Blockchain Bites: Australia sanctions Medibank attacker in first use of cyber powers, Number go up: FTX and Celsius recoveries buoyed by crypto markets, Full Court press: Judge quizzes SEC in Binance case, Japan serves up Web3 friendly policies
Michael Bacina, Steven Pettigrove, Tim Masters, Jake Huang, Luke Higgins, Luke Misthos & Kelly Kim of the Piper Alderman Blockchain Group bring you the latest legal, regulatory and project updates in Blockchain and Digital Law.
Australia sanctions Medibank attacker in first use of cyber powers
In a coordinated action with the US and UK governments, Australia has imposed targeted financial sanctions on Aleksandr Ermakov, a Russian citizen and alleged cybercriminal, for his role in the Medibank hack 18 months ago. This marks the first time that the Government has utilized new powers to deter and respond to malicious cyber activity since they were introduced in 2021.
The targeted sanctions make it a criminal offence, punishable by up to 10 years’ imprisonment and heavy fines, to provide assets to Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments. Ermakov will also be subject to a travel ban.
This announcement highlights the Government’s commitment in the 2023-2030 Australian Cyber Security Strategy to deter and respond to malicious cyber activity, including through the use of sanctions. The coordinated action between Australia, the US and the UK follows recent actions targeting Hamas’ fundraising networks, including cryptocurrency exchanges.
In its announcement, the US Office of Foreign Assets Control stated:
Australia sanctioned Ermakov for utilizing ransomware to attack the Medibank network and for the exfiltration of sensitive data of 9.7 million users of Medibank services. Today, the United States and the United Kingdom, in solidarity with Australia, are taking action against the same individual because of the similar risk presented by this actor to the United States and the UK.
Australia has sanctioned Ermakov under new powers in the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 (Cth) which enable it to deploy targeted sanctions based on certain thematics, including weapons proliferation, serious human rights abuses and malicious cyber activity. Sanctions can be applied targeting sanctionable conduct wherever it occurs globally.
Under this regime, the Minister for Foreign Affairs may designate a person or entity for targeted financial sanctions and impose travel bans if the Minister is satisfied the person or entity:
- has caused, or attempted to cause, a significant cyber incident;
- has assisted with causing, or with attempting to cause, a significant cyber incident; or
- has otherwise been complicit in causing, or in attempting to cause, a significant cyber incident.
A ‘cyber incident’ is a cyber-enabled event (or a group of related cyber events) that results in, or seeks to cause, harm to Australia or another country or countries. This may include events that result in harm to individuals, businesses, economies or governments.
The coordinated sanctions against Ermakov will restrict his ability to continue to profit from ransomware attacks by prohibiting ransomware payments to him or on his behalf. The Minister’s announcement stated:
The Australian Government discourages businesses and individuals from paying ransoms or extortion claims to cyber criminals.
Minister for Home Affairs and Minister for Cyber Security, the Hon Clare O’Neil MP said:
Our strong advice to businesses is never pay the ransom. Paying a ransom does not guarantee sensitive data will be recovered, prevent it from being sold or leaked online or prevent further attacks. It also makes Australia a more attractive target for criminal groups.
There are a number of legal issues to consider in responding to a ransomware attack, including disclosure and sanctions obligations and potential legal claims. Where faced with a ransom demand, it is important to carefully consider all factors including the risk of breaching sanctions laws. Given these risks, it is important to seek professional advice from cyber experts and lawyers with experience in dealing with cyber attacks in responding to any cyber incident.
By Steven Pettigrove and Jake Huang
Number go up: FTX and Celsius recoveries buoyed by crypto markets
Creditors of the defunct crypto exchanges, FTX Trading Ltd and Celsius Network, finally saw some light at the end of the tunnel this week with the promise of creditor distributions now on the horizon. However, legal challenges and contention remain over the calculation of creditor claims in FTX and the prospect of potential preference actions against Celsius creditors who made net withdrawals from Celsius greater than USD$100,000 in the 90 days prior to the petition date -13 July 2022.
