This article originally appeared in LawNews (ADLS) and is here with permission.
By James Cochrane, Arran Hunt & Samantha Chow
Cryptocurrency markets have been volatile in the wake of Covid-19, including a sharp correction and significant selloff in tech equities. This means investors are at risk of further cryptocurrency insolvencies in New Zealand or affecting Kiwi investors.
This article looks at the recent New Zealand High Court decision in Ruscoe & Moore v Cryptopia Limited 2020 (in liquidation)  NZHC 728, alongside the curious Canadian tale of Quadriga CX (QCX) and considers what investors can do when faced with a crypto insolvency.
In January 2019, the Christchurch-based cryptocurrency exchange, Cryptopia, suffered a serious security breach resulting in NZ$30 million worth of digital currency being hacked and transferred into an undisclosed exchange. Liquidators Grant Thornton were appointed on 15 May 2019.
With the rising value and popularity of crypto assets, Cryptopia at its liquidation date had more than 2.2 million registered users and employed 37 staff. To give some context around how significant its operations were, New Zealand had the twenty-sixth largest number of account holders (9,475) with 230 other countries and territories identified as account holders by reference to IP addresses. The liquidators estimated that Cryptopia held cryptocurrency worth, at the time of judgment, about NZ$170m.
As this was a novel case for New Zealand, Cryptopia’s liquidators filed an application to the High Court seeking directions (under s 248 of the Companies Act 1993) about the legal status of crypto assets in New Zealand.
The liquidators had earlier filed a petition in the bankruptcy court in New York to preserve Cryptopia information stored on US servers, engaged former staff to assist them and gained a court order allowing them to convert 344 bitcoin into cash to fund the liquidation expenses and to preserve assets. At the time those bitcoin were worth more than NZ$4.4m.
The application concerned the competing interests between Cryptopia’s account holders and creditors. Post-liquidation, Cryptopia had 960,143 account holders with a positive coin balance. Of that number, 104,186 were believed to have a “deemed nil value”, presumably because of the hack.
Creditors were also owed substantial amounts. The liquidators’ first report showed 69 unsecured creditors owed in excess of $2.16m and secured creditors owed more than $1.4m, with the company owing employees’ preferential claims of $318,000 for outstanding wages and holiday pay and a further $271,808 in unsecured debt.
The legal issues
The two main legal issues before the court were:
- Does cryptocurrency constitute “property” under s 2 of the Companies Act? And can cryptocurrencies form the subject matter of a trust?
- Was the cryptocurrency being held on trust by Cryptopia for account holders?
Counsel for the account holders argued that cryptocurrency is a form of intangible property at common law and under the Companies Act and is capable of forming the subject matter of a trust. Cryptopia was holding the cryptocurrencies on trust for the account holders, by way of either an individual trust for each account holder as a sole beneficiary or in one trust for the benefit of all account holders being co-beneficiaries of that trust.
Counsel for the creditors disagreed, saying the question of whether cryptocurrency should constitute property should be left for Parliament to decide. It was instead argued that the account holders were unsecured creditors and the cryptocurrency formed part of Cryptopia’s pool of assets which ought to be distributed in accordance with Part 16 of the Companies Act.
The property issue
The High Court was satisfied that cryptocurrency met all four classic characteristics of property: identifiable subject matter, identifiable by third parties, capable of assumption by third parties and had some degree of permanence or stability.
The court rejected the argument that cryptocurrencies were mere information, by explaining that the purpose of cryptocurrency is not to impart information or knowledge but to create an item of tradable value. To strengthen this position, account balances and the function of private keys were compared to online banking systems.
While revolutionary in terms of New Zealand law for cryptocurrency, this finding was not particularly surprising in light of overseas decisions. But in the ever-changing world of decentralised finance or “DeFi”, the finding is welcome.
The trust issue
Distinguishing the Singaporean Court of Appeal case Quine v B2C2 Ltd  SGCA (1) 02, the New Zealand High Court was satisfied on the particular facts and on construction of Cryptopia’s terms and conditions that the three certainties required to form an express trust were met. The court held that the cryptocurrency was held on separate express trusts for each and all account holders, not just those active at the time of liquidation.
