Penningtons Manches Cooper advises Matta on $14 million seed funding to advance ‘sentient factory’ technology
Penningtons Manches Cooper has advised Matta Labs Ltd, the industrial AI spinout from the University of Cambridge, on its $14 million seed funding round led by Lakestar, with participation from Giant Ventures, RedSeed VC, InMotion Ventures, 1st Kind, Unruly Capital and Boost VC. The round was further supported by grants from Innovate UK and the Royal Academy of Engineering.
Matta is developing AI-powered manufacturing foundation models capable of transforming real-time decision making in manufacturing environments. Its technology uses unsupervised and self-supervised computer vision to deliver automated quality control, anomaly detection, root cause diagnostics, and corrective recommendations.
The company’s plug-and-play platform can be deployed in a matter of hours and has already demonstrated exceptional impact across early customer sites – including >99% defect detection in polymer manufacturing after just 10 minutes of data, high-speed bottling inspection for a global drinks company, and precision measurement of speaker components for Bowers & Wilkins. Matta has more than 300 factories in its commercial pipeline, with new deployments occurring roughly every two weeks.
The funding will be used to accelerate customer adoption, deepen Matta’s AI capabilities, expand into key European and U.S. manufacturing regions, and build self-service deployment tools. The company’s long-term ambition is to enable autonomous, end-to-end production lines.
The Penningtons Manches Cooper team was led by corporate partner James Went, supported by corporate senior associate Anoushka Gangji and commercial partner Rachel Bradley.
Douglas Brion, Co-founder & CEO, Matta said: “We are delighted to have secured this funding from such a strong group of global investors as we accelerate the development and deployment of Matta’s industrial AI platform. Manufacturing remains one of the world’s most complex and underserved data environments, and our technology is already demonstrating how factories can operate with far greater intelligence, efficiency and resilience.”
He added: “Penningtons Manches Cooper have been exceptional partners throughout this process. Their deep understanding of technology-driven businesses and their practical, commercial approach has been invaluable as we take this next step in scaling Matta.”
James Went, Partner, Penningtons Manches Cooper said: “It has been a privilege to support the Matta team from inception and now on this key investment round. Matta represents the very best of the UK’s deep-tech and university spinout ecosystem – combining world-class research with a compelling commercial vision and clear industry demand.
The calibre of investors participating in this round reflects the strength of the opportunity ahead. We look forward to continuing our partnership with Matta as they scale their technology across global manufacturing markets.”
Related content
Crypto exchanges, cryptic court rules and the mystery of the unknown defendant…
As the traditional financial industry continues to embrace crypto assets, the English courts are increasingly being asked to resolve disputes that sit at the intersection of traditional legal duties and new digital realities.
One such case, Hamblin v Moorwand Ltd [2025] EWHC 817 (Ch), offers a timely and important development in this space. In that case, the High Court confronted a novel set of circumstances: a derivative claim brought by victims of fraud on behalf of a company in administration against a regulated payment service provider operating a crypto-linked wallet.
The judgment is an interesting development in two key areas: the scope of the Quincecare duty and the procedural flexibility of derivative claims in the context of insolvency and crypto-related fraud. The case is notable not only for its facts, an authorised push payment (APP) fraud involving a crypto-linked wallet, but also for the court’s willingness to permit a derivative claim to be brought by non-shareholders on behalf of a company in administration. The judgment provides a rare example of a successful Quincecare claim and offers valuable guidance for financial institutions, insolvency practitioners and victims of fraud alike.
The facts
Mr and Mrs Hamblin were victims of an APP fraud. Believing they were making a legitimate investment, they transferred £160,000 to RND Global Ltd (RND), a company that was found to be incorporated and controlled by fraudsters. RND held an electronic wallet with Moorwand Ltd (Moorwand), a regulated payment service provider offering an “electronic wallet” capable of holding and transferring funds in both fiat and bitcoin.
