- What is cryptocurrency?
- Is cryptocurrency a genuine currency?
- What is the relationship between cryptocurrency and smart contracts?
- What are the downsides, or risks involved with, smart contracts?
- What is the legal status of cryptocurrency?
- Which financial services and market regulations apply to cryptocurrency?
- What are the risks and challenges associated with cryptocurrency?
- What are the different types of cryptocurrency fraud?
- What are the legal tools for stopping and/or penalising cryptocurrency fraud?
- What happens to cryptocurrency in the case of liquidation?
- Which tax obligations apply to cryptocurrency?
In recent years, there has been a real ‘gold rush’ for cryptocurrency. And while cryptocurrency needs to be ‘mined’, just like the real stuff, it is much easier to transport and, potentially, keep secure. The existence of cryptocurrency, however, has created compliance headaches for governments: Is it a genuine (‘fiat’) currency? Does it count as someone’s property? How do we ensure that tax is paid on it and that it is not used to commit crimes?
Cryptocurrency has proven to be particularly vulnerable to fraud: In one recent case, a Canberra couple were defrauded of tens of thousands from a scam cryptocurrency business. Perhaps most notoriously, before it was shut down, the dark web marketplace ‘Silk Road’ used cryptocurrency transactions to link buyers and sellers of illegal drugs in the United States.
Nevertheless, the growth of cryptocurrencies is showing little sign of slowing, with a recent court hearing in New South Wales (Hague v Cordiner (No. 2)  NSWDC 23), approving the use of cryptocurrency as security for costs.
In this document, we provide a complete guide to cryptocurrency fraud, broadly construed. As well as looking at cases that would be classified in law as fraud, we look at all the most common forms of wrongdoing associated with cryptocurrency. We begin by explaining the key aspects of cryptocurrency regulation in Australia. We consider:
- How is ‘cryptocurrency’, as well as other key terms like ‘distributed ledger technology’ and ‘smart contract’, defined?
- Is cryptocurrency really a currency?
- Can cryptocurrency constitute ‘property’ or a ‘financial product’ in the legal sense?
Then, we go on to look at cryptocurrency wrongdoing including:
- What are the risks/challenges of dealing in cryptocurrency?
- What are some of the most common scams to look out for?
- What action can be taken against cybercurrency fraud or wrongdoing?
Finally, we examine two key ways in which Australian law deals (or is likely to deal) with cryptocurrency:
- Cryptocurrency and liquidation;
- Cryptocurrency and tax obligations.
What is cryptocurrency?
So, what is cryptocurrency? Cryptocurrency (sometimes referred to as ‘digital currency’ or simply ‘crypto’) has no universally agreed upon definition. Not only that, due to a general perception that cryptocurrency is not a genuine currency, the term ‘cryptoasset’ is becoming more common.
The United Kingdom Cryptoassets Taskforce defined cryptocurrency thus:
a cryptoasset is a cryptographically secured digital representation of value or contractual rights that uses some type of DLT [distributed ledger technology] and can be transferred, stored, or traded electronically.
Picking apart this definition, what exactly is DLT?
DLT is a way of recording and validating transactions: It is a ledger – a ‘book’ of all relevant transactions (traditionally, the book that tracked all debits and credits against a business’s accounts). But instead of one book or computer file which records all the transactions, the ledger is multiply located amongst many different access points (‘nodes’). That is to say, it is distributed.
So DLT is a ledger that is distributed –where does the ‘technology’ come in? Through DLT, each individual node (e.g., an individual user’s computer terminal) processes and verifies the transaction based on a consensus protocol. Cryptography is usually used to identify participants and confirm records. The DLT can usually be programmed in order to automate some function on the records. For example, smart contracts (more on these below) might be used to automatically execute terms of an agreement.
All nodes in the network receive the same permanent record of the history of transactions in the network. This record of the history of transactions is recorded in a chain of cryptographic ‘blocks’: This is why the DLT is sometimes called ‘blockchain’.
Access can be ‘permissioned’ or ‘permissionless’. In a permissionless DLT anyone can change and make alterations to the record of transactions (which will be verified and authenticated using built-in mechanisms, see discussion of ‘mining’ below). In a ‘permissioned’ system, only participants with special authorisation will have access to the DLT.
Two key benefits of DLT include:
- Enhanced security. Essential records are not kept in a giant book locked up in a dusty office. Each node holds the records. This makes it, in theory, much more difficult to attack and manipulate the records;
- Transparency. The information can be seen right across the network.
So how does this definition of DLT tie back into the definition of ‘cryptoassets’? A cryptoasset is a “cryptographically secured digital representation of value or contractual rights”, which uses a DLT. This means, the next question is, how is that representation of value or contractual rights secured?
In major cryptocurrencies (e.g., Bitcoin, Ethereum or Bitcoin Cash) the cryptocurrency is protected using ‘public key’ cryptography. This is a system that employs pairs of keys: public keys and private keys. The public keys are publicly available and necessary for identification. The private keys are secret to the cryptocurrency account holder and used for authentication.
The private key establishes the ownership of a given portion of cryptocurrency funds. These keys are generated and stored in something known as ‘wallet’. In essence, an individual’s own cryptocurrency funds are ‘held’ in the wallet.