The bankrupt Bahamas based crypto exchange received US Bankruptcy Court approval to liquidate its crypto holdings in September 2023. Under the so called “coin monetarization” strategy, the firm sought to minimize risks of price volatility while maximizing sales value and creditor distributions. At a Court hearing in Delaware on Wednesday, the exchange’s lawyers confirmed that eligible customers could be repaid in full, provided they can prove that they held and subsequently lost assets on the platform. FTX’s lawyer stated:
I would like the court and stakeholders to understand this not as a guarantee, but as an objective…There is still a great amount of work, and risk, between us and that result. But we believe the objective is within reach, and we have a strategy to achieve it.
The bankruptcy administrators’ method for calculating claims remains contentious as the US Bankruptcy Judge John Dorsey ruled that the claim value will be calculated based on what creditors were owed on the filing date of FTX’s bankruptcy in November 2022. This sparked controversy for its failure to take into account the surge in prices over time, which saw Bitcoin’s price rebound approximately 110% from the time of collapse.
In response, the FTX Creditor Committee lawyer stated during the Wednesday hearing:
Many of those claims are premised upon currencies which declined dramatically in value in that tumultuous period leading up to the petition date
The exchange has also abandoned its plans to relaunch due to lack of interested buyers and will shift its focus to repaying customers.
Following the approval of Celsius’ reorganization plan by the US Bankruptcy Court in November 2023, Celsius circulated notices to customers who have large preference exposure in the firm’s bankruptcy offering settlements with the bankrupt estate. The settlement offers have proved controversial, with creditors given only a short period of time to consider the offer and requiring creditors to pay in funds into the bankrupt estate in order to become eligible for distributions.
In a January 31 statement, Celsius officially confirmed that it would exit bankruptcy and being distributions to creditors:
Today, over 18 months after Celsius paused withdrawals, we began distributing over $3 billion of cryptocurrency, fiat, and stock in Ionic Digital to Celsius creditors
Ionic Digital Inc is a newly established Bitcoin mining company which is expected to become publicly traded, following requisite approvals. In a court filing, Celsius also clarified that PayPal, Venmo and Coinbase will be used for creditor distributions as the debtors’ mobile and web applications are scheduled to be taken down in late February. The firm is currently taking final steps to wind down its operations:
Our exit from bankruptcy is the culmination of an extraordinary team effort and extensive collaboration…we are proud of the preservation and distribution of cryptocurrency assets and enhanced recovery for customers and claim holders
Separately, the firm’s former CEO, Alex Mashinsky, is pending his trial in September 2024, on charges of fraud, price manipulation and misleading conduct. He has denied all allegations to date and is currently released on a USD$40M bond. FTX’s former CEO, Sam Bankman-Fried was convicted on fraud charges following a high profile trial in New York last November.
By Steven Pettigrove and Kelly Kim
Full Court press: Judge quizzes SEC in Binance case
In last week’s summary judgment hearing in the Securities and Exchange Commission (SEC) versus Binance, the judge posed a simple yet confounding question: “What is the difference between a crypto asset that is a security and a crypto asset that isn’t?”
Judge Amy Berman Jackson, with a sly twinkle in her eye, posed this question during the rollercoaster hearing of Binance’s motion to dismiss the SEC’s case against it, a legal ballet dancing over statutes of limitations, jurisdictional disputes, and the central question of whether Binance’s BNB exchange token qualifies as a security.
During the hearing, Her Honour echoed the industry’s frustration with the SEC’s failure to give clear guidance defining the boundaries of securities laws in relation to digital assets. Her Honour aimed a pointed question at the SEC:
What is the boundary of your definition [of a security]? And don’t just say Howey.
For the uninitiated, the “Howey” test hails from a 1946 court decision, concerning an investment scheme involving orange groves in Florida. The application of the so-called “Howey test” that derives from that case has been the subject of heated debate over several years.
Jennifer Farer, an attorney representing the SEC, acknowledged the absence of a clear delineation between a token that is a security and a token that is not, stating “I know that the court may be frustrated that there’s no bright line.” The lack of precise regulatory guidance has been a recurrent challenge for both the SEC and the crypto industry, leading to regulatory actions of varying outcomes and casting a cloud over the development of Web3 technologies.
