Fighting the fraudsters on two fronts

By Sam Roberts and Rosie Wild

In July 2018, we (as part of the team at Cooke, Young & Keidan LLP, led by partner Philip Young) obtained a landmark judgment for our client in a cyber fraud case against ‘Persons Unknown’. Our client, an English subsidiary of a Chinese mining company, had fallen victim to an email phishing attack which allowed fraudsters to transfer £7 million out of our client’s bank accounts and across the globe. We moved quickly to obtain a worldwide freezing injunction (WFO) against persons unknown – who included both the fraudsters on the ‘sending side’, and the owners of the accounts on the ‘receiving side’. One of the immediate difficulties we faced was that we did not know whether the initial recipients were part of the fraud, or innocent third parties caught up in it. Our job was therefore twofold – track down our client’s stolen funds, and find out as much as we could about who received them. We did this by using the WFO as a ‘launchpad’ to obtain disclosure orders (DOs) against the account-holding banks, who became the No Cause of Action Defendants (NCADs), and using the product of the DOs to start naming individuals and companies as fraudster Defendants.

There were a variety of ground-breaking aspects to this case. We’ve structured this article into a section for the legal geeks and another for the tech nerds – so take your pick!

For the Legal Geeks

The story from this angle is how we were able to obtain a Worldwide Freezing Injunction against people whose identity was unknown, how we obtained disclosure orders that were enforceable against overseas banks, and how we were able to obtain urgently a WFO against a person despite not knowing their asset position.


Who stole CMOC’s money?

In October 2017, CMOC learned that over £7m had been stolen from its bank account by way of a sophisticated cyber fraud. Then started the whodunit: the only information available to CMOC at the outset being: (i) the banks that received its money at the first level; and (ii) the payee names associated with those transfers (which, as is known, need not be the name of the person who holds the recipient bank account).

CMOC wanted to freeze the fraudsters’ money, but who was responsible for the fraud and who should the WFO be against? It is already established law that the Court can make orders, including injunctions, against “persons unknown”, the most well-known case in this area being Bloomsbury Publishing and JK Rowling v News Group Newspapers Ltd and Others[2003] EWHC 1205 (Ch) [2003], where a prohibitory injunction was made by Sir Andrew Morritt VC against the unknown distributors of a Harry Potter novel to prevent publication of a manuscript.

The key test for obtaining an order against those whose identity is unknown is to make sure that the description is sufficiently certain as to be able to identify both those who are included and not included in the description. The Court in Bloomsbury said if that test is satisfied, “it does not […] matter that the description may apply to no one or to more than one person, nor that there is no further element of subsequent identification…”.

We structured our initial definition by reference to the information that we did know, i.e. the amounts that were stolen (or were attempted to be stolen), when the fraud took place, and by referring to the (unknown) joint legal or beneficial holders of the bank accounts that received funds directly from CMOC. The bank account information was then listed in a schedule to the Claim Form.

Being able to establish the Court’s jurisdiction in substantive proceedings against persons of unknown identity in this way opens the gateway to obtaining other interim injunctions to be granted against that person, including disclosure orders that may lead to the positive identification of some or all of the fraudsters enabling the pursuit of justice. HHJ Waksman QC (as he then was) at the interim hearing decided that there was “strong reason” for extending the principle and granting a WFO against Persons Unknown, as this can often be a springboard for ancillary relief that can assist to obtain vital information about the fraudsters.


Where has CMOC’s money gone?

As set out above, the only information CMOC knew at first was the names of the banks, the account information associated with the first level of payments, and the payee names associated with those payments.  All of these accounts that received stolen money directly from CMOC were held at banks outside of the jurisdiction in Germany, Portugal, Spain, UAE and Hong Kong.  At the outset, CMOC sought ancillary relief in support of the WFO in the form of disclosure orders against these banks. The problem was that these banks were domiciled overseas…

When one considers obtaining disclosure of this nature from banks, familiar pathways such as Bankers Trust orders, or Norwich Pharmacal orders or the Court’s jurisdiction under CPR 25.1(1)(g) come to mind.  However, CMOC chose not to pursue disclosure under the Norwich Pharmacal route in the light of 2017 judgment of Mr Justice Teare in AB Bank Limited which suggested that the principle in this case did not have extra-territorial effect (and so could not be used to require the foreign banks to disclose the identity of their account holders or the onwards pathway of CMCO’s funds) (AB Bank Limited, Off-Shore Banking Unit v Abu Dhabi Commercial Bank PJSC[2017] 1 W.L.R. 810).

