Singapore – Roaming the world of Crypto

Cryptocurrencies, non-fungible tokens, the metaverse, and Web 3.0. Just a decade or so ago, this was science fiction. Yet today, these adolescent creations often hog the headlines, underpinning stories of rags to riches – or spectacular falls from grace.

Like the Wild West of the 1800s, the cryptospace remains a world uncharted. Plundering and thievery abound, and sheriffs struggle to enforce the rule of law. ‘Wanted’ posters are plastered on the walls of the public bar, but a huge question mark obscures the faces. 

Take, for example, the Squid Game Token (SQUID) creators. Just when SQUID rose astronomically by 23,000,000 per cent in a week and investors thought they struck the lottery, the anonymous creators pulled the rug on the project, absconding with some US$3.3 million. Or the mystery hacker who broke through Ronin network’s security in what may now be crypto’s largest breach, riding off into the sunset US$625 million richer. These fraudsters’ identities remain unknown.

Other times, the law just doesn’t have the right ammunition. Despite the recent LUNA/TerraUSD crash wiping out US$60 billion in May 2022 and causing many to lose their life savings, some speculate that criminal charges against creator Do Kwon are unlikely to stick. Or take the case of crypto-lender Celsius. Once touted as the ‘Best Cryptocurrency Wallet’ of 2021, Celsius suddenly left users unable to withdraw US$12 billion of their crypto assets. CEO Alex Mashinsky remains mum on when customers will be able to make withdrawals’ – Celsius filed for bankruptcy in July 2022. The target can be found, but are the bullets loaded in the chamber?

Establishing a Strong Foothold

Yet, like in the Wild West 200 years ago, the law is slowly but surely extending its boundaries and pioneering new territory in the cryptoverse. The shroud of anonymity offered by blockchain transactions is no longer as impermeable as it once was. Courts worldwide have shown their readiness to grant freezing and disclosure orders to prevent dissipation of cryptoassets, even where the beneficial owner of the relevant wallets remain unknown. 

In AA v Persons Unknown, the Plaintiff (an insurance company) found itself attacked by malware that encrypted all of its computer systems and paid US$950,000 in Bitcoin (BTC) as ransom for the decryption tool. The High Court of England and Wales granted an interim injunction against unknown hackers as well as the Bitfinex exchange, preventing further dealing with the ransomed Bitcoins stored in the hackers’ Bitfinex wallet. The Court also ordered that Bitfinex provide information to identify the hackers, piercing their cloak of anonymity.

The Singapore courts have responded similarly to the war on crypto theft. In CLM v CLN, the Plaintiff was enjoying a vacation in Mexico when he suddenly found himself short of 109.83 BTC and 1497.54 Ethereum (ETH), cryptocurrencies worth around US$5.7 million at the time of the theft. He suspected that someone had accessed his recovery seed phrases from the apartment safe – remarkably he thought it wise to ask an acquaintance to retrieve some cash from that safe, reading out the safe’s combination within the earshot of others! Ordering Singapore’s first ever ‘persons unknown’ injunction, the High Court in March 2022 granted a proprietary injunction prohibiting the unknown thief from dealing with the identified stolen assets, with orders requiring the disclosure of information by wallet providers in the hope of identifying the wrongdoer.

Such ‘persons unknown’ injunctions coupled with disclosure orders are becoming more prevalent. Sometimes, a ‘Spartacus’ order could also be granted, compelling wrongdoers to identify themselves. In PML v Persons Unknown, the English High Court ordered that the hackers who stole information and demanded ransom in BTC identify themselves. Similarly, in Zschimmer & Schwarz v Persons Unknown, the Kuala Lumpur High Court ordered self-identification of the creator(s) of a fake email account used to defraud the plaintiff into paying €123,014.65. While such orders may appear superfluous, wrongdoers may eventually be outed, and third parties who know their identities and abet non-compliance with the order could find themselves in contempt of court.

The Fog Remains

There is, however, still much for the law to do. Cryptocurrencies’ nature isn’t entirely settled, and that becomes relevant when determining whether a plaintiff who has lost cryptocurrency can be compensated in that cryptocurrency, or should be compensated in fiat currency – the former should be the case if cryptocurrency is currency, while the latter is possible if cryptocurrency is property. Also, broadly speaking, if cryptocurrency is currency, it is probably negotiable, but if it is property, the nemo dat rule applies as a default.

