New Tools for Fighting Fraud: CMOC v Persons Unknown

CMOC v Persons Unknown is a new international cyber-crime precedent.  The plaintiff had to chase and serve legal notice to 30 respondents in multiple jurisdictions worldwide. The case was touched upon in May 2019 issue of Arbitration.ru dedicated to collecting bad debts and fighting international fraud. Now we publish in-depth coverage from the legal team that was directly involved on the case representing the claimant.

The impact of fraud on commercial entities is an increasingly global concern. The most effective method of combatting fraud is to stop it from happening in the first place. However, it is inevitable that, as the technological weapons available to perpetrators of fraud become more sophisticated, there will be occasions when even the most advanced fraud prevention systems will be breached. In such circumstances, it is essential that the law provides the victims of the fraud with the tools required to identify, trace and recover the misappropriated assets. In CMOC Sales & Marketing limited v Persons Unknown & 30 others [2018] EWHC 2230 (Comm), considered to be a “pioneering judgment”¹, the Commercial Court in London made a number of innovative orders, which enabled the Claimant to recover a significant portion of the stolen funds and which will be of considerable assistance to those who fall victim to fraudsters in the future. 

The claims in CMOC were brought in the English courts by way of litigation, rather than arbitration, but there is no reason in principle why similar orders could not be made either in support of an actual or anticipated arbitration proceedings (using the powers conferred by section 44 of the English Arbitration Act 1996 and/or section 25 of the Civil Jurisdiction and Judgment Act 1982, as amended), whether seated in England or elsewhere in the world. It demonstrates the increasing willingness of the English courts to find original and creative ways to assist parties in combatting international fraud in whatever forum the claims form to be resolved.

The Fraud

In October 2017, the CMOC Sales & Marketing Ltd (“CMOC”), an English incorporated company part of the China Molybdenum group learned that over £7 million had been stolen from its bank account by way of a sophisticated cyber fraud. It later became apparent to CMOC that the fraudsters controlled and operated a vast money laundering network that had evidently been set up for the purpose of stealing money, distributing it rapidly to multiple bank accounts across the globe and then ‘cleaning’ the money through various nefarious means. Upon discovering the fraud, the only information available to CMOC was that which it could glean from its own bank account statement, that is to say the banks that received its money at the first level and the payee names associated with those transfers (which, of course, need not be the name of the person who holds the recipient bank account).

Worldwide Freezing Orders (“WFO”) against ‘Persons Unknown’

CMOC needed to act urgently if it was to be successful in recovering any money, the first stage of which was to obtain WFOs against the people who had stolen the money.  The purpose of the WFO was essentially twofold:

1. To prevent the further dissipation of any assets remaining in the recipient bank accounts; and

2. As discussed further below, as a matter of English procedural law, a freezing order is the springboard for further ancillary relief, including orders for disclosure against the banks at which the recipient accounts were held, which could arguably not get off the ground unless there has been a primary freezing injunction.²

The central issue faced by CMOC in seeking the WFO was who should be named as a respondent to it given that it was unclear who was responsible for perpetrating the fraud. In these circumstances, the only option available was to seek a WFO against “Persons Unknown”. The prior case of Bloomsbury v New Group Newspaper³ confirmed that the English court in principle had jurisdiction to make an interim order against persons unknown. That case concerned an application to require individuals whose identity was unknown to deliver up all copies of ‘Harry Potter and the Order of the Phoenix’, which had been taken away from the printers prior to publication without authority and offered to the press for a fee. 

The principle had not, however, yet been extended to a WFO, backed by a Penal Notice stating that a respondent who disobeys the order may be liable for contempt of Court and imprisonment. Nevertheless, the Court in CMOC case held that there was a strong justification for extending the principle to WFOs in the circumstances of fraud litigation where the first objective is to notify the relevant banks of the WFO so that the recipient accounts can be frozen and the second objective is to obtain vital information from the banks which may assist in positively identifying some or all of the defendants and that this justification outweighed any potential future issues concerning contempt or the need to ensure that the relevant defendant has been properly notified of the injunction.

The crucial test for obtaining an order against persons whose identity is not known is that “the description used must be sufficiently certain as to identify both those who are included and those who are not. If that test is satisfied then it does not seem to me to matter that the description may apply to no one or to more than one person or that there is no further element of subsequent identification whether by way of service or otherwise”⁴. CMOC therefore structured its initial definition by reference to the information that it did know, that is to say the legal and/or beneficial owners of the bank accounts that received funds directly from CMOC, the amounts that were stolen and the time the fraud took place, with bank account information listed in the Claim Form. The Court was satisfied that defining ‘Persons Unknown’ in this way was sufficient to establish the Court’s jurisdiction to make a WFO.

