As cyber attacks escalate, companies are increasingly turning to lawyers to help them trace stolen money, negotiate with hackers and, in some cases, take attackers to court to recover stolen funds.
From phishing scams to trading breaches, attacks involving cryptocurrency are rising. The value of illicit cryptocurrency transactions, including scams and ransomware, rose to $20.6bn in 2022, up from $18.1bn a year earlier, according to a report by Chainalysis, a blockchain data platform.
Now, cyber crime specialists at law firms are being called on to play an intermediary role — part negotiator and part forensic investigator — to help minimise damages while also finding ways to prevent hackers from succeeding in their attacks.
Companies face multiple challenges, as the international nature of hacking makes it difficult to investigate attacks and trace stolen funds. Syndicates based in, and sponsored by, hostile states — such as the North Korea-linked Lazarus Group — have been among the most prolific cryptocurrency hackers.
But, in November 2022, US law firm King & Spalding helped Google score a legal victory against the Russian operators of a botnet known as Glupteba. The operators used it to steal login and account information to commit crimes, including theft and fraud, and to use other people’s computers to illicitly mine cryptocurrency.
In a New York lawsuit, Dmitry Starovikov and Alexander Filippov were named along with 15 other unidentified individuals as controlling the botnet. According to the court ruling, Glupteba was notable for its “technical sophistication” and leveraged blockchain technology to protect itself from disruption. It used a network of private computers infected with malware to aid numerous criminal schemes, including selling credit card details for fraudulent purchases.
US district judge Denise Cote ruled that the defendants used the botnet to steal and exploit Google users’ personal and financial information, which they sold.
“Botnets are generally very complex and resilient cyber crime schemes,” says Sumon Dantiki, partner in special matters and government investigations at King & Spalding. “Among botnets, Glupteba was a particularly innovative threat, which required Google to respond with a very novel and multi-faceted disruption effort.”
In her ruling, Cote said the defendants had attempted to use the litigation as a means of extorting Google, or at least seeking discovery, the formal process of sharing evidence, which could help them evade the company’s efforts to shut down the botnet. The judge upheld Google’s request for settlements against the defendants and their lawyer, and ordered the defendants to pay Google’s legal fee in the case. The amount was not specified. Cote found that there had been a “wilful attempt to defraud the court and resist discovery” by the defendants.
Preventing the defendants from using the litigation to obtain information about Google set a legal precedent and sent a warning to botnet operators. “The court finds that the defendants have intentionally withheld information and misrepresented their willingness and ability to engage in discovery in order to disadvantage Google in this litigation, avoid liability, and further profit off of the criminal scheme described in the complaint,” the ruling stated.
Dantiki says the ruling has wider importance, too: “The court’s award here is significant and demonstrates that the judiciary won’t tolerate a litigant who abuses the court system.”
As well as pursuing hackers through the courts, law firms are being called on to track down and recover stolen funds. And they are having some success. The sum extorted through ransomware attacks fell from $766mn in 2021 to $457mn last year, according to Chainalysis.
US law firm Morrison Foerster helped recover stolen funds for UK-based Euler Finance, a cryptolending platform, after a $197mn cyber theft. It managed to retrieve all the funds in three weeks. This was one of the biggest recoveries in decentralised finance history.
William Frentzen — a partner and trial attorney in Morrison Foerster’s white-collar crime unit, and a former government prosecutor experienced in dealing with hackers — had already helped to recover money stolen in a $110mn fraud at crypto exchange Mango Markets. So, when Euler suffered an attack in March, Frentzen received a call the next morning. He had to alert US law enforcement agencies and determine whether the firm was dealing with state actors or an individual.
His team was able to make contact with the hacker. “We sent messages to attacker wallets on the blockchain — which was public — to try to get the hacker to engage in a private conversation,” he explains.
The hacker then did something that helped the team engage. “The hacker made a strategic error in paying 100 ETH, or Ether, worth approximately $170,000 at that time, into an account reputed to be linked to North Korean hackers,” Frentzen recalls. “Very soon after, North Korea started sending what appeared to be phishing messages. We emphasised this interest to the hacker as a pressure point and [said] that it was bad enough with the FBI and DoJ on the case — you do not want to attract the interest of state actors and organised crime.”
The hacker decided to return the funds and Euler was able to offer redemptions to its users before closing the platform — although it says it has plans to resume trading.
“The money was returned to us in pieces — including a payment to one individual in Latin America, and we kept the conversation going,” explains Frentzen. “We eventually got all the money back and, because it was Ether and the price of Ether went up, we were able to obtain $220mn to return to Euler’s users.”