The funds were credited to RND’s wallet and quickly dissipated on the instructions of a fraudster impersonating an individual registered on Companies House as RND’s director but who had, in fact, been the subject of identity theft. The transactions included bitcoin purchases and the purchase of a £34,500 luxury watch. RND is now in administration with no known assets and uncertain prospects of any dividend to unsecured creditors.
The first instance decision: a triple defeat
At first instance, the Hamblins brought three claims:
- A personal claim to recover the £160,000 they had transferred to RND.
- A derivative Quincecare claim on behalf of RND against Moorwand for breach of mandate and duty.
- A claim under the Payment Services Regulations 2009 (PSRs) arguing that the payments were unauthorised.
To put the second claim into context, a Quincecare claim arises from the duty established in Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363, which requires banks or payment service providers to refrain from executing payment instructions if they are “put on inquiry” that the instructions may be an attempt to misappropriate funds. If there are reasonable grounds to suspect fraud or lack of authority the bank must investigate before proceeding.
All three claims were dismissed. The personal claim failed because the Hamblins had voluntarily authorised the payment to RND and Moorwand had no direct relationship with them. The derivative Quincecare claim was dismissed on the basis that Moorwand had not been “put on inquiry” and therefore had no duty to investigate the authority of the person giving instructions on behalf of RND.
Finally, the PSR claim also failed as Moorwand had complied with the mechanical requirements of the payment instructions. The judge held that the payments were authorised in the narrow sense required by the PSRs even if they were procured by fraud.
The appeal: a rare success for Quincecare
On appeal, Mr Justice Marcus Smith overturned the dismissal of the derivative Quincecare claim. He held that the judge at first instance had erred in law by conflating the knowledge of the fraudulent agent with that of the company. The fraudster’s knowledge could not be attributed to RND which was the innocent principal. This led the judge to overlook three key facts that should have put Moorwand on inquiry:
- The suspicious nature of the documents used to open the account, including a utility bill with a mismatched name.
- Internal concern raised by Moorwand staff about the legitimacy of the account.
- The inconsistency between RND’s stated business, a marketing consultancy, and its actual transactions (bitcoin trading and luxury purchases).
The appeal court found that these red flags should have triggered Moorwand’s duty to investigate whether the payment instructions were genuinely authorised. By failing to do so Moorwand breached its duty to RND and was required to restore the misapplied funds to RND’s account.
Importantly, the court rejected Moorwand’s reliance on an exclusion clause in its terms of business. The clause excluded liability for damages but did not apply to claims for restitution or breach of mandate. The court held that the claim was not for damages but for the restoration of funds wrongly paid out and therefore the exclusion clause did not apply.
This decision is particularly significant in light of the Supreme Court’s ruling in Philipp v Barclays Bank plc [2023] UKSC 25. In Philipp, the court clarified that the Quincecare duty does not apply where a customer gives a clear and authorised instruction, even if that instruction was induced by fraud. This effectively closed the door on most APP fraud claims brought by individual victims against their banks.
Derivative claims by non-shareholders
One of the most striking aspects of the case is the court’s acceptance of a derivative claim brought by non-shareholders. Under English law, derivative claims are typically brought by shareholders under Part 11 of the Companies Act 2006. The statutory framework is designed to allow shareholders to enforce the company’s rights where the company itself is unable or unwilling to act, usually because the wrongdoers control the company. Here, the Hamblins were not shareholders of RND but the court allowed them to bring the claim on its behalf.
This procedural innovation reflects a pragmatic approach to justice in the face of corporate fraud and insolvency. The court recognised that RND, being in administration, was unable to pursue the claim itself. The administrators had not taken action and the Hamblins had a legitimate interest in recovering the funds they had lost.
While the court did not set out a general principle allowing non-shareholders to bring derivative claims, the decision suggests that such claims may be permitted in exceptional circumstances, particularly where the company is insolvent, the wrongdoing is clear and the claimant has a direct interest in the outcome.
A pyrrhic victory?