Most courts seem to accept that some cryptocurrencies are property, like those in England and New Zealand. Commentators consider it a sui generis type of property, with some characteristics of property but not others. No doubt this will find further expression in case law as disputes inevitably arise. Here in Singapore the question isn’t entirely settled, though what is clear is that there is a sufficiently arguable case that Bitcoin is property for proprietary injunctions to be granted.

But how about stablecoins? Notwithstanding the dramatic fall of what was once the third largest stablecoin (TerraUSD), the UK continues to advance regulations that would recognise stablecoins as a form of payment. Does the world then intend to draw a line between two types of cryptocurrencies, with some stablecoins functioning as currency and the rest falling into the category of property? What then are the requirements for a cryptocurrency to be considered ‘stable’?

And if so, what would be the appropriate relief where a hacker has stolen stablecoins and has converted them into other cryptocurrency, just before the stablecoin implodes, like TerraUSD? Is the hacker only liable to repay a hundredth of a cent on the dollar (if stablecoins are currency) or should the hacker be made to restore the plaintiff the value lost at the time of the theft (if stablecoins are property)?

In that hypothetical, it might seem just to trace the stolen stablecoins into other cryptocurrencies and establish a constructive trust over the assets that those stablecoins were converted into: see the classic cases of AG v Reid and Sumitomo Bank Ltd v Thahir Kartika Ratna. But Wang v Darby has qualified whether and when a constructive trust may arise over ‘entirely fungible and non-identifiable digital asset’ (though perhaps this ought to be seen as dicta). Over and above this, the practical question of how far tracing can take a plaintiff remains, especially if the hacker has already broken up the stolen assets into multiple fragments and performed multiple trades. Or even worse, if the hacker proves savvy enough (as most hackers are) to run the assets through a cryptocurrency tumbler or mixer to further obscure traceability.

And if cryptocurrency is property, it should then, in theory, be possible to argue that crypto lenders such as Celsius and Babel Finance hold assets on trust for its customers, such that they should not be able to unilaterally suspend customer withdrawals indefinitely. But the courts do not speak with one voice on this issue – in Ruscoe v Cryptopia, the New Zealand Court held that the Cryptopia exchange held cryptoassets on trust for its customers. Yet the Singapore Court in Quoine v B2C2 reached the opposite conclusion, albeit on different facts. It appears more likely than not though that just as traditional banks ordinarily do not hold monies on trust for its customers (and what the customer has is an enforceable debt against the bank, or a ‘chose in action’), crypto lenders would not ordinarily hold assets on trust.

What could courts do if investors commence proceedings against the unknown SQUID creators, or LUNA/TerraUSD creator Do Kwon? Whether these will be regarded as cases of caveat emptor, or fraud or misrepresentation, also remains to be seen. Arguably, this is an area that requires informed regulation, akin to traditional stock exchanges, but the difficulty will be balancing innovation with protection. If it becomes extraordinarily difficult to list cryptoassets for sale, digital asset creators could ‘forum shop’ for the most accommodating jurisdiction that would allow them to launch their creation. It also opens up a can of worms as to what sort of digital assets should be regulated – should regulation extend to NFTs, especially fractional NFTs which could very well constitute securities under the US’s Howey Test? What about other digital assets like Dota 2 or CSGO skins, which perhaps aren’t so different from NFTs?

Braving New Fronts

These are only some of the new legal issues arising as a result of the rise (and fall) of cryptos. Many questions remain, like whether the traditional Spiliada test for determining a convenient (or non-convenient) forum has any utility in transactions done completely on the non-jurisdictional blockchain.

The task then falls to lawyers, lawmakers and judicial officers to chart the path ahead. Make no mistake however, the law is evolving to catch up with what commercial actors do. In the first of its kind, the New York Supreme Court has even allowed service of court process on hackers through NFT drops. Through informed regulation, creative court orders, and trailblazing counsel, it is only a matter of time before the rule of law reins in the wild world of crypto.

---

---