Search and find what you need faster.

Preparing for Cyberattacks: What Jaguar Land Rover Can Teach Modern Businesses

Posted on: September 9th, 2025 by Natasha Cox

Director Dominic Holden explores how businesses can protect themselves and mitigate the risks of a cyberattack, following the recent incident at Jaguar Land Rover, in Computer Weekly.

Dominic’s article was published in Computer Weekly, 9 September 2025, and can be found here.

A cyber-attack at Jaguar Land Rover has halted production lines and caused wide-spread disruption. How can businesses protect themselves and mitigate the risks of an attack?

A single cyber incident can halt production lines, dent customer confidence and wipe millions off a company’s share price – as Jaguar Land Rover (JLR) discovered after it was forced to shut down operations last week.

There is, though, much a business can do to prepare for a cyber attack to both reduce the prospect of falling victim to an attack and to mitigate the loss they can cause.

Preparation: A non-negotiable first step

Effective cyber resilience begins long before an attack occurs, and preparation can be key in mitigating the financial, technical or reputational damage. As such, many boards are now beginning to treat cyber security as a strategic priority, not a technical afterthought.

Effective preparation can encompass several aspects, and this can differ from business to business.

Often, this includes the creation of a clear, rehearsed incident response plan that identifies who does what in the first 72 hours and beyond, from isolating systems to briefing the regulator. The most effective plans are rehearsed by running crisis exercises and simulations so that staff know their roles, and leadership can practise decision-making under pressure.

Backing up your systems and testing that these systems can be restored quickly if compromised is also critical, with the JLR incident showing just how much damage a full shutdown of operations can cause.

Staff can also be more effectively trained to spot phishing attempts, unusual device activity and other red flags which may indicate an attempted breach of a company’s systems. Staff should also be made aware of the importance of ensuring that they install the updates that are rolled out by their IT team.

Cyber insurance is also key. There are many specialist brokers that can assist in tailoring a policy to the risks faced by the company. The process of obtaining the insurance often highlights issues with the company’s existing security and should provide essential support in the event of an attack.

Without such planning and preparation, a business will become more vulnerable to an attack and struggle to respond effectively when the pressure begins to increase.

The first 72 hours

If, despite your preparations, you fall victim to an attack, the first 72 hours are critical. This is where your planning pays off.

Where personal data may be at risk, the Information Commissioner’s Office (ICO) will need to be informed within 72 hours, and you may also need to notify your customers and suppliers of the risk. A PR team with expertise in crisis communications can be an important ally to avoid lasting reputational damage to the business.

Engaging law enforcement at the earliest opportunity is also advised. Reporting the incident to the police and Action Fraud creates a record that can support recovery and wider investigations. Notifying your insurers as soon as possible so you get support from specialist “breach response” advisers, including lawyers and computer forensic specialists, can avoid a misstep during a chaotic and stressful time.

A computer forensics team can move quickly to quarantine the affected systems and help you recover operations quickly, while also preserving evidence. A breach response lawyer will ensure you comply with your regulatory obligations and assist you in formulating a strategy to minimise the claims from suppliers and customers that can often follow.

The ransom question

One of the hardest decisions for businesses that fall victim to a ransomware attack is whether to pay a ransom – where one is demanded. While the National Crime Agency strongly advises against this, as there is no guarantee of restoration and payment encourages further crime, many organisations faced with operational paralysis may consider it a last resort.

Such ransom payments are often demanded in cryptocurrency, and their payment can be covered by insurance, so it is important for businesses to check their policies to see whether this forms part of their cover. It may also be possible to recover the ransom even after it has been paid. Specialist lawyers in crypto recovery can advise whether this is a possibility.

Lessons from JLR

The lesson from the JLR incident is simple: cyber security is no longer just an IT problem – it is a boardroom issue.

Boards must demand robust planning, allocate resources and ensure rehearsals are carried out. Only then can a business minimise financial and reputational damage when an attack occurs.

UK Crypto Regulation Update: HM Treasury’s New Rules Target Scams and Support Fintech

Posted on: July 28th, 2025 by Natasha Cox

In April 2025, HM’s Treasury published a long-awaited overhaul of crypto regulation, via a draft statutory instrument to bring certain cryptoassets into our financial services regime – The Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025.

In theory, this gives the UK an opportunity to now compete with other financial hubs by clarifying the rules on issuing cryptoassets. Other players have already taken the leap, notably in the European Union, Middle East and United States. For the UK, there is plenty of work needed to close this gap.

Head of Blockchain and Digital Assets Matt Green and BCB Group CEO Oliver Tonkin analyse HM Treasury’s overhaul of the UK crypto regime, and discuss whether this is too little too late in driving investment and innovation to the sector.

Matt and Oliver’s article was published in Thomson Reuters Regulatory Intelligence, 24 July 2025, and can be found here.

For more information on our blockchain, digital and cryptoassets services, please click here.

Digital Asset Law Reform: Key Takeaways for UK Advisers

Posted on: July 17th, 2025 by Natasha Cox

Following the Law Commission’s proposals for crypto and digital asset reform regime, Director Matt Green explores what these proposals mean for advisers – as well as those looking to recover stolen or hacked cryptocurrency.

Matt’s article was co-authored with Ashley Fairbrother, Partner at Edmonds Marshall McMahon.

Matt and Ashley’s article was published in FT Adviser, 16 July 2025, and can be found here.