Paul Grewal, Chief Legal Officer of Coinbase (which is fighting its own battle with the SEC), pointed out via X that the SEC contradicted itself in the Binance case when compared to similar arguments in the Coinbase case:In a regulatory landscape where precision is paramount, this contradiction highlights the confusion over what the SEC have consistently maintained are clear laws. Despite the SEC’s protestations, it has faced a series of setbacks in recent cases seeking to enforce those laws, notably the high-profile loss against Ripple last year.
Despite Her Honour’s questioning of the SEC’s case, she also seemed underwhelmed by Binance’s defence of its ICO. The SEC’s suit, a 13-count pleading featuring allegations ranging from failure to register as a securities exchange to fraud carries on despite Binance’s settlement with the US Department of Justice and the Commodity Futures Trading Commission on other charges which resulted in a USD $4.3 billion settlement and a guilty plea from Binance founder and former CEO Chaoping Zhao.
Alongside Coinbase’s defence of its case against the SEC, which was also before the Courts recently, Her Honour’s decision will carry heavy implications. The heated debate underscores the need for legislative action to give clarity to the crypto industry while ensuring appropriate protections for consumers.
In Australia, ASIC has similarly sought to test the boundaries of its jurisdiction by pursuing enforcement actions against the likes of Finder Wallet and Block Earner alleging that certain crypto-asset related offerings involved the offer of financial products.
As the gears of justice turn slowly, it may be several years before the Courts can provide sufficient clarity to industry and consumers. These matters should not be left to the judicial system if regulators wish to provide effective regulatory protections, avoiding jurisdictional arbitrage while keeping pace with technology.
For the time being, all eyes are fixed on the outcome of the Binance and Coinbase cases, which are set to make significant precedent for the crypto industry and beyond whatever the eventual outcome.
By Steven Pettigrove and Luke Higgins
Japan serves up Web3 friendly policies
Lawmakers from Japan’s governing Liberal Democratic Party are hard at work developing a range of policies aimed specifically at fostering Web3 projects by clarifying relevant laws and regulations. This work continues Japan’s progressive approach to regulating digital assets to best position the country to capitalise on growth and opportunity arising from Web3 businesses.
In an interview with Coindesk Japan, Japanese congressmen Masaaki Taira and Hideto Kawasaki said:
We would like to grasp the current situation in areas other than decentralized autonomous organizations and identify new important points for policy
Japan has been a pioneer in establishing robust consumer protections and attractive regulation for Web3 for some time. In 2020, Japan enacted amended legislation regulating digital assets, after it became one of the first countries to establish a regulatory framework for cryptocurrency exchanges following the collapse of the Mt Gox exchange. Those reforms have faired well with Japanese customers of FTX Japan recovering their assets in full shortly after the collapse of the now defunct exchange owing to strict custody and segregation rules under local law.
Last June, Japan introduced stablecoin legislation becoming one of the first jurisdictions in the G20 to roll out its framework. Also in 2023, Japan’s central bank, the Bank of Japan, released a report detailing experiments it undertook using a Central Bank Digital Currency (CBDC).
In April 2023, the Liberal Democratic Party of Japan set up a Web3 project team called web3PT which committed to discussions with the aim of developing various Web3 projects using blockchain technology. The group also released their own Whitepaper which is under ongoing development.
At the end of 2023, web3PT hosted a Decentralised Autonomous Organisation (DAO) hackathon aimed at creating an environment where stakeholders and interested parties could express what they want to see from policymakers, like Hideto Kawasaki.
Through the hackathon, both short-term issues and medium to long-term issues became clear
While other jurisdictions, such as the United States and to a lesser extent Australia, have been slow to introduce fit-for-purpose laws and policies with respect to Web3, the Japanese government is taking significant steps to implement robust policy to attract investment and business. In common with a number of Asian jurisdictions like Hong Kong, Singapore and Korea, Japan has taken a proactive approach to harness the benefits of Web3 technology while addressing consumer protection concerns. These policies have also provided a regulated pathway to the further development of Web3 technologies helping to keep and attract talent in a competitive global technology space.
By Michael Bacina, Steven Pettigrove and Luke Misthos