Chasing the unknown
Malicious actors in cyber space
30 November 2020
Malicious actors in the cyber space have the ability to cause massive damage from behind a smokescreen. If victims cannot identify the hackers, one might expect that there would be no prospect of legal recourse against them.
Surprisingly, however, a lack of knowledge as to the identity of a cyber-attacker is not necessarily a barrier to relief in English law. Details such as an unidentified fraudster's IP address or a destination bank account may assist Courts in helping claimants to recover funds from a malicious actor. Indeed, where cybercrime is concerned, the Courts have on occasion led with their chins – ordering interim relief in circumstances where such orders can then be used to find out more about the unknown attackers and to seek to recover the stolen proceeds.
Relief against Persons Unknown
World Proteins KFT v Persons Unknown  4 WLUK 35 is the latest in a string of recent cases in which interim relief (and in particular freezing injunctions) has been ordered against unknown online fraudsters, with a view to preventing the dissipation of assets which have been stolen - in this case, by an imposter interposing itself between a company and its supplier's correspondence, causing the company to pay €500,000 into the imposter's UK bank account.
The phrase "Person(s) Unknown" derives from Bloomsbury Publishing Group and JK Rowling v News Group Newspapers Ltd  1 WLR 1633, but, whilst the concept is not entirely novel, the extent of the power granted by it was relatively limited until recently. Further, whilst it provides for potential recourse where a victim does not know the identity of its cyber-attackers, the English Court has been clear to restrict claims against Persons Unknown to claims against those whose description is sufficiently certain that it is clear who falls within the class of Persons Unknown and who does not (Brett Wilson LLP  EWHC 2628).
The seminal development came in the case of CMOC Sales and Marketing Ltd v Persons Unknown  EWHC 2230, in which a worldwide freezing and proprietary injunction was granted against "Persons Unknown". An international commodities business was the victim of a BEC fraud in this case, and approximately 20 payments were made from the company account and were immediately sent to jurisdictions around the world. It was not known who had perpetrated the fraud or who had received its proceeds, but the destination banks and account numbers were known.
Clearly, in this case there was no identified person who could be sued, and there was little prospect of obtaining disclosure from foreign third parties to ascertain the facts. Ultimately, however, CMOC undertook a three-stage process: issuing a claim against persons unknown, obtaining a worldwide freezing and proprietary order against those unknown persons, and then using that order as a springboard to obtain internationally enforceable disclosure orders. Ultimately, and clearly in the absence of the defendants to the action, damages were ordered for the full amount of the loss in the substantive case.
Serving an unknown respondent
In CMOC, the Judge was persuaded that it would be preferable for the Court to "consider proactively different forms of alternative service where they can be justified in the particular case". In Clarkson Plc v Person or Persons Unknown  EWHC 417 (QB), the Defendant had gained unauthorised access to the claimant’s IT systems and threatened to publish information unless a large sum was paid. Following an application for interim relief by Clarkson, the Court was persuaded to exercise its discretion to grant an interim injunction against Persons Unknown and allowed Clarkson to serve the claim form on the email address used by the Defendant to make the blackmail threats.
Digital service of documents is increasing in popularity, and, in particular, the Courts have been willing to countenance new methods of alternative service. The English Courts have, for example, expressed some positivity towards the use of encrypted online data rooms – these save significant costs and time, can be updated regularly, and benefit from allowing the Court direct access to the data room and its contents.
Alternative service can extend to social media, such as WhatsApp and Facebook Messenger. Parties may (and have) apply under CPR 6.15 and Practice Direction 6A for alternative service by social media wherever there is "good reason" for doing so, and this applies as much to unknown respondents as to those whose identities are known. Indeed, as early as October 2009 the English Court allowed a claimant to serve an injunction against an anonymous Twitter user by sending a Twitter direct message containing a link to the injunction, which ordered the defendant to refrain from impersonating the claimant on Twitter.
This is a worldwide movement. The Indian Courts are recently reported to have authorised service by WhatsApp and identified the "double blue tick" function (used to identify a person's having read a message) as an acknowledgement of receipt, and the State Court of Singapore accepted as early as 2016 that an Australian-based games developer could be notified of civil action through Facebook. We can certainly expect further reported cases before the English Court acknowledging alternative service by social media.
More and more, we are seeing a willingness by the Courts to adapt civil remedies to the world of cybercrime and its impact on businesses and their rights in civil proceedings. According to the UK Government's Cyber Security Breaches Survey of 2018, 72% of large UK companies experienced cyber-attacks last year – potential claimants will be pleased to know that despite the opacity surrounding the criminals perpetrating such attacks, they are not entirely without legal recourse. Rather, if they act quickly, they may be able to obtain crucial further information to enable funds or information stolen to be identified and, ultimately, recovered.