In June 2025, the UK’s Law Commission proposed new powers to drastically help victims of fraud following the loss of cryptoassets where key details, like the bad actors’ details, are unknown. These proposals would allow courts to grant free-standing information orders at the outset of crypto fraud investigations, before the victim needs to commit to pursuing a substantive claim.

This may prove to be a vital legal reform and significantly increase access to justice, especially when victims have lost significant funds, and do not want to risk spending more money pursuing unknown parties who may or may not still hold funds.

The crypto fraud epidemic

Fraud concerning cryptoassets is a significant issue for consumers and businesses alike. Chainalysis’s “The 2025 Crypto Crime Report” notes that ‘pig butchering’ scams (i.e. scams via social engineering) have increased 40% year on year, and cost victims a total of $9.9 billion as of 2024. Separately, Chainalysis’s report notes that $2.2billion was stolen from crypto platforms across this period.

Last year, Action Fraud – the UK’s reporting centre for fraud and cybercrime – reported over 649,000 instances of investment fraud, with 66% attributed to crypto investment related schemes. Individuals are losing life savings, family homes and pensions, and taking out astronomical loans to pay fraudsters who demand more money to release funds already taken under the guise of investment profits.

Scams are often initiated by telephone calls, texts and emails from actors purporting to be from major cryptocurrency exchanges or banks who hold convincing personal data, usually obtained via data scraping, to harbour a victim’s trust and eventually extract funds. Assets are then typically laundered to facilitate human trafficking, drugs trades and organised crime.

Currently, victims can follow their funds across their respective blockchains by providing practitioners with their transaction identifiers, which show the funds being withdrawn or sent from their control to the fraudster. Following a traceable laundering process, funds can end up at centralised retail outfits like Binance, Kraken and Coinbase, offshore swapping services like SimpleSwap and ChangeNow, to purportedly decentralised outfits, who offer services without obtaining Know Your Client documents or Anti Money Laundering checks, performing permissionless transactions.

Once at these exchanges, victims need to know key information to consider the viability of pursuing a legal claim, including details of the exchange’s customer, information concerning internet-protocol addresses, trading histories and, of course, the balances held at accounts. Without this information, it is extremely difficult to consider whether a victim should spend good money chasing lost assets, and in most reported cases, victims have taken a high-risk approach in pursuing “persons unknown” with limited information.

To obtain this material, lawyers can use gateway 25(b) of the Civil Procedure Rules (which dictate the rules around litigation in England and Wales), which requires victims to start a substantive claim alongside an application for disclosure of information. This means they must be prepared to sue someone and detail the claim clearly at that stage.

As a commercial proposition, this might be extremely costly. The Law Commission recognises this at paragraph 3.78 of its report, where it states that “victims are not always able to say that they definitely intend to commence proceedings in England and Wales”

Similarly, to obtain wider reliefs against perpetrators, including a worldwide freezing injunction which prohibits the defendants from moving or dissipating their assets globally up to the value of the claim, the victim must also show from the outset that they have other assets to the value of the loss, on the basis that the injunction detriments the defendants unfairly. This is an enormous burden for any victim of fraud to overcome, without really knowing anything about the defendants.

Currently, the bar to entry is very high. Only those with deep pockets, and a high appetite for risk, can pursue their funds via the courts.

The Law Commission’s proposal

The Law Commission has recently published the “Digital assets and (electronic) trade documents in private international law, including Section 72 of the Bills of Exchange Act 1882, consultation paper” to assist victims, by allowing the court to grant a “free -standing information order to assist a claimant at the initial investigations stage of the proceedings”.

Should the proposal be successful, this would allow victims to assess the viability of the claim and consider the facts at hand without starting a formal claim. The costs might be substantially lower, and without the risk associated with formal litigation.

The proposed test for granting one of these orders is provided at paragraph 4.92 within the consultation paper, and summarised as:

  1. The case has a certain strength, in that the claimant must evidence a wrongdoing;
  2. The disclosure of this information is necessary to allow the victim to bring legal proceedings or other redress;
  3. The court must be satisfied that there is no other court in which the claimant could reasonably bring the application for disclosure;
  4. The court must be satisfied there is an adequate link to England and or Wales. For example, that the victim resides, domiciles or is a national here. This might also include (though not explicit in the paper) that the defendant purports to have an adequate connection to this jurisdiction – for example where a scam investment website says the company is registered in England.

Effect and next steps

In principle, this initiative will drastically lower the obstacles to recourse by giving victims a cost-effective solution to assess a claim’s viability and mitigate litigation risks early on. A consultation period for this paper is open until 8 September 2025, and many law firms and individuals have already backed the Law Commission’s above proposal, including both of us as authors of this piece as well as our peers including Nathan Capone at Fieldfisher.

This reform is vital in widening access to justice by revolutionising the initial stages of crypto asset recovery by removing substantial financial and procedural barriers that currently prevent many victims from commencing a claim.

To find out more about our Blockchain and Digital Assets services, please click here

 

Lawrence Stephens & Howden Unveil Innovative Crypto Theft Recovery Solution

Posted on: July 7th, 2025 by Natasha Cox

Lawrence Stephens has partnered with Howden, the global insurance intermediary group, to launch a first-of-its-kind solution for the cryptocurrency sector. This innovative facility combines robust crypto theft insurance with expert legal asset recovery services, offering clients a comprehensive and credible response to digital asset theft.

The new solution delivers more than just insurance – it provides clients with a fully integrated approach that includes legal expertise, access to leading crypto vendors, and forensic recovery capabilities.