As cryptocurrency transactions occur, they must be authenticated and the blockchain updated. This activity is carried out by cryptocurrency ‘miners’: Individuals with powerful computing set-ups who use software to compete with other miners. The miners solve mathematical problems associated with the transaction data and, upon finding the solution, are awarded with quantities of cryptocurrency.
The UK Cryptoassets Taskforce looked at three broad categories of cryptoasset:
- Exchange tokens. These are what we most commonly known as ‘cryptocurrencies’. Examples include Bitcoin and Ethereum;
- Security tokens. These encompass certain rights for an individual, such as repayment of a specific sum of money or an entitlement to profits;
- Utility tokens. These provide access to specific products or services, usually provided via DLT.
The final concept necessary for understanding cryptocurrency is ‘Initial Coin Offerings’ (ICOs). An ICO is a type of funding that sells cryptocurrency tokens to speculators or investors in return for legal tender (or sometimes more established cryptocurrencies like Bitcoin). ICOs are sometimes used by startups seeking to avoid the regulation and rules that apply to seeking investment through other means.
Key takeaway: Cryptocurrency (or ‘cryptoassets’) are a representation of value/rights that uses distributed ledger technology (DLT). Cryptocurrencies often use public key cryptography (public key plus private key), store currency in ‘wallets’, and authenticate transactions via ‘mining’.
Is cryptocurrency a genuine currency?
Given that ‘currency’ is often defined as a ‘medium of exchange’, why did the UK Cryptoassets Taskforce use the term ‘cryptoassets’, rather than using the more common term ‘cryptocurrency’? Essentially, this is because, to date, central banks and Governments around the world have not accepted cryptocurrencies as legal tender (often called ‘fiat currency’). Decision-makers tend to view the volatility of cryptocurrency as indicating that it is not a reliable way of storing value. It has also been noted that they are not widely accepted as a means of exchange (though of course this is changing).
Perhaps a useful analogy for the ‘crypto as a currency’ issue is so called ‘free banking’: The situations where banks are able to issue their own private notes. From 1837–1863, banks in the United States could issue their own bank notes, as long as they were backed by actual gold, or state government bonds. This was also common in Australia up until 1910. The value of private currencies was notoriously volatile, with bank notes (for example) depreciating considerably based on physical distance from a bank branch.
At its core, the perceived problem with cryptocurrency as a genuine currency is a lack of ‘backing’: There is no ‘lender of last resort’ (i.e. the central bank) to prop up the issuers of crypto, providing the backing that people need to feel comfortable in treating it as a form of currency. Furthermore, rather than being asset backed, the value of cryptocurrency is almost entirely dependent on the confidence of the market. The key problem there is – like the poppies in Holland – when confidence drops unexpectedly, the cryptocurrency becomes worthless.
What is the relationship between cryptocurrency and smart contracts?
As with crypto-‘currency’, ‘smart contract’ may be a misnomer: It is up for debate whether the things known by that name are bona fide contract, in the legal sense. Nevertheless, the name is here to stay. So, what exactly is a smart contract?
In essence, it is a computer protocol which enforces/automatically carries out a prior agreed obligation. More specifically, portions of a contract which are if/then conditions (i.e., things that will only occur if something else happens), can be converted into code. They can then be added to the DLT and executed upon the occurrence of certain triggering events. We shall see further below in the case of Quoine Pte Ltd v B2C2 Ltd  SGCA 1 02 (Quoine), that a malfunctioning smart contract can be a significant cause of loss (and in some cases, be used intentionally to facilitate cryptocurrency fraud).
It is, perhaps, best to understand how smart contracts might work through an example: A commonly invoked potential application of smart contracts is ‘trade finance’. This is the system of financing used to support the import and export of goods across borders.
So how would this work through a smart contract on a DLT? The Hong Kong Monetary Authority introduced a smart contract mechanism for trade finance which proceeds as follows:
- Buyer and seller (e.g., importer and exporter) agree to the purchase and sale of goods via a regular contract/agreement for the sale and purchase of goods;
- The buyer sets up the transaction on a DLT platform. Appropriate permissions and access are provided for all the parties involved in the transaction;
- Buyer uploads purchase order to the DLT platform. Consensus is used to verify and authenticate the purchase order before it becomes part of the blockchain;
- The export bank receives notification of the purchase order and a request for export financing;
- Upon verifying the transaction, the export bank agrees to export financing and uploads financing document to the platform for authentication;
- Seller ships the goods to the purchaser;
- Export country customs approval sent to the DLT;
- Importing country customs approval sent to DLT;
- A trade financing document would be uploaded to the DLT platform for all parties to validate through a consensus mechanism;
- Import bank receives notification of invoices/bills of lading as well as request for import financing. Both are verified on the platform;
- Import bank authorises the import financing.
There are some fairly clear benefits to smart contracts that work along these lines:
- Improved transparency. With the smart contract, all parties can see when customs have approved an export or import;
- Security. In a smart contract, the confirmation of each element of the code is encrypted. The risk of an unauthorised individual accessing transaction documents is limited;
- Cost savings. Manual processing, including the sending and verification of paper documents, increases costs and the amount of time spent on each transaction;
- Reduced risk of fraud. As aspects of the smart contract are self-executing. This means there is a reduced risk of one party defrauding the other;
- Secure storage. All documents involved in the transaction, as well as confirmation that the smart contract was executed, are stored in the DLT for later retrieval and audit purposes.