CMOC therefore focused on the Court’s jurisdiction under Bankers Trust v. Shapira. However, this was not a clear path either: Mackinnon v Donaldson[1986] Ch 482 (and subsequent cases following this decision) essentially say that only in exceptional circumstancesshould an English court make an order requiring overseas banks to provide disclosure. The main justification for this being because that bank (or branch of a bank) would be subject to local legal and regulatory requirements which might conflict with the English view of the matter. However, helpfully, Mackinnon itself provides an example of an exceptional case being when a claimant is chasing international fraud. At the interim hearing, the Judge granted CMOC the disclosure orders, being satisfied that the English Court had jurisdiction to grant disclosure orders against overseas banks under Shapira, and that this was an appropriate case to do so.

Six months later, CMOC had sought and obtained disclosure orders against more than 35 overseas banks, obtaining vital information about the fraudulent network and its operation. However, obtaining the orders was only the start of the journey, enforcing compliance with these orders is a separate story in itself…


What if you don’t know whether the respondent has any assets?

As the case progressed, the evidence of fraud was overwhelming and the pattern of distribution of the funds became more complicated and interesting. We located parcels of CMOC’s money being used in a sophisticated money laundering operation that had been used to buy perfumes from Nigeria, nappies from Cyprus, trucks from Nigeria, and pharmaceutical products from Italy, amongst other things. The recipients we contacted provided mixed responses to refunding CMOC’s money.

In mid-April 2018, thanks to the operation of the Disclosure Orders, we obtained evidence that showed a portion of CMOC’s funds had been transferred to a Puerto Rican bank.  After further investigation, we found that the ultimate recipient of this portion of CMOC’s funds was a Swiss incorporated company, whose shareholder and director was Swiss citizen with an INTERPOL Red Notice issued against him.

Upon learning this information, we applied urgently for a WFO before a hearing the following day, despite not knowing the asset position of the respondents in question (the company and its shareholder). Despite not being able to show evidence of assets that the WFO would operate to freeze, the Judge granted the relief sought.

One of the key points we put before the Judge was that that the facts of this case are not those of an ordinary commercial case.  This case is an example of the new types of fraud that are becoming prolific now.  The fraudsters, with the benefit of the internet, are equipped to move large amounts of money around the world, the asset position changing on the accounts they operate every tenth of a second. If having money in a bank account was a precondition of granting a WFO in this sort of case, the Court would not be able to assist, and in effect the fraudsters would prevail.

At trial, HHJ Waksman QC (as he then was) observed that the Commercial Court must develop to fight sophisticated international fraud, saying that granting such a WFO against Persons Unknown “reflects the need for the procedural armoury of the court to be sufficient to meet the challenges posed by the modern electronic methods of communication and of doing business.”

For the Tech Nerds

The story from this angle is how we used innovative service methods to reduce the paperwork burden and speed up the asset tracing.


Mountains of documents

There are at least three aspects inherent to a sophisticated international payments fraud that make managing the document side the bane of a solicitor’s life:

1. Stolen money tends to “fan out” to increasing numbers of destination accounts until the money is laundered. The means a lot of accounts, a lot of banks, and a lot of parties to the litigation.

By the beginning of trial, we had 29 Defendants (having settled against two) and 51 NCADs.

2. It’s easier for fraudsters to send money overseas than it is for the victim of fraud to keep up with it. The more the money fans out, the more jurisdictions tend to be involved.

By trial, the money had been traced to 25 different jurisdictions and the  parties to the litigation hailed from 14 jurisdictions.

3. Similarly, the pace of both the payments as they fan out and also the victim’s investigations tends to be much quicker than the ability to communicate with parties by traditional means.

Frequently, we would find that by the time we had served a party with a letter by post or by courier, events had overtaken our letters, sometimes significantly.

We started off with just 11 parties on the other side of the proceedings – Persons Unknown, and the NCAD banks.