“At Howden, we believe in delivering solutions that go beyond traditional insurance,” said Freddie Palmer, Head of Digital Assets and Blockchain at Howden. “By partnering with Lawrence Stephens, we’re empowering our clients with a seamless, end-to-end service that combines technical insurance advice, legal recourse, and access to the broader crypto ecosystem. It’s a powerful response to one of the industry’s most urgent challenges.”

Key features of the facility include:

  • Specialist legal support from Lawrence Stephens to initiate asset freezing and recovery proceedings.
  • Insurance coverage that includes partial reimbursement of legal recovery costs when engaging Lawrence Stephens.
  • Access to a trusted network of crypto vendors and forensic experts to trace and recover stolen assets.

“We’re delighted to offer our legal expertise to the insurance market through this collaboration with Howden,” said Matt Green, Head of Blockchain, Digital Assets and Technology Disputes at Lawrence Stephens. “After all, the legal process began helping an insurer reclaim payment following a ransomware attack.”

This launch marks a significant step forward in institutionalising crypto asset protection, offering clients a credible, structured, and responsive solution in an increasingly complex digital landscape. As digital assets become more mainstream, institutional-grade protection is essential to build trust, reduce risk, and support the long-term growth of the crypto economy.

To find out more about our Blockchain, Digital Assets and Technology Disputes services, please click here

How the UK Can Back Crypto Innovation with Action

Posted on: June 27th, 2025 by Alanah Lenten

We now find ourselves at a critical crossroads in the evolution of financial technology. While the UK once made bold proclamations about becoming a global crypto asset hub, real progress has stalled, and the lack of regulatory clarity is beginning to weigh on investment, innovation, and job creation. In an era where blockchain, artificial intelligence, and quantum computing are converging to reshape global economies, the UK must act decisively or risk falling behind forward-thinking jurisdictions such as the US, Singapore, and the UAE.

While recent developments from the Financial Conduct Authority (FCA) – including the publication of a crypto roadmap and the UK Treasury preparing draft legislation to provide clarity on qualifying crypto assets, including stablecoins, which will fall under the remit of the Financial Services and Markets Act 2000 –  indicate progress, the pace of change remains too slow.

The UK has a golden opportunity to define a forward-looking, globally competitive framework for digital assets, but this demands bold leadership, joined-up policymaking, and a clear national strategy that puts emerging technologies at the centre of economic growth. In a joint letter to government, Matt Green, Head of Blockchain and Digital Assets and Technology Disputes at Lawrence Stephens, together with leading industry bodies, outlined a series of proposals to help the UK realise this potential. The article below explores their key recommendations in more detail.

Laying the groundwork for growth

According to the FCA, around 12% of UK adults, approximately seven million people, now own digital assets. Despite this, only 8% of global venture capital funding in the space went to UK-based firms in the past year. The US, by comparison, attracted a staggering 76%. If the UK is serious about becoming a leading force in the digital economy, it must close this investment gap with urgency.

At present, a fragmented approach to digital asset regulation is inhibiting progress. A new wave of global strategies led by national governments eager to capture the economic benefits of blockchain and Web3 is leaving the UK at risk of playing catch-up. From Dubai to Washington, governments are launching clear action plans, appointing envoys, and rolling out incentive programs to attract high-potential digital firms.

A clear path to digital leadership

That’s why a coalition of leading trade bodies, including the UK Cryptoasset Business Council, Global Digital Finance, The Payments Association, techUK and Lawrence Stephens has come together to call on the Government to implement a clear digital asset strategy. Representing both pioneering start-ups and established multinational firms, we believe the UK can and should be at the forefront of responsible innovation.

There are four key steps the UK can take to realise this ambition:

1. Appoint a blockchain special envoy

Just as the US government has appointed a high-profile blockchain envoy to spearhead policy alignment and investment attraction, so too must the UK. A dedicated envoy would serve as a strategic bridge between government, regulators, and industry, driving consistency, championing innovation, and positioning the UK as a premier destination for blockchain-related investment. The envoy would also play a crucial global role, representing the UK on the international stage and securing collaboration opportunities with leading digital nations.

2. Launch a government-led Digital Asset Action Plan

Like the coordinated approach seen in artificial intelligence, the UK should implement a comprehensive strategy for digital assets and blockchain technology. This could include a white-glove concierge service to support scale-ups, integration of blockchain into public services, and the development of a globally competitive tax and investment landscape. Targeted incentives would enable the UK to attract and retain the world’s most promising digital firms, ensuring job creation and long-term economic benefit.

3. Recognise the convergence of emerging technologies

Emerging technologies rarely operate in silos. Blockchain, quantum computing, and AI are increasingly interdependent, and together they promise to redefine industries from finance and defence to supply chains and public healthcare. For example, blockchain can add transparency and trust to AI systems, while AI can optimise blockchain functionality. These technologies working in harmony offer the potential to deliver transformative public services, from decentralised property registries to secure NHS data transfers. The UK must actively foster collaboration across these disciplines to maximise impact and support innovation at scale.

4. Create an industry-government engagement forum

Effective policymaking must be informed by those at the forefront of innovation. To that end, we propose the creation of a high-level industry-government-regulator taskforce, designed to ensure close collaboration and continuous dialogue across sectors. This would enable agile policymaking that reflects the rapidly evolving nature of digital technologies and ensures the UK remains ahead of the curve.

Unlocking long-term economic value

The potential economic impact of digital assets and blockchain is immense. A recent PwC report projects that blockchain could add £57 billion to the UK economy over the next decade. Globally, it could boost GDP by £1.39 trillion by 2030. Sectors like logistics, finance, health, and public services stand to gain the most, particularly through improved transparency, faster data transfers, and streamlined transactions.

