also entitled to maintain an equitable proprietary claim based upon constructive trust in respect of crypto-assets taken from it dishonestly.

The first category of defendants were ‘persons unknown’. Judge Pelling QC was reluctant to issue the order against this broad category to the extent it could cover innocent third parties receiving the stolen funds. The category was qualified for the proprietary relief claim, narrowing it to those persons unknown who ‘either knew, or ought reasonably to have known’ that the crypto-assets they received belonged to the claimant or at least did not belong to them, the receivers.

The second defendant was Binance Holdings Limited, a Cayman Island entity. Binance Markets Limited (BML), a UK entity, was the third and final defendant. The judge made some comments on the ‘remarkably opaque’ structure of the Binance Group (see below).

Crypto-assets are property

The crypto-assets held in the plaintiff’s Binance account

“are to be regarded as property for the purposes of English law. They are, to put it no higher for present purposes, a chose in action, and a chose in action, as a matter of English law, is generally regarded as property.”

This is not (or no longer) surprising, giving the suggestions of the Jurisdictional Taskforce and earlier case law.

Private key as confidential information

“It is perfectly clear that the key was confidential information because it was supplied to the applicant for the purpose of enabling the applicant to operate its own account,” according to the court.

As the key was ‘confidential information’, the court found claimant reached the evidentiary threshold, for the type of order requested, that the hackers who gained unlawful access to the private key and manipulated the claimant’s accounts breached the duty of confidence.

The judgment does not give any further details as to who held the private key(s) to the crypto-assets in question (Binance, the claimant or a third party?). The court appears to assume the claimant held the private key itself.

Cross-border legal issues: Rome II Convention

If crypto-assets are stolen from a Binance account, where does the crime take place? Which laws should apply and which courts should have jurisdiction?

The court looked at cross-frontier issues and applied the Rome II Convention to the causes of action in the present case.

For the breach of confidence, the court found sufficient evidence, for the purposes of the order sought, that such claim is capable of falling under Art. 4.1 of the Rome II Convention as a tort/delict. England would be the proper place to litigate such claim, the court found, as it is the country in which the damage occurs.

When crypto-assets get stolen from an online account with a crypto-exchange, where does the damage occur? What is the lex situ?

The court relied on the earlier unreported judgement of Butcher J in Ion Science v Persons Unknown (21 December 2020):

“…lex situs of a cryptoasset is the place where the person or company who owns it is domiciled.”

In that earlier case, the judge referenced prof. Andrew Dickinson’s analysis in the book Cryptocurrencies in Public and Private Law. There was the minor complication that there were actually two Fetch.ai entities acting as plaintiffs: one headquartered in the UK and the other one in Singapore. Either way, the court found that England was the appropriate place to litigate.

As to the other potential claims, an equitable proprietary claim (the crypto-assets obtained by fraud result in the fraudulent recipient holding the assets on constructive trust) could also be duly litigated in the English courts: “that, too, is an issue where the English court would have jurisdiction by operation of the Rome II Regulation, either applying Article 3 or Article 10, or possibly Article 11.”

The final cause of action raised by the claimant, unjust enrichment, “plainly comes within the scope of Article 10 of the Rome Convention.”

Binance corporate structure

When analysing whether proceedings could be served on the unknown defendants out of the jurisdiction, the court tried to piece together Binance’s corporate structure:

“[t]he material generated by the Binance Group concerning which entities conduct what business is remarkably opaque.”

The judge concluded that “there is sufficient material online that suggests that Holdings, which is, as I have said, a Cayman entity, is the main parent company within the Binance Group.” According to the court, “it is probable on the information available, or at least realistically arguable, that Holdings is the ultimate holding company for the Binance Group.”

The court found the position of Binance’s UK entity BML “much less clear”. BML was the Binance entity explicitly mentioned by the UK Financial Conduct authority in a warning published in June. The FCA wrote at the time: “Binance Markets Limited [BML] is not permitted to undertake any regulated activity in the UK. This firm is part of a wider Group (Binance Group).”

The court even resorted to a tweet from the official Binance (@Binance) twitter account, which stated that BML “is a separate legal entity and does not offer any products or services via the binance.com website.”

However, the court concluded overall that it is “at least possible” that the Binance accounts of the claimant were not administered by BML but by either Binance Holdings or another Binance entity. Therefore, if the claimant wanted to obtain information from Binance on the hack and the stolen funds, “the best chance of obtaining the information that is needed in order to enable the claimant to advance its claim is likely to come from the second respondent”, Binance Holdings.

Since Binance collects personal data, there is at least “a real prospect that the information sought will lead to the location or preservation” of the stolen crypto-assets. In other words, the fact that the funds were stolen from a centralized crypto-exchange like Binance made it possible to require the exchange to help the claimant reclaim their funds. If the funds would not have gone through a centralized exchange, but a decentralized exchange instead, the analysis would obviously have been different.

Finally, the court found that Binance Holdings and BML “have given mixed messages concerning what they propose to do in relation to an account which they claim to have frozen”. The risk existed that either one would unfreeze the allegedly stolen funds, the court found, which supported the claimant’s request for an order against both the Binance entities and ‘persons unknown’.

Conclusion

The legal questions that the court faced, for this type of order, were not novel. Neither was the court’s overall approach. It builds upon earlier reports (such as the UK Jurisdiction Taskforce, which suggested crypto-assets are property under the laws of England & Wales) and earlier cases.

A few facts remain unclear (was there indeed only one private key, and was it held by the plaintiff rather than Binance, as the judgement seems to suggest?) and the analysis would certainly get more complicated if the funds were no longer held in Binance accounts but were siphoned off through crypto-mixers, for example, or had been sold in decentralized exchanges.

Contact us

Subscribe to our news Letter

Subscribe to our news Letter

Subscribe to our newsletter

Thank you!