Key takeaway: Smart contracts, which use DLT but may or may not involve cryptocurrency, can be a useful mechanism for more efficiently executing contractual terms.
What are the downsides, or risks involved with, smart contracts?
The European Banking Authority, the European Union’s banking regulator, highlighted a number of risks associated with the adoption of DLT in smart contracts. Set out below are a few of these risks:
- Jurisdictional issues and conflict of laws. As the DLT nodes are often located in different jurisdictions, the contract will need to establish an appropriate jurisdiction. While some of these issues will arise with international trade finance anyway, some are specific to, or exacerbated by, the use of a DLT platform. For example, in some countries digital signatures are permitted and in other countries they are not;
- Compliance issues. A range of data relating to the transaction is held on the DLT platform. This will likely include personal data which is regulated differently in different countries. For example, any nodes located in Europe may be subject to the rigorous regulation of the General Data Protection Regulation (GDPR). There is also a risk that reduced manual verification of the transaction could breach Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) regulations;
- Increased cyber-attack surface. The increased number of participants in the transaction via their nodes will all have different security levels for their node. A weak node might be identified by an attacker and used to steal a private key.
Key takeaway: Despite their advantages, smart contracts and DLT more generally do involve substantial risks that need to be managed.
What is the legal status of cryptocurrency?
Cryptocurrency can be traded and transferred, with or without using smart contracts. Whichever way an individual or business deals with cryptocurrency, it is essential for individuals to determine for themselves how well protected their holding of cryptocurrency is.
While it may not be considered legal currency, that does not mean that cryptocurrency has no legal status. Probably a more important question is whether or not cryptocurrency constitutes property. In lieu of an existing court case on the issue, the UK Jurisdiction Taskforce (not to be confused with the ‘UK Cryptoassets Taskforce’,) issued a statement on the legal status of cryptoassets. Chaired by the Chancellor of the High Court, and a select group of QCs, Justices and top solicitors, the reasoning in this statement has already been highly influential on the courts (see the cases discussed in detail further below), and is likely to continue to be so both in the UK and in related legal systems (such as Australia and New Zealand).
Without getting too philosophical, what is property and why does it matter? Property, fundamentally, is about the relationships of people to things. In the most fundamental proprietary relationship, ownership, the individual has exclusive control and enjoyment of the thing. But property is not limited to ownership and also includes, for example, possession.
Property matters because those with property have substantial rights and privileges over others. For example, owners can often have securities registered against their assets. In addition, having a proprietary relationship with assets is often key to getting priority over unsecured creditors in the case of insolvency. Ultimately the taskforce concluded:
- Cryptoassets have all of the key indicators of property. This means:
- cryptoassets can be owned;
- they are capable of being defined;
- the owners can be identified and cryptoassets can be assigned;
- they are permanent;
- they have a degree of stability;
- The distinctive features of cryptoassets do not disqualify cryptoassets from being classified as property;
- Cryptoassets are not disqualified due to being ‘pure information’, or because it is difficult to classify them in terms of the standard categories of property (‘things in possession’ or ‘things in action’);
- Therefore, in principle, cryptoassets are to be treated as property.
The UK Jurisdiction Taskforce’s statement was affirmed in the case of AA v Persons Unknown  EWHC 3556, a decision of the Commercial Court in the England and Wales High Court of Justice. There, the court classified Bitcoin as property for the purposes of an interim injunction.
In that case, a Canadian insurance company had its computer system hacked: Malware was installed which encrypted the company’s systems rendering it unusable. To get the decryption tool, the hackers demanded a ransom of CAD $1,200,000 to be paid in Bitcoin. After payment, and the decryption tool being sent, the company investigated and tracked down the Bitcoins. While some had been turned into fiat currency, 96 Bitcoins were intact and had been transferred to another address. This address was linked to the exchange ‘Bitfinex’.
The applicant sought a proprietary injunction in respect of the Bitcoin and for a freezing order (to stop the Bitcoin being transferred). The court explicitly accepted the reasoning of the taskforce, and accepted that there was a property interest in the Bitcoin. It granted the proprietary and freezing injunctions.
In Ruscoe v Cryptopia Ltd (in Liquidation)  NZHC 728, the New Zealand High Court accepted that cryptocurrency was a form of property, and that it was property that could be held on trust. We discuss this case in further detail below.
While not specifically addressing the issue of whether or not cryptoassets constitute property, as mentioned earlier, in Hague v Cordiner (No. 2)  NSWDC 23, the court accepted that cryptoassets were a legitimate investment for the purposes of security for legal costs.
Therefore, it is a fair assumption that when the question ‘are cryptoassets property?’ eventually comes before the Australian courts, the answer is likely to be in the affirmative.
Key takeaway: While Australian courts have yet to hear a case on the issue, it is likely that they would follow the UK Jurisdiction Taskforce, as well as the England/Wales and New Zealand cases, in classifying a cryptocurrency account (‘cryptoasset’) as property.
Which financial services and market regulations apply to cryptocurrency?