Meanwhile, the UK’s legal infrastructure is increasingly ready to support these developments. The Law Commission’s recent endorsement of a new ‘third category’ of property to account for digital assets is a significant step forward, strengthening the legal foundation for cryptoassets, tokenised securities, and carbon credits. In doing so, the UK is proving it has both the legal and technological credibility to lead on digital assets.

Now is the time to act

The UK’s digital asset economy is already the largest in Europe, with £172 billion in on-chain transactions last year. Yet without bold, strategic intervention, we risk being eclipsed by more proactive nations. As innovation accelerates and geopolitical dynamics shift, the UK must seize its moment.

With the right leadership, a coherent regulatory environment, and an ambitious vision for innovation, we believe the UK can cement its status as a global hub for digital assets and blockchain technology.

Now is the time to move from ambition to action.

If you have queries on the above, please contact Matt Green

Read the other articles in this edition here : The Fineprint – Edition 1 – July 2025 – Lawrence Stephens

How to protect your crypto assets

Posted on: May 30th, 2025 by Natasha Cox

Director and Head of Blockchain and Digital Assets, Matt Green, comments on the recent series of attempted kidnappings of crypto entrepreneurs and discusses how to best protect assets stored on the blockchain, in The Next Web.

Matt’s comments were published in The Next Web, 29 May 2025, and can be found here.

“Despite the industry pining for decentralisation, much of the data points towards identifiable individuals with either massive wealth or access to third parties’ wealth. Simple blockchain analytics openly identifies addresses holding fortunes, and once those addresses are associated with named individuals (data triaging and clustering can unmask a pseudonymised  address), then criminals can see very clearly that a person holds significant wealth. Imagine your bank balances are posted online and through analysing open source data, the world can see it’s your account.

“In terms of crypto holders, the only thing stopping criminals gaining access is human error or force so kidnapping aims to break down the integrity of that human led security.

“The nature of blockchains means balances and addresses are public. In the same way van stickers read “no tools are kept in this vehicle”, it might be worth making a conscious effort to show a single person under duress is incapable of giving access to crypto holdings. Having clear statements about Multi-Sigs (Multi-Signature wallets) would likely deter kidnappers, who would have to pursue multiple individuals to make gains.”  

To out more about our work on blockchain, crypto and digital assets, please click here

Matt Green co-authors article on crypto-asset recovery for Oxford Law Pro’s Expert Essentials, Oxford University Press

Posted on: May 28th, 2025 by Natasha Cox

Writing for peer reviewed Oxford Law Pro’s Expert Essentials, Head of Blockchain and Digital Assets Matt Green and Outer Temple Chambers’ barrister Henry Reid provide a practical guide on the recovery of misappropriated crypto-assets.

Matt and Henry’s article was published in Oxford Law Pro, 14 May 2025, and can be found here.

Following the $1m loss of the stablecoin Tether, Matt and Henry explore the practical issues of asset recovery – including the use of blockchain analytics reports, dealing with crypto exchanges and pursuing persons unknown – as well as the legal considerations.

The article begins by discussing an example of a scam in which the claimants transfer one million Tether to persons unknown, considering the movement of these assets across the blockchain and their subsequent deposit at crypto exchanges. 

Matt and Henry then analyse the viability of potential legal proceedings, discussing potential routes to recover the misappropriated assets, and outline how to approach cryptocurrency exchanges at a pre-action stage.

Their article concludes with a narrative on preparing an ex parte application against these persons unknown, as well as seeking a worldwide freezing injunction to prevent the dissipation of the stolen crypto and seeking disclosure from the crypto exchanges to identify customers who have received the traceable proceeds.

Dominic Holden discusses proposed ransomware ban in Law 360

Posted on: May 23rd, 2025 by Natasha Cox

Director Dominic Holden discusses the UK government’s proposals for a ransomware ban in Law 360.

Dominic’s article was published in Law 360, 22 May 2025, and can be found here. 

Ransomware ban move could push hackers to private sector

The government’s bid to crack down on ransomware payments could heap pressure on companies in crisis without any guarantee that it will pull the plug on the billion-pound cybercrime industry, lawyers say.

Proposals by the Home Office to ban public entities from making ransom payments and to require other bodies to consult with the authorities before they consider sending money to their attackers are intended to undermine the ransomware business model by making the U.K. a less profitable target.

But lawyers warn that the proposals, set out in a wide-ranging government consultation, appear to underestimate the opponents.

“Deceptively simple and undoubtedly well-intentioned, the proposal borders on the naive,” Julian Hayes, a partner at BCL Solicitors LLP said. “Even if it worked, it would simply drive ransomware attackers to softer targets.”

Ransomware pulled in more than £1 billion ($1.3 billion) from victims worldwide in 2023, according to the Home Office. It has become a lucrative source of cash for cybercriminals and state-sponsored actors able to infiltrate businesses and government agencies and take control of their networks and data.

Law enforcement agencies and the government see it as the biggest cyber risk facing businesses in Britain. But it is also perceived as a direct threat to national security because of the ability of criminals to shut down hospitals, energy suppliers and grocery chains.

The National Cyber Security Centre helped to manage 317 ransomware incidents in the 12 months to August 2024. They included 13 separate attacks deemed to be “nationally significant” that “posed serious harm to essential services or the wider economy.”