Despite the appellate success, the final paragraph of the judgment sounds a note of caution:
“I very much hope that this does not prove to be a pyrrhic victory for the Appellants. RND, as I understand it, is in administration, and its assets must be distributed properly in accordance with the rules. To whom those monies go is not a matter for this appeal.”
This reflects a harsh reality: even if Moorwand is ultimately required to restore the funds to RND, the Hamblins may not recover the full amount. As unsecured creditors in an insolvent estate they will rank alongside other creditors in the same class and may receive only a fraction of the restored funds, if any, after the costs of the administration are deducted and any preferential and secured creditors are paid.
The administrators’ statement of proposals confirms that RND has no known assets, no secured or preferential creditors and estimated unsecured claims of £305,900 comprising £305,000 from consumer creditors and £900 from HMRC. However, only £160,900 in claims had been received at the time of the administrators’ last progress report (which would appear to be the HMRC £900 claim and Hamblins’ claim for £160,000).
If no other creditors come forward, the Hamblins may ultimately receive most of the funds, subject to the administrators’ fees and expenses which to date exceed £20,000. If additional creditors come forward the recovery will be diluted further.
The administrators have not yet confirmed whether the debt will be paid and their investigations into potential claims are ongoing.
Practical implications
The case offers several important takeaways:
- Quincecare duties extend beyond banks: The judgment confirms that payment service providers offering crypto-linked wallets may owe Quincecare-type duties to their customers. Institutions must be alert to red flags and cannot necessarily rely on mechanical compliance with payment instructions to avoid liability.
- Insolvency practitioners should be proactive: Administrators should consider whether claims against third parties, particularly financial institutions, could yield recoveries for the estate.
- Victims should consider strategic use of derivative claims: While the route is complex and fact-sensitive, derivative claims may offer a viable path to recovery in cases of crypto-related fraud. However, as the court acknowledged, such claims may ultimately benefit the insolvent estate rather than the individual victim. Early engagement with insolvency practitioners and legal advisors is essential.
Conclusion: a cautious step forward
Hamblin v Moorwand Ltd is a rare example of a successful Quincecare claim and a creative use of the derivative action procedure. The court’s willingness to permit a derivative action brought by non-shareholders on behalf of a company in administration reflects a pragmatic and flexible approach to justice in the face of crypto-related fraud. However, it also highlights the limitations of such remedies in the context of insolvency.
For victims of crypto fraud, the case not only offers a glimmer of hope but also a warning. Even a successful claim may not lead to full recovery. For financial institutions, the message is clear: red flags must be taken seriously and the boundaries of liability are shifting.
While not a revolution, Hamblin may mark the start of a more nuanced judicial engagement with crypto-related fraud as courts continue to adapt established doctrines to new financial realities.
Appeal pending
At the time of writing, Moorwand has applied to the Court of Appeal for permission to appeal. While the High Court ordered Moorwand to repay £159,992.81 plus interest of £48,758.80 (to 9 June 2025) to RND, enforcement of that order has been stayed pending the outcome of the permission application and any subsequent appeal. The funds have been paid into Moorwand’s solicitor’s client account in the interim. The final outcome and the Hamblins’ prospects of recovery therefore remain uncertain.
Real-world cybersecurity horror stories and lessons learned
This Halloween we bring you stories not of witches nor of werewolves but of something far scarier: cybersecurity threats that lurk in the shadows of our servers.
Ghosts in the machines
Our Halloween horror anthology begins on the night of 31 August when JLR, the UK’s biggest automotive employer, which manufactures the Jaguar and Land Rover brands, fell victim to a sinister cybersecurity incident. In what experts have dubbed Britain’s costliest hack, production lines shuddered to an eerie halt for over a month and retail outlets flickered into darkness.
While the government has since announced that it will underwrite a £1.5 billion loan to JLR and the company will resume manufacturing in the coming weeks, the damage has been done and, like all good horror stories, this one leaves behind a trail of unsettling truths:
- JLR was attacked on a Sunday evening and this strike at witching hour was no accident. It was a calculated ambush. The hackers knew the weekend would bring slower response times and fewer guards at the gate.
