My NFT has been stolen, what do I do? : Avoiding Crypto / NFT fraud and theft (Part 2 of 2) - Boodle Hatfield

Your lawyers since 1722

20 Sep 2022

My NFT has been stolen, what do I do? : Avoiding Crypto / NFT fraud and theft (Part 2 of 2)

As we outlined in Part 1 of this 2-Part series, cryptocurrency and NFTs increasingly offer opportunities for scammers to profit from unsuspecting victims.

Often promising large returns with a sense of urgency, and with often little to no information about the creator or seller, crypto assets can offer an opportune vehicle for fraudsters.

In February 2022, over 200 tokens with an estimated value of $1.7 million were stolen from NFT marketplace OpenSea when a fraudster used a fake email purporting to be from the platform itself. A significantly larger attack took place in April 2022, with hackers using a phishing post on Instagram to steal an estimated $3 million worth of high-value Bored Ape Yacht Club NFTs, which frequently sell for six-figure sums.

Blockchain research firm Elliptic estimates that over $100 million worth of NFTs have been stolen in the period January to July 2022.

Part 1 of this series set out some strategies that can be put in place to reduce the chances of falling victim to such frauds. This article explores the options for enforcement where fraud and theft has already occurred.

Instructing your team

It goes without saying that victims should act quickly once they realise an asset has been misappropriated.

Key documentation and evidence should be gathered and provided to the legal team, including crypto wallet information, details of the relevant crypto assets, a timeline of events around the theft of the asset, and copies of all correspondence with the fraudster.

The legal team should have an existing relationship with an expert who can start work in tracing the stolen crypto asset, to figure out what has happened and maximise later chances of recovery. The advantage of the blockchain is that there is a record of where the crypto asset has been moved to, unless it is taken offline and put onto an external hardware device. Even in that scenario, it is usually possible to trace it again when it comes back online.

Who to sue? For what?

The legal team will need to consider who you will bring proceedings against and on what basis. This will usually involve urgently seeking injunctive relief against the fraudster (whose identity will, generally, be unknown), freezing their crypto account to prevent further dissipation of the NFT.

As we set out below, the fraudster will generally be unknown, and so a disclosure order will likely be needed against the crypto exchange, to obtain information about the fraudster which will allow the claim to be brought against them.

Jurisdictional issues

Given that wallets and exchanges are often based outside of the UK (and there is a good chance that the fraudster will also be based overseas), it is important to consider the correct place to bring proceedings. The Courts will normally look to the domicile of the victim. If the victim is resident in England and Wales, then the Courts here seem generally happy to accept jurisdiction of the dispute.

Disclosure orders

As alluded to above, a key issue here is that, generally, the identity of the fraudster will not be known.

Where a claimant wishes to gather information on a wrongdoer who has committed a tort, breach of contract or breach of confidence, an application for a type of 3rd party disclosure order called a Norwich Pharmacal Order (established in Norwich Pharmacal Co. & Others v Customs and Excise Commissioners [1974] AC 133) would usually be made.

This is an equitable remedy used to request that a respondent (usually a company), who has – innocently or not – been mixed up in wrongdoing (eg facilitated or participated in it), provides full information on – including the identity of – the wrongdoer in order to assist the claimant in bringing their claim.

In the Norwich Pharmacal case, the claimant company brought a claim against the Commissioners of Customs & Excise for information on an importer who had breached the claimant company’s intellectual property, but whose details were known only to the Commissioners. Unfortunately, the English and Welsh Courts’ current rules do not currently allow Norwich Pharmacal Orders to be served out of the jurisdiction (although this may change in the near future as crypto litigation develops) and so they are of limited use in NFT fraud cases involving overseas parties.

Crypto litigators have therefore turned to an alternative form of 3rd party disclosure order, and equitable remedy, known as a Bankers Trust Order (established in Bankers Trust Co v Shapira [1980] 1 WLR 1274). Bankers Trust Orders are used where there is strong evidence of fraud and require a party in proceedings to disclose certain confidential information to a claimant to enable it to trace the existence of (and to protect) assets claimed, and where delay might result in dissipation of funds before a case can go to trial.

A claimant must demonstrate a real prospect that the information sought might lead to the location or preservation of assets for which they may make a proprietary claim (i.e. the claim must attach to property). A party applying for a Bankers Trust Order must also give an undertaking not to use the information obtained other than in the course of proceedings.

In the Bankers Trust case, a defendant was required to disclose confidential information on co-defendants, including correspondence and cheques, to enable the applicant to trace assets. Crucially, the English and Welsh Courts allows Bankers Trust Orders to be served out of the jurisdiction.

Most exchanges (should) retain Know Your Client information, or at the very least an email address, for their users. So this information can be sought.

In order to prevent onward transfer of the stolen NFT, a victim should also seek a freezing order against the owner of the wallet in which their NFT is currently held.

Service issues

It is a requirement of the Civil Procedure Rules for claims (and most applications) to be served on a defendant or respondent within a certain period of time. Given that the wrongdoers in an NFT theft or fraud claim are usually Persons Unknown, it is difficult to know where or how to properly serve proceedings/applications.

Where appropriate, the English and Welsh Courts allow for parties to apply for an order for service by alternative means, for example by email. However, the Courts have recently shown willing to allow victims to serve by new means, such as in the case of D’Aloia v (1) Persons Unknown (2) Binance Holdings Limited & Others. In that case, the Court granted an Order permitting service of court proceedings via the transfer of an NFT into crypto wallets (as well as by email).

The key take away must be that it is possible to take steps to find out where your stolen Crypto asset has been moved to. That is the advantage of the blockchain. You should act quickly as soon as you are aware of a fraud or theft.

Did you miss part one?

Cryptocurrency and NFTs increasingly offer opportunities for scammers to profit from unsuspecting victims. In part one of this series, Kellie, Rosie and Alex set out some strategies that can be put in place to reduce the chances of falling victim to such frauds.

Find out more.