‘Financial products’ are heavily regulated in Australia, and so too are the markets upon which those products are traded. The agency responsible for enforcing those rules is the Australian Securities & Investments Commission (ASIC).
The financial services regulatory regime consists primarily in rules of conduct and disclosure rules. These rules are intended to ensure that industry participants operate honestly, fairly and with integrity and competence. ASIC uses a licencing system, an ‘Australian Financial Services’ (AFS) licence, to vet and monitor industry participants.
The regime has a range of disclosure rules designed to help investors make informed decisions and promote transparency in financial markets.
The regime also includes some additional protections for situations where investors are at a particular disadvantage: For example, retail investors have access to a dispute resolution mechanism, recognising that they may not otherwise be able to afford pursuing a formal action through the courts.
So, what is a financial product? In short, a financial product is a facility through which a person makes a financial investment, manages financial risk, or makes a non-cash payment (see 12BAA Corporations Act 2001 (Cth)). In 2014, in its submission to the Senate inquiry into digital currency, ASIC offered the view that cryptocurrency is not necessarily a financial product, as it need not involve:
- ‘Making an investment’, as envisaged in the Corporations Act 2001 (Cth). Analysed through the terms used in that that Act (see section 763B), purchasing cryptocurrency is more akin to the purchase of bullion or real property. That is, the purchase money doesn’t generate a return itself, even though the bullion, real property (or cryptocurrency) might;
- There is no facility though which financial risk is managed. Unlike, say insurance contracts or hedging contracts, the person who acquires the facility cannot manage the consequences of certain events occurring;
- Cryptocurrency does not, in itself, give the holder a facility for non-cash payments, as there is no attached right to use the cryptocurrency to make payments, or to redeem it for cash. These things may happen of course, but they would only happen due to entirely separate third party arrangements.
Nevertheless, just because cryptocurrency is not necessarily a financial product, it doesn’t mean that it won’t involve a financial product in particular cases.
In recent advice, ASIC has stated that there are three key considerations in determining whether crypto is a financial product:
- The existence of legal rights attached to the cryptocurrency. For example, does the recipient receive ownership rights, such as voting rights?
- The function of the cryptocurrency. For example, is its value linked to a distinct asset or index?
- Funding. Is there a pool of investor funds for common financial benefit?
As examples, ASIC has suggested that the following could count as financial products:
- ‘Contracts for difference’ using a cryptocurrency. In this arrangement a contract between two parties would state that the buyer must pay the difference between the current value of the bitcoin, and its value at a stated time in the contract;
- Intermediaries who, through a merchant facility, transfer the crypto into fiat currency;
- Cryptocurrency to EFTPOS facilities.
We can distinguish several different types of potential cryptocurrency bodies in Australia and how they might be regulated under the ASIC regimes:
- Issuers of crypto/tokens. Any individual or company that issues tokens that are ‘financial products’ (see discussion above) are required to hold an AFS Licence. Note, however, there are exceptions to this for bodies that operate in the ‘enhanced regulatory sandbox’. We discuss this in more detail below;
- Cryptoasset intermediaries. Individuals that give advice, deal with, or provide intermediary services for cryptocurrency that is a financial product, are subject to a range of laws and regulations, including the requirement to hold an AFS licence;
- Miners and transaction processors. Those involved in mining essentially provide a ‘clearing and settlement’ service and therefore, where they are dealing with financial products, they are regulated according to clearing and settlement rules;
- Cryptocurrency exchange and trading platforms. It is likely that platforms dealing in cryptocurrency that is a financial product, count as a market, and are therefore required to hold an Australian Market Licence;
- Cryptoasset payment and merchant services. If a ‘non-cash payment facility’ is involved with respect to financial product, an AFS licence must be held and a range of obligations apply.
It is worth noting that, even where a business may be otherwise required to attain an AFS licence, they may be exempt from the requirement to do so for up to two years if they are eligible to participate in the ‘Enhanced Regulatory Sandbox’.
To participate, the individual must satisfy key eligibility criteria: the ‘net benefit’ test and the ‘innovation’ test. There are also limitations on what products and services may be provided under the sandbox. For example, there is a AUD $10,000 limit on the value of financial services that you can provide to a retail client.
As long as it otherwise satisfies the eligibility criteria, innovative cryptocurrency products that would otherwise constitute financial products, could be exempt from licensing obligations through the sandbox.
Key takeaway: In some cases, businesses that deal with cryptocurrency may be subject to the financial services and financial market regulation frameworks. These will apply only where the business is dealing with a cryptoasset that is also a financial product.
What are the risks and challenges associated with cryptocurrency?