They include Russian hackers who stole private medical data in June 2024 in a ransomware attack on a medical testing company, Synnovis Services LLP, that disrupted London hospitals. And hackers demanded £600,000 from the British Library to prevent publication of stolen files, a demand it refused to pay, in October 2023.

What to do about the problem divides opinion. Some experts say that paying the ransom puts money in the pockets of organized crime, terrorists and sanctioned individuals — with no guarantee that the stolen data will be returned or services resumed. Paying helps to create a business model, encouraging more attacks.

Many organizations targeted do not pay. Most victims interviewed by the National Crime Agency said they did not want to reward their attackers.

But principles come at a cost.

Marks & Spencer the grocery and clothing chain, continues to lose money following a recent ransomware attack that has disrupted service and will cost it an estimated £300 million. And the Legal Aid Agency, which revealed in May that data dating back to 2010 had been stolen, warned anyone who had applied for legal support in criminal cases that they face the risk of being scammed.

But some companies see no other option. LockBit hackers hit Allen & Overy with a ransomware attack in 2023, but later retracted its threat to release the stolen data. Cyber-experts have interpreted this as a sign that A&O paid out to avoid sensitive client information from being released, although the firm never publicly commented.

Against this backdrop, the Home Office said in March that it was consulting on a range of proposals. They include a limited ban on publicly owned bodies and operators of critical national infrastructure making payments, mandatory reporting of all ransomware attacks by companies that meet thresholds and even approval by the government before they make any payment.

But lawyers warn that the proposals are risky. Payments are already widely viewed as the last resort, a drastic step for companies to take only when backup files restoring their operations fail or there is a risk that the stolen data is not encrypted.

James Longster, a partner in the technology and commercial transactions practice at Travers Smith LLP, said that private sector clients, particularly financial services firms, are concerned that putting restrictions on public-sector targets will simply push criminals to intensify their attacks on them.

“There isn’t a magic answer,” Longster said. “People want to do something because it’s a problem. It’s hard to work out exactly what that is.”

There was also doubt among observers about how the proposals would work in practice. When would companies, trying to get to grips with resuming service, be required to notify the government of the attack? How would a ban, if it was extended to the private sector, affect global companies in countries where there was no bar to payment?

The government has already introduced compulsory reporting of cyberattacks in the Cyber Security and Resilience Bill, which is making its way through Parliament. Victims would be required to report an incident only once. But lawyers say a lack of detail means it is unclear how the proposals would sit alongside existing notification requirements, potentially delaying payment during talks with authorities — and prolonging the disruption.

Business leaders fear the proposals might also lead to expensive red tape when they are already under pressure. Companies already face a race against the clock to disclose cyberattacks to their regulator, the Information Commissioner’s Office — and, potentially, to individuals if personal data was stolen.

Longster predicted that the ban on public sector bodies making payments might not make it into legislation if there was resistance during the consultation. But he said that the reporting obligations to the central government “could meaningfully turn the dial” by equipping law enforcement agencies with the best information possible.

Another proposal would require businesses to gain government clearance to ensure that money would not go to sanctioned individuals or terrorists. Christopher Whitehouse of Reynolds Porter Chamberlain LLP said that limited legislation introducing a reporting requirement – but not going as far as an outright ban – would be a good compromise.

“Save for those extreme cases, if there’s something companies could do to survive, but aren’t allowed, it’s going to be a tough sell,” Whitehouse said.

Britain would become one of few Western governments to introduce the ban – perhaps the only one – if it did so. Many countries have pledged not to pay ransomware, but none have actually made it illegal, even if it involves paying a sanctioned entity.

Some U.S. states have passed legislation banning public authorities from paying ransoms, but experts have warned that the results have been mixed.

Hayes of BCL Solicitors also said that the potential ban on government agencies making payments overlooks the fact that hackers, particularly those backed by hostile governments, are often more interested in causing chaos than making money.

Outlawing ransomware payments “risks making hostages of us all,” Hayes said.

“Such sophisticated threat actors are highly unlikely to surrender without a struggle,” Hayes continued. “Far from being deterred, such groups are more likely to fight tenaciously to protect their lucrative business models, with ‘big game’ ransomware groups intentionally targeting the U.K. essential services on which we all rely, both to break the government’s will and serve as a warning to like-minded countries not to follow suit.”

Some lawyers advocate for a more aggressive policy to help ensure that does not happen.

Dominic Holden of Lawrence Stephens said that hackers would look abroad if it was illegal for public and private sector entities to pay out.

Support for small and midsized businesses in the form of tax breaks or subsidized insurance premiums would also mean that the incentives to target the U.K. would vanish, Holden said.

“If the government is going to do this, I don’t think they should do it in half measures,” Holden said. “If you’re going to eradicate the problem, and disincentivize the hackers so they go overseas in jurisdictions where they can be paid, then grasp the nettle and ban all payments.”

Mark Jones, a partner at Paynes Hicks Beach LLP, said there were also concerns that the mandatory reporting requirement could then trigger regulatory scrutiny. The government would have to assure companies that the information would remain confidential if it wants to win support for legislation, Jones said.

“I would also hope to see measures to support those who are victims of ransomware, rather than simply add to the stress of the situation,” Jones added.

For more information on our cryptoassets expertise, please click here.

How to navigate the first 72 hours of a ransomware attack and recover ransoms paid in crypto

Posted on: May 23rd, 2025 by Alanah Lenten

Dominic and Asim’s article was published in Fraud Intelligence, 21 May 2025, and can be found here.

