Search and find what you need faster.

Matt Green discusses crypto assets disputes and recovery with the Government of Gibraltar

Posted on: May 8th, 2025 by Natasha Cox

Director and Head of Blockchain Matt Green presented to the Ministry of Justice, Trade and Industry of the Government of Gibraltar, outlining the evolving legal status of digital assets alongside Scott Pounder, Founder and CEO of Prometheus Insights. 

Looking to the current legal landscape and potential future developments, Matt and Scott explained why recognising digital assets as property is essential, considering:

  • The definition of digital assets
  • The canon of common law, including Matt’s own cases, and how asset recovery cases created precedents globally
  • The role of legal definitions of property, now ratified in the Court of Appeal, from case law through to the Property (Digital Assets etc) Bill
  • Considering a draft statutory instrument designed to bring dealing with crypto assets into the remit of regulated activity under FSMA 2000.

For more information on our digital assets expertise, please click here.

Dominic Holden explores the Home Office consultation on ransomware payments, in Law360

Posted on: April 10th, 2025 by Natasha Cox

Director Dominic Holden examines the recent Home Office consultation on cyber attacks and banning ransom payments by public bodies and critical infrastructure operators, and discusses the potential impact of such reforms on SMEs, in Law360.

Dominic’s article was published in Law360, 9 April 2025. 

On 14 January 2025, the Home Office opened a consultation on proposals to ban ransom payments by publicly owned bodies and operators of critical national infrastructure that have or may have suffered a ransomware attack[1]. The consultation runs until 8 April 2025, and the government seeks input from potential compliance stakeholders, industry, research, and the public.

The overall aim is to tackle the multi-billion-pound cybercrime industry, and the specific objective is potentially to make vital infrastructure like hospitals and the National Grid an unattractive prospect for hackers.

Yet, these proposals are not without their flaws.

The below article examines these plans, explores the development of the ransomware industry, and discusses how such reforms could impact UK businesses.

What is ransomware?

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system. Once infected, critical IT networks can become crippled and inoperable. The hacker then promises to provide the key to unlock the files in return for money, typically in cryptocurrency.

These attacks can be particularly harmful due to the associated financial losses, theft of potentially sensitive data and intellectual property, as well as significant business/service disruption and reputational damage.

Growing threats

One of the key triggers for this consultation exercise appears to have been the Synovis ransomware attack in June last year, which caused severe damage to the NHS with the postponement of over 10,000 outpatient appointments and around 1,700 elective procedures in London.[2]

Ransomware attacks are a growing threat. Over a period of twelve months which ended in August 2024, the UK’s National Cyber Security Centre’s (NCSC) became involved in managing 430 cyber incidents including 13 separate ransomware incidents which were “deemed to be nationally significant and posed serious harm to essential services or the wider economy”. According to the National Crime Agency, the number of UK victims appearing on ransomware data leak sites has also doubled since 2022[3].

As a result, ransomware is viewed by the National Crime Agency as one of the most serious organised cybercrime threats to the UK’s national security.

These attacks have now become highly profitable. In 2024, one study revealed that UK respondents paid an average of £870,000 with two organisations admitting to paying £10m-£20m in ransoms[4]. According to Sophos (which specialises in endpoint security), the median global ransomware payment made by victims over the past couple of years has also increased by 400% up from $400,000 to $2 million. Meanwhile the recovery costs to victims of a ransomware attack have also increased from $1.82 million to $2.73 million – a rise of around 50%[5].

Whether the ransom is paid or not, regulators and customers will very likely need to be notified of the attack under existing legislation, leading to the threat of an investigation, fines, claims and significant damage to an organisation’s reputation as their customers and suppliers learn of the attack.

The question of how to meet this threat faces governments across the globe.

Exploring the Home Office proposals

Banning ransomware payments

The idea of banning ransomware payment by certain organisations could be an effective deterrent to reduce ransomware attacks, with hackers looking elsewhere – hopefully overseas – for easier pickings that are permitted to pay out. The policy would follow the long-standing principle of the UK Government not to pay ransoms for its citizens taken hostage by terrorists.

However, a ban could be damaging to businesses. Paying a ransom can often be the fastest and most cost-effective way for an organisation to recover from these attacks.

The alternative to non-payment is trying to reset and restore an organisation’s system from backup (assuming regular backups exist) and a potentially catastrophic data loss. The business disruption that follows can be ruinous, both financially and reputationally.