So far, we have explained what cryptocurrency is and how DLT/blockchain and smart contracts work. We have also looked at how cryptocurrency is defined according to traditional legal categories. But what are the risks for individuals in using cryptocurrency? Some of the most important risks include:
- Cryptocurrency is not insured in the way that bank deposits are. If your cryptocurrency platform is unable to pay out deposits, the Government will not step in to get you your money back;
- Fluctuations. Cryptocurrency is relatively volatile. Consider the case of Bitcoin, the most prominent form of cryptocurrency: It fell to USD $3867.09 on March 12th, after reaching a high of USD $9204.67 on March 7th;
- No chargebacks. As cryptocurrency is not backed by a bank, there is no way to use credit card chargebacks to reverse a transaction. Note, some cryptocurrency exchanges do allow chargebacks for payment through PayPal;
- Public information could identify owners. While cryptocurrency owners hold on to their own private keys, post-‘Silk Road’, it has become clear that the public information recorded in the blockchain for all to see can be used to work out who the owner of a cryptocurrency account is. We are likely to see further cases of regulators using digital surveillance powers to trace usage;
- Overseas transactions and border issues. As with any international transaction, even if the transaction specified where any dispute is to be resolved, there can be considerable difficulty in enforcing this overseas;
- Unknown location. It can be mysterious where a company is incorporated. It is not always easy to work out where exactly a cryptocurrency exchange is located;
- Insolvency or liquidation. Where a company in liquidation has cryptoassets at hand, it will be important for the liquidators to try and access the cryptocurrency to add to the pool of assets for paying creditors. However, the ease of transferring cryptocurrency offshore presents a problem. If the cryptocurrency has been transferred overseas it is much less likely that liquidators will be able to recover it– they will need to get cross border recognition in the country of their habitation. We discuss the impact of cryptocurrency on liquidation at the end of this guide;
- Security of private keys. As the private key held by the individual or business provides almost unrestricted power to move around cryptocurrency, it is crucial that businesses keep these secure.
Key takeaway: Whatever the advantages or appeal of purchasing, investing in, or trading cryptocurrency, there are quite a few risks in doing so that need to be managed.
What are the different types of cryptocurrency fraud?
This is a guide not to cryptocurrency itself, but cryptocurrency fraud. Now that we have explained how cryptocurrency operates, and how it is regulated under the existing law, we will examine how cryptocurrency fraud might occur. We set out some of the key possibilities below:
- Basic sale of goods that are not delivered. Where a transaction involves cryptocurrency as some form of consideration, there is always the risk that a fraudulent party never delivers the cryptocurrency. Compared to some other basic forms of fraud, cryptocurrency can make it more difficult to enforce/take action to ensure that cryptocurrency is paid as it should be;
- Hacking of trading platforms. Perhaps the most well-publicised case of this was the hacking of the Mt. Gox trading platform. This platform was, up until its closure, the world’s biggest cryptocurrency exchange platform. In February 2014, it was discovered that $480 million worth of Bitcoin was missing. The business subsequently became insolvent and filed for bankruptcy that same month. While the CEO was initially suspected, a joint taskforce of U.S. federal agencies analysed the blockchain and was able to trace the stolen bitcoins to hacking by one specific Russian bitcoin exchange operator. Meanwhile the CEO was acquitted in Japan of aggravated breach of trust and embezzlement, but convicted of more minor offending;
- Scam ICOs. In one 2018 study, 81 percent of ICOs were found to be fraudulent: The purchasers received nothing. While an ICO might sound like an ‘Initial Public Offering’ of shares/stock, there is little connection between the two from a consumer safety perspective. IPOs are strictly regulated by securities regulators (ASIC, in Australia), whereas ICOs are usually completely unregulated;
- Phishing scams. In phishing, the potential victim receives an unsolicited email which looks like it comes from the cryptocurrency exchange or wallet service provider. A link in the email takes the potential victim to a site that looks exactly like the actual site of the provider, but is in fact a scam site. Once account details are entered, the scammer logs into the real account and transfers out the cryptocurrency;
- ‘Pump and dump’ scams. In this scam, cryptocurrency traders work together to ‘talk up’ a particular cryptocurrency across media and social media channels. At the same time, they purchase substantial amounts of the cryptocurrency. As the price climbs, others influenced by the marketing join in to further pump up the price. Then at a certain point, the group decides to ‘dump’: They all sell the coin at the same time causing a massive decline in the value of the cryptocurrency and leaving other purchasers holding nothing of value. These scams, depending on the details, are often illegal under securities law;
- Compromising specific accounts. Sophisticated scammers can target wallets to extract the funds of specific high value accounts. They may use a variety of different scamming techniques. In the Binance hack, phishing and viruses were used alongside other measures to get access to the ‘hot wallet’ that they extracted crypto from;
- Fake apps. A common scam involves scammers creating fake apps for the purpose of capturing the real login details of customers. These login details are then used (as a form of ‘phishing) to access customer’s actual cryptocurrency accounts. Fake apps can include:
- Fake exchange apps. Apps imitate a real exchange in order to capture credentials;
- Fake wallet apps. In these cases, cryptocurrency is often sent to the wallet of the fraudster;
- Crypto-mining malware/fake apps. In these cases, individuals are running a mining app, but instead of the crypto created going to their own account, it goes to a fraudster.
- Crypto-jacking. This involves the malicious use of another person’s computer or device in order to mine cryptocurrency without their consent. While traditional malware seeks to steal data, this malware seeks to steal the processing power of victims.
Key takeaway: Anyone thinking about purchasing or investing in cryptocurrency, or who already has, needs to ensure that they are familiar with all the major scams relating to it.
What are the legal tools for stopping and/or penalising cryptocurrency fraud?
Given the various ways in which cryptocurrency fraud and other cryptocurrency wrongdoing may occur, what legal options are available in response to this wrongdoing? We will look at several possibilities, including civil actions taken by individuals, actions taken by regulators and the possibility of criminal prosecution.