Discovering that you have been the victim of a ransomware attack can be reputationally and financially devastating to an organisation. However, when responding to an attack, the first 72-hours are critical. Quick and decisive action can help preserve evidence, while protecting assets and systems.

Cyber attacks vary in their potency and impact. A ransomware attack which locks down a company’s entire IT system is, of course, different from a more limited attack on a single device – an organisation’s response will therefore vary. However, notifying your insurers and the police, getting internal and external IT support on task immediately, while also notifying company staff should all be considered.

Where data is at risk, notifying the Information Commissioner and other regulators within 72 hours – as well as your customers – can also be necessary.

Should you pay the ransom?

Current guidance from the National Crime Agency is that they do not “encourage endorse nor condone the payment of ransom demands”. This is because there is no guarantee that you will get access to your data or computer, your computer may still be infected, you will be paying a criminal group, and you increase the likelihood that you (and others) may be targeted in the future.

However, in many cases, commercial victims of a ransomware attack can find themselves unable to continue their business operations whilst key systems remain compromised. This is the hacker’s leverage, that, there may come a point where continued business losses are unsustainable and paying a ransom to unlock their systems becomes an expense in mitigation.

Such ransom payments are often demanded in cryptocurrency and their payment can be covered by insurance. It is important that businesses check their policies to see whether this forms part of their cover.

How to prepare?

Given the number of moving parts involved in managing the aftermath after a ransomware event, it can quickly become overwhelming, unless robust and specific plans are already in place. Such ‘incident response plans’ should already be agreed and understood by the company’s leadership and those staff who will need to take action. Running simulations of how a business will cope during a ransomware attack is advisable (e.g. turning to paper processes in the short term and ensuring that all know what their roles are during an attack).

Backing up your systems on a regular basis and training staff  to recognise unusual behaviour or unexpected activity on their devices is critical – for example, phishing emails, unprompted windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much. This can suggest that scammers have taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

How to react?

While you are reacting to the consequences of the breach, you may simultaneously have to identify and fix the vulnerability, comply with legal and regulatory requirements, notify your insurers and provide comfort to your staff, customers and suppliers that matters are in hand. During this period, chaos can ensue, and mistakes can be made that could severely hamper any subsequent investigation.

Below are some key points to bear in mind during this initial period:

Preserve the evidence

The preservation of evidence is a key initial task, and leadership should strive to work with professionals to ensure that all system logs are retained. It is advisable to hire in digital forensics or organisations that specialise in dealing with cyberattacks –if you have good cyber insurance, this is something your insurer may provide.

Avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets.

If possible, take a full forensic image of the affected devices and work from backups (provided these have not also been compromised by the attack). You may need to buy fresh devices so that those affected can be preserved as evidence.

Your internal communications team may want to take on PR consultants to assist with crisis comms as the news breaks, if it is an attack with significant reputational implications.

Secure Your Communications

It may be wise to set up new, secure email addresses immediately and avoid logging into any accounts you suspect may have been compromised. You should consider how best to continue internal communications with secure channels being set up to action any critical messaging

It may be necessary to notify your bank and or other service providers of any new email address, or communication preferences, to ensure that no instructions are to be taken from the old email addresses.

In attacks where the victims have been socially engineered, one or more company email addresses or social media accounts may have been compromised. You should access the log-in history which details the IP address and location of all log-in attempts.

If there are any suspicious logins, it is likely that email addresses have been compromised, and your communications may be monitored or used by the scammers to gain further access. This could also impact other accounts, bank accounts and social media profiles.

It is vital that passwords are immediately changed and strengthened across the organisation.

Communicating with the Hackers

When the hackers reach out to demand a ransom payment from you ensure that they are unaware of the steps you are taking internally.

Ransom payment negotiators are available to assist with these negotiations to drive the ransom demanded down. This can also buy an organisation time if the hacker is threatening to publish the compromised data on the internet.

Make sure to collate a detailed record of all communications with the hackers, including requests for payments, emails, phone calls, text messages, social media interactions. If the ransom is paid in crypto, take a note of the transaction details, wallet addresses and transaction hashes etc.

If you have been directed to a webpage during your interactions with the hackers, you should ensure to take screenshots of these pages in case they disappear. Any evidence of what jurisdiction they may be in is also vital.

Accurate records are crucial for any subsequent legal action and investigations.

Recovering the ransom payment

If the ransom is paid in crypto, this could give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action. It may also allow time for the necessary court orders to freeze assets to be granted and implemented. These steps, if taken quickly, can result in an organisation (or their insurer) recovering the ransom after it has been paid.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets, as well as relevant transaction hashes or addresses as these will form the basis of asserting your proprietary claim to those assets, which is essential in recovering them.

Hackers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. Exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Your legal team can place exchanges on notice that they have received the proceeds of crime and request they freeze the relevant accounts while also requesting disclosure of any onward transfers and withdrawals from that account to trace the stolen assets.

Report to Law Enforcement

The attack should be reported to the police and Action Fraud. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible and obtain a direct liaison and contact details. Try not to be discouraged or frustrated if the police cannot offer much help.

Police resources, expertise, and capacity to deal with cyber crime can vary considerably, and officers may lack immediate familiarity with the complexities involved.

Even if the police can’t provide much assistance, a formal report is important, as it creates an official record that supports other legal and recovery actions you may take and can also assist law enforcement in identifying patterns in criminal gangs to help others avoid falling victim.

Engage with Experts

Engaging promptly with specialist IT and legal advisors experienced in breach response is crucial to mitigate the fallout from the attack and limit business interruption.