According to Veeam’s 2024 Ransomware Trends Report, 96% of security professionals surveyed said that their backup repositories had been targeted, while a mere 15% were able to recover their data without paying a ransom[6].

That said, paying a ransom can be a risky business. The same report found that 27% of those organisations who had paid the ransom, were still unable to recover their data. In other words, while paying up might seem to offer a quick solution, there is no guarantee that it will resolve the problem.

‘Double dipping’ poses a further risk for victims. In such cases, a ransom is paid only for a further attack to follow a few days later. Or, even worse, an additional ransom is demanded to avoid the hacker publishing the compromised data or selling the information to the highest bidder.

This poses the question of whether the Government’s proposed limited ban goes far enough.

The focus on publicly owned bodies and operators of critical national infrastructure is a good start, given the obvious disruption that stems from the paralysis of these organisations. However, the policy risks hackers moving their attention away from these organisations, focusing their efforts on private companies who would still be permitted to pay a ransom. This could be particularly devastating for SMEs – which make up around 99.9% of the UK economy, but who lack the resources to mount an effective defence against, and response to, a ransomware attack[7].

A limited ban is not the only measure under consideration.

Reporting of all ransomware attacks

The mandatory reporting of all ransomware attacks by companies that meet a certain threshold is also proposed. This proposal is similar to that which has already been proposed in the Cyber Security and Resilience Bill, which is due to be put to Parliament this year.

The purpose of the reporting is to assist law enforcement agencies by giving them a better understanding of the scale and nature of attacks, in order to identify patterns and improve responses to such attacks, and stop them from spreading.

This would appear to be an obvious ‘win’. The more up-to-date information available, the better the future decision-making on how to combat the threat.

The question which then arises, however, is whether the Government will properly resource the authorities who will receive this data, to allow them to take effective steps to respond.

Decision to pay a ransom

Finally, the Home Office proposes that the decision to pay a ransom could be left to the authorities.

The idea of the authorities needing to approve (or not) the payment of ransoms, is likely to be unworkable. It assumes a level of dynamism and responsiveness from Government authorities that is unlikely to be achieved in practice. Taking this decision out of the hands of those who know the organisation and the data at risk best, would seem to be ill-advised.

It also remains to be seen how the Government proposes to enforce legislation against the payment of ransoms. Criminalising the victims of a ransomware attack for making a ransom payment would seem to be unduly punitive given that these organisations are the innocent parties in this situation.

The Government may consider substantial fines to be a more appropriate sanction in line with current legislation around data, such as the UK General Data Protection Regulation/Data Protection Act 2018.

Conclusion

It is clear that the time has come for decisive action to be taken in the battle against ransomware attacks, and the Home Office’s initial focus on critical infrastructure and the public sector is a welcome first step.

However, the consultation is light on detail as to the how the Government intends to enforce compliance, and around the resources that will be available to ensure the reporting of ransomware attacks informs an effective strategy to prevent these attacks from occurring and spreading.

If a limited ban on ransom payments is introduced, it is incumbent on the Government to ensure that support will be provided to soften the increased business interruption that will invariably follow in the private sector.

While these proposals rumble throughout Westminster, there are still steps businesses can take to improve their chances of avoiding an attack, or ensure they are able effectively to deal with one when it comes.

Training staff to identify potential ransomware and other cyber-attacks along with regular system checks, backups and patching, can be essential in mitigating against these threats. Cyber insurance can also provide valuable support and resources to deal with the consequences of an attack, along with a robust incident response plan which deals with how the business can operate in the face of a ransomware event.

For more information on our services relating to technology disputes, please see here

[1]                 https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime

[2]                  https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/latest-media-statement-on-synnovis-cyber-attack/#:~:text=As%20a%20result%20of%20the,St%20Thomas’%20NHS%20Foundation%20Trust.

[3]                  https://www.gov.uk/government/news/world-leading-proposals-to-protect-businesses-from-cybercrime#:~:text=The%20NCSC%20managed%20430%20cyber,services%20or%20the%20wider%20economy.

[4]                 Over Half of Breached UK Firms Pay Ransom – Infosecurity Magazine

[5]                  https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6]                  https://www.primesys.co.uk/wp-content/uploads/2024/10/Veeam-2024-ransomware-trends-report.pdf

[7]                  https://www.gov.uk/government/statistics/business-population-estimates-2023/business-population-estimates-for-the-uk-and-regions-2023-statistical-release

Crypto recovery – navigating the first 72 hours

Posted on: April 8th, 2025 by Natasha Cox

When a person goes missing, the first 72-hours are mission critical.