- Sequestration orders
Liquidators and bankruptcy trustees might pursue cryptocurrency through an order for sequestered property. This could occur, for example, where a company on the verge of liquidation transferred its cryptocurrency to a third party to avoid it forming part of the pool of assets for creditors. The liquidator might, for example, use existing provisions in the Corporations Act 2001 (Cth) to argue that this was a creditor-defeating disposition or an uncommercial transaction. In order to bring such an action, the liquidator may need to first establish to the court that the cryptocurrency was property (see earlier discussion). In addition, they will need the public and private keys to be disclosed in order to access the cryptocurrency.
- Actions for breach of contract
In Quoine, the Singapore Court of Appeal considered breach of contract in the case of cryptocurrency. In that case, an error in an automated trading procedure resulted in the selling of the cryptocurrency Ethereum at 250 times its market price. The transaction was then immediately reversed by defendant. Plaintiff sued for breach of contract. The defendant argued that:
- There was an implied term that any transactions that were a result of an error in the computer code could be reversed by one of the parties, and;
- There was a contractual mistake which entitled the defendant to reverse the transaction.
The court held that there was no such implied term, as there was an explicit term stating that transactions were ‘irreversible’, and therefore there were no ‘gaps in the contract’ to be filled by an implied term. Considering whether there was a mistake in common law or equity, the court held that there was not: while both parties had a mistaken belief, Quoine did not have knowledge of this mistaken belief. Therefore, there were no grounds for voiding the trade.
- Actions for breach of trust
As well as breach of contract, the court in Quoine also considered whether there had been a breach of trust by the defendant in transferring the assets of the plaintiff. The court (following the UK approach) accepted that the cryptocurrency could constitute property. It considered whether the three key elements of a trust were present (certainty of intention, certainty of subject matter; and certainty of object). Overruling the early decision in the International Commercial Court of Singapore, the court found that mere fact that the account holders’ cryptocurrency was in separate digital wallets, separated from the platform’s own trading assets, didn’t mean that there was a trust. It found that there was insufficient certainty of intention for a trust to be formed.
In Ruscoe v Cryptopia Limited (In Liquidation)  NZHC 728, the High Court of New Zealand considered both the status of cryptocurrency as property, and the issue of breach of trust. Huge quantities of crypto were stolen from an exchange (Cryptopia), amounting to approximately NZD $30 million. The company subsequently went into liquidation and a dispute arose as to who was entitled to the remaining cryptocurrency, valued at approximate NZD $170 million. The liquidators made an application to the court to consider whether the cryptocurrency was held in trust, and therefore still the property of account holders.
The court settled the theoretical questions, following both the UK Jurisdictional Taskforce’s statement, and the decision in Quoine: Cryptocurrency can constitute property (rather than being simply ‘information’), and it can constitute the subject matter of a trust.
As in Quoine, the court then considered whether the three elements of a trust were present in this particular case. It found:
- There was certainty of subject matter. Cryptopia kept the private keys for the wallets. The subject matter was clearly recorded in the Cryptopia database;
- There was certainty of object. The beneficiaries were those with positive token balances, as indicated in Cryptopia’s database;
- There was intention to create a trust. This was demonstrated by Cryptopia not handing over public and private keys to accountholders. Cryptopia also had no intention to trade the cryptocurrency in its own right.
The New Zealand court distinguished this case from Quoine where there was found to be insufficient intention to hold cryptocurrency on trust. Important elements present in this case included:
- Terms and conditions relating to each account explicitly stated that cryptocurrency was held on trust;
- Tax returns and other financial reporting indicated that Cryptopia did not consider itself to be the owner of the cryptocurrency residing in accounts
All in all, the court considered it clear that Cryptopia acted as the custodian of the cryptocurrency on behalf of account holders.
- Knowing Receipt and Knowing Assistance: Third Party Liability for Breach of Trust
What if cryptocurrency is transferred in breach of trust by a third party rather than the trustee? This is where the principles set out in a 19th century Court of Appeal in Chancery case, Barnes v Addy (1874) LR 9 Ch App 244 are relevant. This case sets out two possible causes of action in ‘knowing receipt’ and ‘knowing assistance’.
Knowing receipt requires that :
- The individual was in receipt of trust property;
- That receipt was in breach of trust;
- The recipient knew that this transfer was in breach of trust.
In principle, this could be used as grounds to recover cryptocurrency from a party ‘further down the line’ that has received cryptocurrency as a result of fraud.
Knowing assistance requires:
- Dishonest and fraudulent design. This means that the breach of trust or fiduciary duty must be more than a simple breach, it must amount to fraudulent (i.e., ‘disgraceful’ or ‘shameful’ conduct);
- Assistance. The third party must have actually acted to further the trustee or fiduciary’s dishonest purpose (see the Supreme Court of Queensland in Quince v McLaughlan  QSC 61);
- Knowledge. This could be either actual knowledge or constructive knowledge (where a third party could reasonably be expected to know).
Knowing assistance might apply to any third party who assists in the breach of trust, though it is worth noting that on these grounds the plaintiff needs to prove the significant element of fraudulent behaviour by the trustee or fiduciary.