Cyber experts should be able to quickly identify the areas of your system that have been affected, the extent of the breach and the data under threat, as well as devise a plan for bringing your systems back into operation. It may be possible to decrypt some of the compromised data without paying the ransom, or to restore your systems from backups.

Your legal team should work closely with these experts to ensure that your regulators are notified of the attack and kept abreast of developments. Your legal team may also need to review your company’s commercial agreements, to see if any termination or notification events are triggered as well as deal with any claims that might arise from your suppliers or customers as a result of the attack.

Conclusion

Careful advanced planning and swift and methodical action when an attack occurs can reduce stress, while also significantly limiting the damage a ransomware attack can cause to an organisation in the first 72 hours.

Crypto recovery – navigating the first 72 hours

Posted on: May 23rd, 2025 by Natasha Cox

When a person goes missing, the first 72-hours are mission critical.

The same urgency applies if you have been hacked, scammed or are the victim of a theft- even more so if the loss are crypto assets. Quick and decisive action in the immediate hours will significantly mitigate the risk of those assets being obfuscated and dissipated and assist with recovery.

Crypto scammers are particularly ruthless, often deploying all manner of sophisticated tactics. From straightforward account compromises and theft with no direct interaction, to elaborate social engineering, often gaining trust through dating websites, fake investment platforms, or social media, their ultimate aim is to deprive a rightful owner of crypto assets.

Discovering that you have been the victim, regardless of the methodology used, can be emotionally draining as well as financially devastating. Clarity of thought and rational action can often give way to absentmindedness. This can lead to victims continuing to pay the bad actors, or fake recovery firms who are one and the same.

In the circumstances this is entirely understandable.

The appropriate next steps can vary depending on the specific circumstances, however our recommended action plan is detailed below and applies to most scenarios:

  1. Secure your communications

Often, particularly in cases where victims have been socially engineered, your email addresses and social media accounts will likely have been compromised as the result of the hack.

Most mainstream email providers will allow you to see a log-in history which details the IP address and location of all log-in attempts. Consider if any are unrecognisable.

If there are any suspicious log-ins, it is likely that your email address has been compromised and your communications may be monitored by the scammers. This could also impact other personal and financial accounts linked to your email, such as online shopping accounts, bank accounts and social media profiles. Credit ratings and access to future baking facilities may also be affected.

In this case, it is vital that you immediately change the password for your email, and then for all other accounts held online.

In addition, we recommend that you set up a new, secure email address immediately and avoid logging into any accounts you suspect may have compromised. You should divert any personal and critical emails to your new account, and ensure that you update your email address across your online shopping, social media and bank accounts.

It is important that you notify your bank and or cryptocurrency exchange of your new email address, which replaces the old one, and ensure to communicate that no instructions are to be taken from the old email address.

  1. Cease communications strategically

In cases where scammers have maintained prolonged contact, they may continue to reach out to you. Let them remain unaware you know this is a fraudulent scheme. If they know that you are aware, there is a heightened risk that they will take steps to obfuscate their trail and dissipate assets, which can make asset recovery more complicated.

If you can, you should look to cease communication strategically without encouraging further interaction. One approach might be to indicate you will be unavailable or away for a few weeks. This will hopefully give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action.

In short, the longer the scammers believe that their scam is undetected, the better.

You should then immediately begin collating a detailed record of all previous communications, including requests for payments, emails, phone calls, text messages, social media interactions, transaction details, wallet addresses and transaction hashes etc. Accurate records are crucial for any subsequent legal action and investigations. If you have been directed to a webpage during your interactions with the scammers, you should ensure to take screenshots of these pages in case they disappear.

Evidence of what jurisdiction they may be in is also vital. For example, note of their telephone number and dialling code (e.g. +44 for UK) or mention of a registered office (even if untrue) will help dramatically.

  1. Report to law enforcement

As soon as possible, you should report the theft to the police and Action Fraud – or equivalent law enforcement agencies. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible, and obtain a direct liaison and contact details. Action Fraud is only a database, and your query will not progress unless the police investigate.

Try not be discouraged or frustrated if the police cannot offer much help. Police resources, expertise, and capacity to deal with crypto related crimes can vary considerably, and officers may lack immediate familiarity with blockchain technology, or the complexities involved

Even if the police are unable to offer much direct assistance, formally reporting the incident is a crucial step as it creates an official record that supports any subsequent legal and recovery actions you may take with the support of your legal team.

  1. Device management and evidence preservation

Given that so much of our lives are conducted online and contained within personal devices such as laptops and mobile phones, it is crucial to exercise heightened caution if these devices may have been compromised.

If you notice unusual behaviour or unexpected activity on your devices (for example, unprompted command prompt windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much) then this may be an indication your device may be compromised.

This is more likely if the scammers have previously taken remote control of your device under the pretence of assisting you through services, like AnyDesk.

As tempting as it may be, avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets. Formatting or resetting the device risks destroying potentially valuable evidence which often indicates the attack vectors used by the scammers and can be a useful part of the puzzle in identifying who they may be.

If your budget permits, obtaining new, uncompromised devices for interim use is recommended.

  1. Secure remaining crypto assets

It may be that the scammers have only targeted or been able to target specific parts of your crypto holdings. However, if your devices or email/social media accounts have been compromised, it is likely they know much more than you think – including what centralised exchange accounts and wallet addresses you have that they may wish to target next.