The same urgency applies if you have been hacked, scammed or are the victim of a theft- even more so if the loss are crypto assets. Quick and decisive action in the immediate hours will significantly mitigate the risk of those assets being obfuscated and dissipated and assist with recovery.

Crypto scammers are particularly ruthless, often deploying all manner of sophisticated tactics. From straightforward account compromises and theft with no direct interaction, to elaborate social engineering, often gaining trust through dating websites, fake investment platforms, or social media, their ultimate aim is to deprive a rightful owner of crypto assets.

Discovering that you have been the victim, regardless of the methodology used, can be emotionally draining as well as financially devastating. Clarity of thought and rational action can often give way to absentmindedness. This can lead to victims continuing to pay the bad actors, or fake recovery firms who are one and the same.

In the circumstances this is entirely understandable.

The appropriate next steps can vary depending on the specific circumstances, however our recommended action plan is detailed below and applies to most scenarios:

  1. Secure your communications

Often, particularly in cases where victims have been socially engineered, your email addresses and social media accounts will likely have been compromised as the result of the hack.

Most mainstream email providers will allow you to see a log-in history which details the IP address and location of all log-in attempts. Consider if any are unrecognisable.

If there are any suspicious log-ins, it is likely that your email address has been compromised and your communications may be monitored by the scammers. This could also impact other personal and financial accounts linked to your email, such as online shopping accounts, bank accounts and social media profiles. Credit ratings and access to future baking facilities may also be affected.

In this case, it is vital that you immediately change the password for your email, and then for all other accounts held online.

In addition, we recommend that you set up a new, secure email address immediately and avoid logging into any accounts you suspect may have compromised. You should divert any personal and critical emails to your new account, and ensure that you update your email address across your online shopping, social media and bank accounts.

It is important that you notify your bank and or cryptocurrency exchange of your new email address, which replaces the old one, and ensure to communicate that no instructions are to be taken from the old email address.

  1. Cease communications strategically

In cases where scammers have maintained prolonged contact, they may continue to reach out to you. Let them remain unaware you know this is a fraudulent scheme. If they know that you are aware, there is a heightened risk that they will take steps to obfuscate their trail and dissipate assets, which can make asset recovery more complicated.

If you can, you should look to cease communication strategically without encouraging further interaction. One approach might be to indicate you will be unavailable or away for a few weeks. This will hopefully give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action.

In short, the longer the scammers believe that their scam is undetected, the better.

You should then immediately begin collating a detailed record of all previous communications, including requests for payments, emails, phone calls, text messages, social media interactions, transaction details, wallet addresses and transaction hashes etc. Accurate records are crucial for any subsequent legal action and investigations. If you have been directed to a webpage during your interactions with the scammers, you should ensure to take screenshots of these pages in case they disappear.

Evidence of what jurisdiction they may be in is also vital. For example, note of their telephone number and dialling code (e.g. +44 for UK) or mention of a registered office (even if untrue) will help dramatically.

  1. Report to law enforcement

As soon as possible, you should report the theft to the police and Action Fraud – or equivalent law enforcement agencies. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible, and obtain a direct liaison and contact details. Action Fraud is only a database, and your query will not progress unless the police investigate.

Try not be discouraged or frustrated if the police cannot offer much help. Police resources, expertise, and capacity to deal with crypto related crimes can vary considerably, and officers may lack immediate familiarity with blockchain technology, or the complexities involved

Even if the police are unable to offer much direct assistance, formally reporting the incident is a crucial step as it creates an official record that supports any subsequent legal and recovery actions you may take with the support of your legal team.

  1. Device management and evidence preservation

Given that so much of our lives are conducted online and contained within personal devices such as laptops and mobile phones, it is crucial to exercise heightened caution if these devices may have been compromised.

If you notice unusual behaviour or unexpected activity on your devices (for example, unprompted command prompt windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much) then this may be an indication your device may be compromised.

This is more likely if the scammers have previously taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

As tempting as it may be, avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets. Formatting or resetting the device risks destroying potentially valuable evidence which often indicates the attack vectors used by the scammers and can be a useful part of the puzzle in identifying who they may be.