Serving Overseas Banks

But although we only had 11 parties, we had to make sure our WFO was effective. We didn’t expect our fraudsters to heed the WFO out of their own good nature, so the priority was to get our ex parte WFO and DOs served on our NCADs ASAP (we had a lot of acronyms, too). Each of the initial 10 NCADs was located outside the jurisdiction, with a near even split between EU and non-EU. Most of these banks did not have an English-speaking ‘shop window’ and many of them did not exactly advertise how to report a fraud. To maximise the chances of someone seeing and acting on our WFOs, we also served on any English branches of the same bank (and although the response was universally that the account in question wasn’t located at the English branch (true) and couldn’t be frozen that way (debatable), it did at least get attention within the NCADs).


Serving Persons Unknown

There was another problem posed by suing Persons Unknown. How do you serve a fraudster whose identity you don’t know? On the ‘sending side’, we only had two fake email addresses set up by the hacker to perpetrate the initial fraud – but both of these had been taken down by the time we tried to use them for service. The only other way we could do it – at least, until we learned more information about the fraudsters – was to serve Persons Unknown on the ‘receiving side’ at their account banks. While it might seem like an artificiality (particularly if there are AML ‘tipping off’ offences in those jurisdictions), we wanted an enforceable judgment, and we needed to be able to show the Court that we had served the Defendants.


Alternative Service vs. The Service Regulation

Although we had the right to sue and serve the EU-based NCADs out of the jurisdiction without the permission of the Court under CPR 6.33 and Article 7(2) of Brussels Recast,1 and CPR rr. 6.40 and 6.41 and the Service Regulation,2 the means by which you can do so are not all that compatible with an urgent cross-border asset-tracing exercise: documents must be translated (and occasionally apostilled), and the Foreign Process Section at the RCJ must be involved.

We therefore obtained orders for alternative service under CPR 6.15 which allowed us to serve the NCADs by email where we had been able to find a suitable email address, and failing that, by international courier to both the branch and head office. This allowed us to start firing off Court orders around the globe without having to wait for translations. As far as the English Court was concerned, those banks had been served. Inbox size limits, however, meant that this was hardly a panacea.

Although this simplified things in one respect, it complicated in another. Our experience was that no amount of explaining alternative service would persuade the sophisticated recipient of an emailed WFO or DO that we had actually given good service. We therefore found ourselves, at least as EU parties were concerned, doing “double service” – once by whatever means the English Court said we could do, and a second time satisfying the requirements of the Service Regulation.


Service by Data Room

This meant that, almost immediately, we were slowing down under the weight of paperwork. Adding to the complexity was a Court-ordered confidentiality ring which put the personal details of the recipient account holders into confidentiality silos until we (and the Court) could be sure that they were fraudsters.

In order to make the WFO and the asset tracing effective, it was clear we needed to make a change. What we did was to seek the Court’s permission to serve by web-based data room (the service we chose is called Tresorit, an EU-based provider similar to Dropbox).

Once the service was up and running, we were able to upload everything to a folder structure that mirrored our growing set of real lifereal-lifehearing bundles. It made complying with our confidentiality ring easier, too.

We had to put evidence before the Court detailing several rounds of expensive, painful service, in order to persuade the Court why we should try something better. Bad news for anyone looking to do something similar: before you can tell the Court how an army of associates and paralegals spent their past few weekends, they’ll need to live those weekends.

There were a few other crucial elements to our data room strategy that we explained to the Court. The first was the security of the platform and its compliance with data protection rules. The second was that this service wouldn’t give us access to any information we wouldn’t have with traditional methods of service, such as whether the documents had been accessed and what had been read. Finally, we also had to satisfy the Court that the recipients were likely to know how to use it. Fortunately, there wasn’t much doubt about this with banks and hackers.

The data room was revolutionary and transformative for our management of the case. It meant we were able to spend vastly less time stuffing bundles and more time hunting down fraudsters. It did not resolve everything: we still had to do a second round of service that satisfied the Service Regulation, and some banks had their IT infrastructure locked down which meant we either had to work with them to find a solution, or, in a couple of instances, revert to doing things the traditional way.

One final important point is to make sure your order includes a date of deemed service. The CPR does require it, but it is easily overlooked.

1 Regulation (EU) No. 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (recast)

2 Regulation (EC) No. 1393/2007 of the European Parliament and of the Council of 13 November 2007 on the service in the Member States of judicial and extrajudicial documents in civil or commercial matters (service of documents)

The flexibility of the Commercial Court to adapt previous tools to new facts is promising and it is hoped that the English Court’s jurisdiction can continue to evolve to respond to the ways in which technology can empower fraudulent operations such as those that targeted CMOC.