- Wrongful detention and conversion
In Copytrack Pty Ltd v Wall 2018 BCSC 1709, the Supreme Court of British Columbia considered whether the torts of wrongful detention (‘detinue’) and conversion could be applied to recover cryptocurrency. In that case, Copytrack owned a blockchain-based copyright registry. As part of its system, it sold cryptocurrency in the form of CPY tokens to the public. Mr Wall, a Canadian, purchased 530 CPY tokens for CAD $780. Mistakenly, Copytrack send 530 Ether tokens worth approximate CAD $495,000. Mr Wall refused to return the Ether when asked and claimed that he had been hacked and no longer had control over the Ether.
The court found that it was undisputed that the coins were the property of Copytrack and that they were wrongfully detained by the holders. In light of this, Copytrack was entitled to trace the cryptocurrency to the accounts where it was held and recover that amount.
- Misleading conduct and misrepresentations
Under Australian Consumer Law (ACL) and the common law, individuals are not permitted to engaging in misleading or deceptive conduct (e.g., section 18 of the ACL), or make misrepresentations to customers in order to sell something. If, for example, a cryptocurrency business were to make misleading advertisements that a cryptocurrency would provide “guaranteed returns” it may be in breach of these provisions and rules. This could result in civil penalty proceedings brought by the Australian Competition & Consumer Commission (ACCC) for breach of the ACL. It could also result in a misled individual bringing a claim for contractual misrepresentation and damages.
- Civil proceedings for breaches of director or AFS licensee duties
In addition to proceedings for breaching the ACL, there are a range of other ways cryptocurrency fraud or wrongdoing could breach legislation, giving rise to a cause of action. One important area of potential liability is wrongdoing by directors of companies in breach of the Corporations Act 2001 (Cth). A range of key duties set out below, in the case of breach, could give rise to substantial civil penalties:
- Duties of reasonable care and diligence (see section 180). For example, if the director of a cryptocurrency exchange did not take reasonable care to safeguard the security of cryptocurrency accounts, they could be liable under this head;
- Duty to act in good faith in the interests of the company as a whole (see section 181). For example, if a company director acted to enrich themselves with cryptocurrency transfers at the expense of the company, they could be liable ;
- Duty not to make improper use of the director’s position (see section 182). This duty could be breached in similar circumstances to the case described above;
- Duty not to make improper use of information (see section 183). For example, a director engaging in a ‘pump and dump’ scheme, as outlined earlier, may be breaching this duty if due to an awareness that others were about to ‘dump’ their cryptocurrency, they too offloaded their holdings;
- Duty not to trade while insolvent (see section 588G). For example, a cryptocurrency trader subject to a hack which substantially depletes their assets, may be in breach of this provision if they continue to trade in the knowledge that they can no longer pay their debts.
- Duty to avoid conflicts of interest (see section 191). For example, this may be breached if a director were to be a director of one cryptocurrency platform while failing to declare that they were also the director of a competitor platform.
As discussed earlier, depending on the circumstances, a cryptocurrency business could be subject to the financial services or market regulatory frameworks contained in the Corporations Act 2001 (Cth). A licence-holder in breach of their licensee obligations could be subject to civil penalties, as well as having their licence cancelled or suspended.
- Action for breach of anti-money laundering legislation
The AML/CTF regulatory framework in Australia is designed to track and monitor flows of money both within and to and from Australia. The goal is to reduce the occurrence of money laundering and financing of terrorism. It does this by requiring regulated entities to:
- Collect information establishing a customer’s identity;
- Monitor transactions;
- Report any transactions or activity that are suspicious or involve large amounts (cash over $10,000) to the AML/CTF regulator (AUSTRAC).
Due to the privacy and anonymity inherent in cryptocurrency, it is an area that has been identified as potentially prone to money-laundering or terrorism financing.
In 2018, law changes came into effect to introduce AML/CTF obligations for cryptocurrency exchange platforms in Australia. All platforms must:
- Register with AUSTRAC;
- Satisfy reporting obligations.
AUSTRAC can pursue civil penalties against individuals or businesses that fail to comply.
- Cryptocurrency fraud and prosecution under the criminal law
Perhaps the most obvious legal basis for pursuing cryptocurrency fraudsters is the criminal law. There are a huge range of provisions that could lead to criminal liability for cryptocurrency fraud, but some key possibilities include:
- Theft. If an individual intentionally steals the cryptocurrency of another (e.g., via hacking into their account), then they may be charged with theft.
- Dealing in proceeds of crime (for example, section 193C Crimes Act 1900 (NSW), or 400.9(1) of the Criminal Code 1995 (Cth)). In 2018, a Sydney woman was jailed for two years for this criminal offence. In that case, AUD $450,000 of the cryptocurrency, ‘Ripple’ had been hacked and stolen;
- Criminal breach of AML/CTF laws. One cryptocurrency fraudster was recently convicted and jailed for producing false or misleading documents contrary to s 137 of the Anti-Money Laundering & Counter Terrorism Financing Act 1995 (Cth);
- Criminal breach of director’s duties. Under section 184 of the Corporations Act 2001 it may be a criminal offence to breach a director’s duty in some cases. Generally, this is the case where the director was either reckless or intentionally dishonest in their failures to comply with their duties.