Because of the nature of the cryptocurrency exchange and trading, the court acknowledged that some account holders might be unidentifiable. In this case, it directed the liquidators to follow the procedure set out in s 76 Trustee Act 1956 where advertisements are published, calling for claims to be made. As only those account holders who held types of cryptocurrency that were stolen would have suffered a loss, any recovered misappropriated cryptocurrency should go to those account holders whose accounts were looted, on a pari passu basis. In any event, the crypto cannot be treated as company assets.
Another example about the liquidation of a cryptocurrency exchange company is the Canadian case of Quadrigca CX. On 9 December 2018, Gerald Cotten, founder and CEO of Canada’s largest cryptocurrency exchange, QCX, unexpectedly died at the age of 30 while on honeymoon in India with his wife, Jennifer Robertson.
QCX was shut down in January 2019 and declared bankrupt in April that year, leaving users without access to their digital wallets. According to a report by the Ontario Securities Commission (OSC), more than 76,000 clients were owed a combined $215m in assets. Cotten was the only person with access to their private crypto keys, with no alternative operational procedures in place for if he were to ever lose access.
The OSC report said most of the $169m asset shortfall – approximately $115m – resulted from Cotten’s fraudulent conduct. It was found that Cotten created a string of accounts under different aliases which contained fictitious dollar balances to buy his customers’ cryptocurrency. He then moved those amounts into his own personal accounts at other cryptocurrency trading sites. The OSC report noted: “He sustained real losses when the price of crypto assets changed, thereby creating a shortfall in assets to satisfy client withdrawals. Cotten covered this shortfall with other clients’ deposits.” In effect, the report said, “this meant that Quadriga operated like a Ponzi scheme.”
According to his wife, his cause of death was complications from Crohn’s disease. But QCX’s creditors are convinced Cotten faked his own death to escape liability from his lucrative Ponzi scheme.
Cotten’s will, which was finalised just days before his sudden death, left all his financial assets to his wife and made her the sole executor of his estate.
She has reduced the loss to creditors by agreeing to surrender everything she inherited from Cotten’s estate and any assets he transferred to her before his death.
But as many believe Cotten is still alive, creditors have asked the Royal Canadian Mounted Police to exhume his body and conduct a post-mortem autopsy to confirm his identity and cause of death.
Cryptopia differs to QCX. While there has been no published judgment, it looks as if QCX’s account holders are being treated like unsecured creditors in the company’s liquidation rather than as beneficiaries of separate trusts.
And Cryptopia’s losses have not yet been attributed to any fault of the company or its directors. Unlike Cryptopia, where an internal ledger was maintained, there is no evidence that QCX maintained any accounting records since at least 2016. Rather, Cotten appears to have treated his customers’ assets as his personal slush fund. In this regard, QCX is more akin to the Ross Asset Management Ponzi scheme discussed in the New Zealand Supreme Court decision McIntosh v Fisk.
Justice Warwick Gendall notably stated that if there was any fault on Cryptopia’s part, as a matter of principle where a trustee is also a beneficiary of a trust (which Cryptopia considered was the case) and there is a shortfall in trust assets, then the trustee cannot have a share in the distribution if the trustee is found to be culpable, in respect of, and to the extent of, that shortfall.
Still, there remains the question of how New Zealand law might respond to a case where the liquidation of a cryptocurrency exchange platform resulted from failings of the company or its directors.
Possible liquidator actions
For a similar case to QCX, where the exchange turns out to be insolvent, a liquidator might bring a personal recovery action against the director for reckless trading.
Section 135 Companies Act specifically creates a duty owed to creditors not to engage in reckless trading, meaning directors must not cause, agree or allow the company to operate in a way which creates substantial risk of serious loss to creditors. Similarly, actions would likely lie against the director for breach of their duties under s131 to act in the best interests of the company and also under s136 which focuses on specific transactions and prohibits directors from incurring obligations unless they reasonably believe the company can perform them when required. Action might also be possible under s137 for breach of their duty of care and skill.
A director like Cotten would probably have committed an offence under s 138A for a serious breach of his or her duty to act in good faith and in the best interests of the company, if it could be shown he or she in fact acted in bad faith.