If your budget permits, obtaining new, uncompromised devices for interim use is recommended.

  1. Secure remaining cryptoassets

It may be that the scammers have only targeted or been able to target specific parts of your crypto holdings. However, if your devices or email/social media accounts have been compromised, it is likely they know much more than you think – including what centralised exchange accounts and wallet addresses you have that they may wish to target next.

As such, you should immediately access and review all centralised exchange accounts you may hold online, and cold storage where applicable. Update your details held at these accounts, including email, contact information and passwords.

It is also crucial to strengthen your two-factor authentication and carefully review transactions to identify any activity you do not recognise which may be indicative of that account being compromised.

If you are holding any assets on these accounts, consider creating new, secure self custodial wallets on uncompromised devices and transferring remaining assets between multiple wallets.

If you have previously staked assets, check to see whether these remain staked or have been unstaked without your knowledge and are in any cooldown period. If unstaking has been initiated, try to take steps to ensure the unstaked assets can immediately be sent to your new, secure wallets as soon as possible.

  1. Engage with experts

Engaging promptly with specialist lawyers experienced in crypto asset disputes, particularly asset tracing on blockchains and recovery, can be vital ensuring the swift tracing and recovery of your assets.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets (such as statements) as well as relevant transaction hashes or addresses as this will form the basis of asserting your proprietary claim to those assets. This is essential in recovering such assets.

Scammers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. These exchanges will have established payment rails which allow them to enable the transfer of fiat funds and are crucial to their business operations. 

As these payment rails exist within a regulated environment, banks must be comfortable with the funds handled by these exchanges. Consequently, exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Once an investigator can identify exchanges which have received the stolen assets, your legal team should then enter into dialogue to place them on notice that they have received the proceeds of crime and request they take specific actions. These include freezing the relevant accounts to secure any assets held within, as well as requesting disclosure of any onward transfers and withdrawals from that account which can be used to further trace the stolen assets with a view to recovery.

This draws a line in the sand – the exchange is now aware of the issue and any funds held at or subsequently deposited at that account must now be frozen.

  1. Seek emotional support

Recognising that you have fallen victim to a scam can trigger intense emotional distress, anxiety, and feelings of isolation. It is important to recognise you are not alone and that these feelings, while overwhelming, are a common response to what can be a very personal breach of privacy, trust and security.

If you find yourself in such a position, consider reaching out to supportive friends and family. Whilst there are also online communities offering support to victims, you should treat these with caution, as these can present attractive hunting grounds for scammers seeking to exploit those at their most vulnerable.

If you find your emotional state severely impacted or you are feeling persistent low, anxious or overwhelmed, it is essential to seek professional medical or mental health support.

As outlined above, acting quickly and methodically within the immediate hours and days after discovering a scam or can significantly improve the prospects of recovery and limit the broader financial and emotional damage.

For more information on our services relating to technology disputes, please click here. For our cryptoassets services, please click here

Dominic Holden discusses encryption in The Times

Posted on: March 6th, 2025 by Natasha Cox

Director Dominic Holden explores the recent dispute between Apple and the Home Office over the use of end-to-end encryption and potential backdoors into user data, in The Times.

Dominic’s article was published in The Times, 6 March 2025, and can be found here. 

Apple refuses to open the backdoor, but at what cost?

The Home Office’s demand for Apple to provide them with a ‘backdoor’, allowing access to users’ encrypted data, has been met by simple refusal by Apple. In protest, the tech giant instead opted to entirely withdraw from UK users the ability to protect their data using Apple’s most advanced encryption feature.

End-to-end encryption is double-edged – and the arguments on both sides are compelling.

On the one hand, it allows users to better protect their private data from hackers and other prying eyes. On the other, it can allow criminals to avoid law enforcement’s digital surveillance. It can also be a minefield for prosecution lawyers hampering their ability to obtain disclosure of the documents they need to build a case against terrorists and others who have threatened national security.

Like many tech companies, Apple faces a dilemma. It must respect the laws of the jurisdiction in which it operates. However, security and privacy are at the heart of its offering. Kowtowing to the UK government, risks opening the floodgates to other governments making similar demands in spite of Apple’s privacy commitments to its customers.

As this debate rages on, it remains to be seen whether Apple’s solution sufficiently placates the UK Government, or whether the next round will involve a demand that a backdoor is provided for all data.