A further technical difficulty that CMOC faced was how and where to serve ‘Persons Unknown’. Inevitably, if CMOC wanted the judgment of the English Court to be enforceable in foreign jurisdictions, it would need to show that the defendants had been properly served. CMOC’s solution was to serve in a number of ways including by sending documents both to the fake email addresses that had been used by the hacker to perpetrate the fraud and by sending documents to the banks where recipient accounts were held.

Disclosure Orders against Third Party Banks

As noted above, as a matter of English procedural law, once CMOC had obtained the WFO, this opened the door for seeking ancillary orders against non-defendant banks at which the recipient accounts were held. Ordinarily, a claimant seeking disclosure from banks will apply for a so-called Norwich Pharmacal order, which is a flexible remedy to be used in situations such as where the information sought is necessary to identify wrongdoers or to trace and preserve assets. However, the 2017 judgment in AB Bank Limited, Off-Shore Banking Unit v Abu Dhabi Commercial Bank PJSC⁵ indicated that Norwich Pharmacal relief does not have extra-territorial effect.

As the majority of the recipient accounts were held at overseas banks (for example in UAE, Hong Kong, USA and multiple European jurisdictions), CMOC had to seek the relief by a different method, «namely the Court’s jurisdiction arising out of the Bankers Trust Co v Shapira⁶, the drawback of which is that the claimant must pay the bank’s expenses of disclosure and given an undertaking in damages. Moreover, a Shapira order will only be made against overseas banks in exceptional circumstances. Fortunately, the authorities make it clear that an example of an exceptional case is where the claimant is chasing an international fraud. In CMOC’s case, the Court was satisfied that this was an exceptional case and therefore proceeded to make the disclosure orders requested against the banks in question.

Over the course of the litigation, CMOC obtained disclosure orders against approximately 40 banks, which enabled CMOC to discover information about the persons holding the recipient bank accounts, make investigations into whether they were part of the fraud (in which case they were added as named respondents to the WFO) or innocent third parties who had inadvertently been caught up in it (in which case they were not), begin the process of recovering the funds frozen in the recipient accounts and trace the onward flow of funds.

Innovative Service Methods

Service by online data room

One of the most difficult logistical elements of complex international fraud litigation is that, as the funds are dissipated through multiple accounts across the world, numerous individuals, companies and banks become parties to the litigation. In CMOC’s case, by the time of trial, there were 29 Defendants, 51 No Cause of Action Defendants (which included the banks) (“NCADs”) and money had been traced to more than 25 jurisdictions. This meant that the process of serving documents on the parties was very complicated and cumbersome, particularly in circumstances where there was a significant amount of documents and many of the banks’ servers rejected emails containing documents larger than 5mb.

The solution of the English Court was to permit service of documents by sending to the defendants and the NCADs a link to an online data room. The Court was satisfied that this was a secure and data protection compliant method of service and that all recipients of the link would know how to use it. This innovative solution saved a considerable amount of time and costs and enabled CMOC’s legal team to focus its efforts elsewhere. 

Service by WhatsApp and Facebook

A further complication arose once CMOC had positively identified certain individuals who held recipient bank accounts and who appeared, on the evidence, to have been involved in perpetrating the fraud. A number of these individuals were no longer at the residential addresses that they had provided to the banks when setting up their accounts and/or had disabled the email addresses that the bank had on record. 

In order to assist CMOC in ensuring that the link to the data room had been received by the defendants, the Court permitted service on certain recipients either by Facebook messenger (following investigations which enabled positive identification of the relevant Facebook account) or by WhatsApp (to the phone numbers that the bank had on record for the account holder). 

Trial and Conclusion

Following trial, the Court handed down its judgment against Persons Unknown and 28 identified individuals (CMOC having settled with two named defendants) and ordered repayment of the stolen money, damages and legal costs on an indemnity basis. Although the sum stolen in this case was fortunately relatively small compared to other cyber fraud attacks that have impacted major corporations in recent times, the receptiveness of the London Commercial Court to assisting the victims of fraud in using creative solutions for tracing assets and identifying perpetrators is a welcome development and, in the view of the authors, sets various precedents which reinforce London’s reputation as a leading jurisdiction for fair and effective dispute resolution.

Daniel Burbeary, 
Peter Stewart, 
Irina Buydova,

Cooke, Young & Keidan LLP, London

1 http://disputeresolutionblog.practicallaw.com/computer-has-frozen-cmoc-sales-marketing-limited-v-persons-unknown-and-30-others/ 
2 Pursuant to CPR r.25.1(g) 
3 [2003] EWHC 1205 
4 Ibid para 21 by Sir Andrew Morritt V-C  
5 [2017] 1 W.L.R. 810 
6 [1980] 1 W.L.R. 1274 CA