Key takeaway: There are a limited number of ways in which cryptocurrency fraud can be pursued legally (i.e., through a ‘cause of action’). Some of the most likely avenues for individuals who have been defrauded are breach of contract, breach of trust and complaining to a regulator to take action.
What happens to cryptocurrency in the case of liquidation?
We have discussed several cases so far where a cryptocurrency business ends up insolvent, while holding a certain amount of cryptocurrency. We looked at the finding in Cryptopia, that cryptocurrency is intangible personal property, held in trust for deposit-holders. Thus, in that case, the court found that the account holders had priority over unsecured creditors.
Assuming that there is insufficient cryptocurrency to provide to cover the amounts sought by all beneficiaries, how should the remaining cryptocurrency be distributed?
The New Zealand High Court gave the following directions to liquidators:
- The liquidators should work out which account holders were affected on the date of the hack and their relative shares in the trust;
- The liquidators should then distribute that loss across existing beneficiaries. That is, the default is for the remaining amount to be distributed according to the pari passu principle;
- Any amounts added to an account after the hack, should remain untouched and have none of the ‘loss’ taken from those amounts;
- Where account holders cannot be found, general rules applying to the distribution of assets to missing beneficiaries will apply;
- Any cryptocurrency recovered at a later point should be applied pro rata to make up the loss suffered by all account holders.
It remains to be seen whether an Australian court would treat cryptocurrency assets in a liquidation in the same way. Given the widespread acceptance of the classification of cryptoassets as property in other similar jurisdictions, it seems likely an Australian court would make a similar decision.
Where all beneficiaries have received their allocated cryptocurrency, and there is still cryptocurrency left over, how would it be distributed to creditors upon liquidation?
The usual priority rules for liquidation would likely be applied:
- Liquidators would be paid for their fees and expenses;
- Secured creditors would come next (e.g., those who hold mortgages or personal property securities over the company’s property);
- Priority unsecured creditors (e.g. employees);
- Unsecured creditors.
Liquidators may be facing a range of challenges in attempting to liquidate holdings in cryptocurrency and add to the pool of distribution for creditors, such as:
- Not possessing the private keys to allow access to the cryptocurrency;
- Dealing with the significant volatility in the cryptocurrency markets which means the time of sale of the cryptocurrency will be crucial in calculating its value.
Key takeaway: A key issue in the liquidation of a cryptocurrency business will be whether any cryptocurrency is held ‘on trust’ for deposit-holders. If it is, those assets will not be available for distribution to creditors in liquidation. Where liquidation is to occur, it is likely that the usual priority rules in Australia for distribution of proceeds will apply if claims are debts only.
Which tax obligations apply to cryptocurrency?
The Australian Tax Office (ATO) has developed guidance explaining the tax obligations that apply to the holding and disposal of cryptocurrency. Key aspects include:
- The application of capital gains tax (CGT). A CGT event occurs when an individual disposes of cryptocurrency. This can occur when cryptocurrency is sold or gifted, where it is traded, where it is converted to fiat currency, and where it is used to obtain goods of services. There is an exception to this where the cryptocurrency is a ‘personal use asset’. Where a net capital loss occurs, this can be carried forward to offset a capital gain in a later year. In addition, where the private key or cryptocurrency is stolen or lost, the individual may be able to claim a capital loss;
- Cryptocurrency will be classified as a personal use asset where it is kept or used primarily to purchase goods or services for personal use. Note that if the cryptocurrency is held as an investment, as part of a profit-making scheme, or in the course of carrying on a business, the personal use asset exemption does not apply;
- Miners receive additional tokens when a new block is created. The money value of these additional tokens is ordinary income and taxable as such;
- Chain splits. Where a cryptocurrency ‘splits in two’ as a result of change in rules, the new currency (if held as an investment) does not count as new income or a capital gain. Where held as an investment, the capital gain will occur on disposal and that is the point at which tax must be paid;
- Payment of a salary in cryptocurrency is taxed as a fringe benefit;
- Receipt of cryptocurrency for services rendered is treated as ordinary income;
- A range of record-keeping obligations apply to individuals and businesses involved in cryptocurrency. In relation to cryptocurrency transactions, the following must be kept.
- receipts of purchase or transfer of cryptocurrency;
- exchange records;
- records of agent, accountant, and legal costs;
- digital wallet records and keys;
- software costs related to managing your tax affairs.
Where an individual or business fails to comply with their tax obligations relating to cryptocurrency, they may be liable for committing tax fraud or a range of other tax and financial reporting offences.
Cryptocurrency is likely to continue to rise in popularity. Alongside that, so too are incidences of cryptocurrency scamming and fraud. Anyone who wishes to invest in cryptocurrency, or operate a business that deals in it needs to:
- Understand how cryptocurrency works on a technical level. It is impossible to understand the risk that is being undertaken without, for example, knowing how easy it is to hack into a particular exchange platform;
- Be aware of the most common scams (such as scam ICOs and phishing scams) that are doing the rounds with cryptocurrency;
- Be familiar with the legal status and regulatory framework for the cryptocurrency it is dealing with (e.g., is it held on trust for you? Does it involve a financial product? What are the consequences in case of liquidation?);
- Understand their rights against anyone who would seek to scam or defraud them;
- Recognise their tax obligations and how they might comply with them.