The creation of a backdoor is, by its very nature, a risk. It creates a vulnerability which could be exploited by hackers. It is perhaps for this reason that Apple has made this decision – either you have encryption (with no backdoor), or you don’t have encryption at all.

This approach, however, misses a nuance.

Permitting users to encrypt their data is an effective tool against hackers and will ward off the vast majority of opportunistic hackers. Although creating a backdoor may create a vulnerability for the most sophisticated of hackers to exploit, this must surely be a better option than a blanket removal of such a powerful weapon users have at their disposal?

Understandably, many will bristle at the idea of the Government being able to gain access to their encrypted data. However, given that we do not live in a police state and the vast majority of us are not up to no good, a backdoor could help to keep the public safe – provided that there is robust, considered legislation and supervision from the English Courts.

For now, Apple users should take stock of their data and consider that which they would most regret falling into the hands of a hacker. There are still, after all, many (non-Apple) services available that allow for the secure storage and transmission of your data.

For more information on our data privacy and data protection services, please click here

 

Dominic Holden comments on Apple’s end-to-end encryption in TechRound

Posted on: February 27th, 2025 by Natasha Cox

Director Dominic Holden comments on the news that Apple is set to withdraw its Advanced Data Protection feature from the UK, following a dispute with the Home Office over end-to-end encryption and enabling government access to user data. 

Dominic’s comments were published in TechRound, 26 February 2025, and can be found here.

Dominic’s comments are replicated below:

“Balancing privacy rights with the needs of national security is a tightrope that tech companies walk daily. In this case, it appears Apple have begun to teeter.

“End-to-end encryption allows users to more effectively secure their data and better protect it from hackers and other bad actors. However, it can also allow criminals to plot and conduct illicit activity.

“Aside from whether the public trust that a back door such as this will not be misused by the government, the danger of a back door is that it also creates a vulnerability which a hacker may be able to exploit.

“Apple’s decision to withdraw UK user’s ability to encrypt data removes an effective weapon to protect against hacking, whilst hackers and other bad actors will likely migrate to alternative encrypted services that the government cannot access.”

 

Dominic Holden explores cybersecurity for SMEs in Thomson Reuters Regulatory Intelligence

Posted on: February 24th, 2025 by Hugh Dineen-Lees

Director Dominic Holden explores the increasingly important role of cyber insurance for SMEs, and discusses how businesses can best ensure they are protected from cyberattacks, data breaches and hacking.

Dominic’s article was published in Thomson Reuters Regulatory Intelligence, 21 February 2025, and can be found here:

Cybersecurity_ a blind spot for SMEs – [regintel-content.thomsonreute

 

 

Dominic Holden comments on DeepSeek and data protection in The Lawyer

Posted on: January 29th, 2025 by Hugh Dineen-Lees

With Chinese AI platform DeepSeek rapidly becoming the most downloaded free app in the UK and the US, Director Dominic Holden comments on the potential cybersecurity and data protection concerns, in The Lawyer.

Dominic’s comments were published in The Lawyer, 28 January 2025, and can be found here.

“DeepSeek’s privacy policy makes clear that they will collect your personal data, use it for a broad range of purposes and store it in China. This data is very valuable especially when provided at scale by thousands of users. The same concerns which gave rise to the proposed TikTok ban seem to apply here.

“With China’s national security laws obliging Chinese firms to share data with government agencies, users cannot know what will ultimately become of their data or how it might be used. Great care should be taken by users in deciding what to share with the platform.”

Dominic Holden comments on the potential cybersecurity risks surrounding RedNote and TikTok, in Yahoo! News

Posted on: January 15th, 2025 by Natasha Cox

Director Dominic Holden comments on the potential cybersecurity and data protection risks of downloading RedNote, the social media platform which users are downloading before the potential US TikTok ban, in Yahoo! News.

Dominic’s comments were published in Yahoo! News, 14 January 2025, and can be found here

“Like TikTok, RedNote is owned by a Chinese company which potentially raises the same privacy and data concerns that led to TikTok’s possible ban. 

“Whilst the app itself does not appear to be dangerous, users concerned about their data privacy and how their data is to be used by RedNote, may be slow to adopt it until more is known

“There is also the further risk that as RedNote gains popularity, as a Chinese-owned company, it too may need to deal with the same regulatory issues TikTok has faced. Failure to do so could result in a future ban or legal action against RedNote.”

For more information on our technology disputes practice please click here