Claims would also be available under the Subpart 6 of the Property Law Act 2007 on the basis that the transfer of the cryptocurrency was a disposition made when the company was insolvent and with intent to prejudice a creditor or without receiving reasonably equivalent value.
If the crypto can be traced on the blockchain or via other means, a recovery action may be available against the recipient. Any transactions occurring while the company was insolvent and within the statutory specified period (in the case of QCX, any transfers of crypto from the company into Cotten’s false personal accounts) could be considered insolvent transactions under s292 of the Companies Act. This would entitle a liquidator to set aside the transactions.
Liquidators could also recover from someone in Cotten’s wife’s position, as she would probably be captured under s297 for receiving the cryptocurrency or the wallet “keys” at undervalue or s298 for acquiring the property for inadequate consideration.
In addition, there could be equitable and restitutional remedies available to the liquidators and/or the creditors, such as claims in knowing receipt and dishonest assistance, or where money is paid under mistake or received without consideration and the recipient is unjustly enriched.
A Japanese exchange that suffered a significant hack in 2018 has just commenced a claim against another major exchange, Binance, seeking to recover its losses. The plaintiff, Fisco, asserts that Binance’s “know your client” or “KYC” protocols, which are designed to prevent money laundering, failed to meet industry standards and that Binance was put on notice by the exchange which suffered the hack through which the stolen funds were being laundered.
Fisco’s complaint explains how blockchain analytics were used to trace the stolen bitcoin to the recipient’s cryptocurrency address and, from there, how the bitcoin was laundered in smaller amounts (less than two bitcoin) through Binance’s pool.
Account holders and creditors in a similar position to those in QCX may also have a cause of action under the Fair Trading Act 1986 (FTA). A director in Cotten’s position could be held personally liable under s9 for misleading and deceptive conduct by creating fake aliases to purchase customers’ crypto amounts, and on describing the company’s general financial position. The FTA’s incoming unconscionable conduct provisions would likely be relevant.
Both Cryptopia and QCX highlight the problem of a centralised exchange – a factor in both cases. Exchanges tend to use “web wallets”. These tend to be connected to the internet and are commonly known as a “hot wallet”. These wallets are easy to set up and the funds are quickly accessible, making them convenient for traders and other frequent users.
But they have risks that other “cold” wallets, such as “paper” or “hardware” wallets, do not have, including the risk of the exchange’s central servers being hacked or the risk of the company itself becoming insolvent. Cold wallets, on the other hand, have no connection to the internet. Instead, they use a physical medium to store the keys offline, making them resistant to online hacking attempts. As such, cold wallets tend to be a much safer alternative of “storing” your coins.
In QCX’s case the exchange held and managed the users’ private “keys”, allowing Cotten to steal their funds.
In Cryptopia’s case, the users deposited their “fiat” currency into a “hot wallet” for the cryptocurrency in question. Once deposited, the currency could be left in the hot wallet to meet withdrawal requests from other users or be transferred to a cold wallet.
When a trade occurred between two users on the exchange, the users’ respective coin balances on the company’s internal ledger would change to reflect the trade but the balances in the company’s digital wallets did not change. The trades and transfers that took place on the exchange did not affect the blockchain ledgers (the general ledgers of ownership that exist for each cryptocurrency outside of the exchange).
This is because the coins remained in Cryptopia’s digital wallets. Only trades outside the exchange would be recorded on the relevant cryptocurrency’s public ledger. However, crucially, like QCX, Cryptopia exclusively held the private keys to its digital wallets that contained the cryptocurrencies traded on the exchange. Account holders did not have access to the private keys. This, and the fact the hot wallets were connected to the internet, allowed them to be hacked.
With ever-increasing numbers of “mobile” hot wallets and exchanges, and the assets held and traded on them increasing in value, investors need to understand how ownership of their crypto property is recorded and managed. While we hate and often overlook it for the sake of convenience, doing your research and reading the fine print is likely to be your best line of protection from a crypto insolvency.
James Cochrane and Arran Hunt are partners at Stace Hammond and Samantha Chow is an intern. This article originally appeared in LawNews (ADLS) and is here with permission.