As such, you should immediately access and review all centralised exchange accounts you may hold online, and cold storage where applicable. Update your details held at these accounts, including email, contact information and passwords.

It is also crucial to strengthen your two-factor authentication and carefully review transactions to identify any activity you do not recognise which may be indicative of that account being compromised.

If you are holding any assets on these accounts, consider creating new, secure self custodial wallets on uncompromised devices and transferring remaining assets between multiple wallets.

If you have previously staked assets, check to see whether these remain staked or have been unstaked without your knowledge and are in any cooldown period. If unstaking has been initiated, try to take steps to ensure the unstaked assets can immediately be sent to your new, secure wallets as soon as possible.

  1. Engage with experts

Engaging promptly with specialist lawyers experienced in crypto asset disputes, particularly asset tracing on blockchains and recovery, can be vital ensuring the swift tracing and recovery of your assets.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets (such as statements) as well as relevant transaction hashes or addresses as this will form the basis of asserting your proprietary claim to those assets. This is essential in recovering such assets.

Scammers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. These exchanges will have established payment rails which allow them to enable the transfer of fiat funds and are crucial to their business operations. 

As these payment rails exist within a regulated environment, banks must be comfortable with the funds handled by these exchanges. Consequently, exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Once an investigator can identify exchanges which have received the stolen assets, your legal team should then enter into dialogue to place them on notice that they have received the proceeds of crime and request they take specific actions. These include freezing the relevant accounts to secure any assets held within, as well as requesting disclosure of any onward transfers and withdrawals from that account which can be used to further trace the stolen assets with a view to recovery.

This draws a line in the sand – the exchange is now aware of the issue and any funds held at or subsequently deposited at that account must now be frozen.

  1. Seek emotional support

Recognising that you have fallen victim to a scam can trigger intense emotional distress, anxiety, and feelings of isolation. It is important to recognise you are not alone and that these feelings, while overwhelming, are a common response to what can be a very personal breach of privacy, trust and security.

If you find yourself in such a position, consider reaching out to supportive friends and family. Whilst there are also online communities offering support to victims, you should treat these with caution, as these can present attractive hunting grounds for scammers seeking to exploit those at their most vulnerable.

If you find your emotional state severely impacted or you are feeling persistent low, anxious or overwhelmed, it is essential to seek professional medical or mental health support.

As outlined above, acting quickly and methodically within the immediate hours and days after discovering a scam or can significantly improve the prospects of recovery and limit the broader financial and emotional damage.

For more information on our services relating to technology disputes, please click here. For our cryptoassets services, please click here

Shaping Blockchain Law: Matt Green Reflects on Career and Landmark Crypto Cases in CDR

Posted on: May 14th, 2025 by Natasha Cox

Head of Blockchain and Digital Assets and Technology Disputes, Matt Green, speaks with Commercial Dispute Resolution (CDR) about his career in the crypto asset space and how some of the notable cases he has worked on have influenced legal precedent around blockchain and digital assets. 

Matt’s interview was published online in Commercial Dispute Resolution (CDR), 12 May 2025 and can be found here.

Discussing the first crypto case he was involved with, the landmark AA v Persons Unknown, Matt explains “I was enormously opportunistic, and I just rode with it… I was in the right place at the right time.”

He notes how there was “a big gap in the market” at the time, with many in the blockchain and digital asset space not knowing that there were legal routes to trace and recover their stolen or hacked assets.

Speaking on lessons learned during his career, Matt comments:“It is attrition, staying in the game, not overreaching. Being very aware that you don’t know everything. I don’t think anybody could say they did have all the answers, on the basis that the judiciary and the industry are trying to figure it out.”

Discussing the evolution of both his practice and the digital asset space itself, Matt explains that “there will be huge intellectual property battles about a variety of different things that we probably can’t even imagine yet, it’s almost unknowable.”

With many of Matt’s cases showing the “grizzly places” of the crypto world – from pig butchering scams on Facebook groups for grieving widows to tracing stolen assets to an organ farm in Southeast Asia, and the high-profile disputes over the identity of Satoshi Nakamoto.

Yet despite this, Matt encourages people to see the wider utility of this technology, telling CDR that he would like to see the “wider adoption and understanding of the applications of blockchain tech and digital assets.”

For junior lawyers looking to get into the constantly evolving world of digital assets and blockchain, Matt explains that there are plenty of ways: “set up a blog, write articles, start a podcast, join groups. If you get involved with the industry that you choose, you’re going to be much more valuable to a law firm than if you don’t, and there is no date by which you should start doing this.”

For more on our Blockchain, Digital Assets and Technology Disputes services, click here

Matt Green discusses crypto assets disputes and recovery with the Government of Gibraltar

Posted on: May 8th, 2025 by Natasha Cox

Director and Head of Blockchain Matt Green presented to the Ministry of Justice, Trade and Industry of the Government of Gibraltar, outlining the evolving legal status of digital assets alongside Scott Pounder, Founder and CEO of Prometheus Insights. 

Looking to the current legal landscape and potential future developments, Matt and Scott explained why recognising digital assets as property is essential, considering:

  • The definition of digital assets
  • The canon of common law, including Matt’s own cases, and how asset recovery cases created precedents globally
  • The role of legal definitions of property, now ratified in the Court of Appeal, from case law through to the Property (Digital Assets etc) Bill
  • Considering a draft statutory instrument designed to bring dealing with crypto assets into the remit of regulated activity under FSMA 2000.

The Government of Gibraltar’s official press release can be found here.

For more information on our digital assets expertise, please click here.