The cyber-fraud case to be discussed here is CMOC Sales & Marketing Limited v Persons Unknown [2018] EWHC 2230 (Comm) (“CMOC”). HHJ Waksman QC, sitting as a High Court judge, delivered the judgement in response to argument put forward by Paul Lowenstein QC and Matthew McGhee, two barristers from 20 Essex Street Chambers in London. My analysis will focus on three core sections roughly correlating to the history, present, and future of this specific case. Firstly I will outline how the case related to prior precedents. Secondly, I will discuss its contemporary significance for cyber-fraud law. Lastly, I will evaluate both sections to examine what legal trends I foresee for the future, grounded in recent policy developments.
Context and Precedent
The judge in question HHJ Waksman QC of the High Court argued he was building on established law that held the court had jurisdiction against “persons unknown” in specific cases. Yet what does this rather mysterious label mean?
The term itself originates in a legal controversy over a Harry Potter book. More specifically it refers to a 2003 court decision by Sir Andrew Morritt VC in Bloomsbury Publishing Group Limited & J.K Rowling v News Group Newspapers Limited (No. 2) [2003] EWHC 1205 (Ch) (“Bloomsbury”). This case concerned the restraint of the early publication of a Harry Potter manuscript by an anonymous group of people who removed copies of a Harry Potter book without the author’s consent.
In paragraph 179 of CMOC, HHJ Waksman QC cites paragraph 21 of Bloomsbury to confirm his view that the court did have jurisdiction “in general against persons unknown”. In particular, the description must be “sufficiently certain as to identify both those who are included and those who are not”. He establishes further that Bloomsbury established that an interlocutory injunction might be granted against those “persons unknown” responsible for publishing the documents. Yet there is no report of the Court having ever fused its jurisdiction to make such interlocutory injunctions against persons unknown with the jurisdiction to make freezing orders. “Persons unknown” were traditionally encountered in online libel, theft, property, trespass, and possession cases. This raises the question of why there was a need for change.
Contemporary Significance for Cyber-Fraud Law
To answer this question more precisely it will be helpful to first explicate the facts of the case. In October 2017, CMOC Sales & Marketing Limited discovered it was the victim of a business email compromise fraud where the perpetrators of the fraud hacked its email and sent misleading messages causing its bank, the Bank of China in London, to pay US$6.91 million and €1.27 million out of an account through twenty distinct transfers.
In the reasoning of HHJ Waksman QC himself, the difference between Bloomsbury and the present case was that the present case concerned a “freezing” injunction, not just an interlocutory injunction. The justification (at [183]) used for this innovation was that it might act as a “springboard” for the grant of relief in respect of “third parties” who could not succeed without a “primary freezing injunction”. Pressure could in turn be placed on such banks through a Norwich Pharmacal Order, a court order for third parties to disclose relevant documents pertaining to criminal wrongdoing.
Here, the implication is that a bank could then act quickly to freeze the accounts before the money was dissipated across the world, and then go on to investigate the identities in question. After the freezing injunction, the banks could take steps to discover the identities of the perpetrators provided the claimant drafted the injunction in time. Furthermore, the banks in question are often best placed to uncover the relevant information about the identities of the perpetrators, not least as they have direct access as well as cybersecurity technology of their own.
This is exactly what happened as a result of this case. In the aftermath of the worldwide freezing order (“WFO”), more concrete information was received in response to disclosure orders and by the time of the return of the WFO over eight natural and corporate defendants emerged out of anonymity.
Therefore, the use and value of the “persons unknown” jurisdiction apply to cases where there are multiple accounts in different jurisdictions where funds are transferred, the identities of the defendants are unknown according to the definition laid out in Bloomsbury, and the nature of the crime (hacking) prevents their identities from being immediately uncovered.
Yet, one must evaluate the current cyber fraud legal regime and the actual impacts of this case. As a result of CMOC, it is now possible to grant freezing orders against “persons unknown” under English law, an anonymous person or group of people. Beyond this, English courts can now serve documents through WhatsApp or Facebook messenger, along with data rooms that can serve background documents. The case law has further evolved as the Supreme Court has set out in Cameron v Liverpool Victoria Insurance Co Ltd [2019] 3 All ER 1 (SC) where greater definition is given to the defendant as someone who can actually be located or communicated with.
Despite the further growth and evolution of the doctrine of “persons unknown”, there are some limitations. One such limitation is that a freezing order does not give security for a claim, and there are no proprietary rights against the assets covered by the order. Therefore, there is no guarantee that the sum total of the assets can be recovered. Nevertheless, there are promising signs of growth and expansion for this jurisdiction. One example is from the Malaysian High Court, where the “persons unknown” jurisdiction was applied to a case in 2021, Zschimmer & Schwarz GmbH & Co KG Chemische Fabriken v Persons Unknown & Anor [2021] 7 MLJ 178. This case closely follows the jurisdiction laid out in CMOC, demonstrating the broad, global appeal of the concept as well as its practical value to courts dealing with the issues raised by cyberfraud. Even as the global nature of cybercrime makes it increasingly complex and difficult to identify perpetrators, there are signs that courts through a process of learning and borrowing from far-away jurisdictions might develop legal doctrines to challenge cyber criminals and take steps to uncover their anonymity.
Future Impact
There is one case that clearly highlights the impact of this judgment. This is World Proteins KFT v Persons Unknown [2019] EWHC 1146 (QB), which held a freezing injunction should continue against persons unknown. In this specific case, one fraudster was able to send malware emails from what appeared to be a long-time supplier that led to payments of €1.5 million and €500,000 being paid into the fraudster’s bank account with Barclays. Indeed of the €500,000 transferred to the account, €141,000 were dissipated to three Dubai accounts. The remaining balance of €359,000 was subsequently frozen. This shows HHJ Waksman QC’s “springboard” mechanism in action, as the freezing order enabled much of the funds to be identified and some of the perpetrators to be accounted for. The fact there have been two such “Persons Unknown” cyber-fraud cases seems to suggest the concept is popular and useful to claimants, though it would be wise to watch patiently for further developments to confirm whether it emerges as established practice and where it takes hold.
The “persons unknown” jurisdiction is one sign of many that the judicial system in London continues to adapt to ongoing cyber-fraud and have some degree of (global) success and influence in doing so. One example is the 2018 announcement of the establishment of a flagship court in London designed to tackle fraud, cybercrime and economic crime. It is hoped the court will be in full service from 2025. The reasons behind the construction of this court include the sheer cost suffered by British businesses each year, particular SMEs which are often less capable of absorbing the costs. In 2018, the Business ISP provider Beaming estimated that the total cost of cybercrime across all UK small businesses in 2018 was an estimated £13.6bn. This constituted the vast majority of such cyber-attacks and hence, one likely motivating factor behind recent developments. The fact such a court is being built in London attests to both the global nature of such crimes, alongside a desire to make London remain competitive, assuaging concerns over its uncertain global role after Brexit. The “persons unknown” jurisdiction and the global reach it increasingly possesses is one small sign that suggests London will remain central to the future of cyber fraud law.