- Automotive companies like JLR are particularly vulnerable to attacks. Their vast interconnected and increasingly digitised infrastructure is a tempting target for cyber predators, as a single incident can wreak havoc across an entire network and supply chain. Unsurprisingly, the ripple effect of this incident has been felt severely by JLR’s 2,200 suppliers, many of whom are based in the West Midlands and the Northwest, and have begun to lay off workers. Small car part makers have been particularly affected. Reportedly, left cash-strapped by the production halt, some individuals have been asked by banks to put up their homes as personal guarantees to obtain emergency loans.
- Government intervention will be a welcome relief for JLR’s estimated 32,000 employees and the further 104,000 employees in its supply chain. However, critics question whether it sets a dangerous precedent for other large companies that may be vulnerable to future attacks. They also suggest that large businesses may become complacent and avoid purchasing cybersecurity insurance as a result.
The curse of the weak password
This summer, KNP, a 128-year-old Northamptonshire haulage firm that had weathered war, financial downturn and global pandemics met its end, it is thought, when a cybercriminal gang guessed a single feeble password.
It was reported that in a chilling ransom note, the hackers wrote:
“If you’re reading this it means the internal infrastructure of your company is fully or partially dead…Let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue”.
Despite having cybersecurity insurance in place, KNP could not afford the estimated £5 million ransom price to decrypt the stolen data and restore access to the company’s system. Unable to operate, the company collapsed resulting in the loss of 700 jobs.
This tale is a stark reminder of how easily cyber gangs can take advantage of simple security lapses such as a weak password. Operational resilience in the face of these threats relies on companies taking measures such as:
- enforcing strong password policies and regular updates
- implementing multi-factor authentication
- backing up data securely with proper encryption
- training staff to spot the signs of cyber sorcery
Attacks against big names like JLR, Harrods and M&S often attract media attention. However, this cautionary tale demonstrates the devastating impact that cybersecurity incidents can have on small and medium enterprises (SMEs), like KNP, which may lack the capital resources or defences to survive, are unlikely to receive government bailouts and, consequently, are more prone to collapse.
For example, data from Coalition Research suggests that 75% of the 133 UK companies publicly listed by ransomware groups in 2025 had fewer than 200 employees. The group most affected by cyber-attacks was those companies with 10 employees or fewer. This reinforces the importance of cybersecurity for SMEs who appear to be disproportionately impacted.
This is not just a hack…this is an M&S hack and tales of other retail cybersecurity incidents
Earlier this year, M&S was among three retailers, along with the Co-op and Harrods, that were victims of cyber incidents. The culprit behind this hack on M&S is thought to be a web of cybercriminals known as the Scattered Spider. The attack left shelves bare and resulted in the disruption of online orders and click-and-collect services for seven and 15 weeks respectively. Customer data was also stolen. The financial ramifications have been significant with the incident estimated to have cost the retail giant around £300 million in lost profits this year.
The Co-op weathered no better. All 6.5 million members had their data stolen and the incident contributed to a pre-tax loss of £75m.
However, amongst these dark tales, there are commercial and legal lessons to be learned:
- Strong crisis communication: From a commercial perspective, timely and transparent communication with employees, customers and the media, among other stakeholders, is crucial to help the company take control of the narrative and protect its reputation. For example, M&S kept customers informed about the breach through statements from the CEO, which were effective at showing accountability from the top. The National Cyber Security Centre recommends preparing for a potential incident by developing pre-approved templates for communications with various stakeholders, as well as identifying an official company spokesperson who is trained on crisis communication and is aligned with the company’s messaging. From a legal perspective, effective communication is also crucial for complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. While meeting legal obligations, organisations must not lose sight of the human impact of a crisis, which requires clear and compassionate messaging to help maintain trust and support those affected.
- Reporting obligations: In addition to complying with Article 34 of the GDPR, both M&S and the Co-op would have needed to notify the Information Commissioner’s Office (ICO) without delay and no later than 72 hours after becoming aware of the breach under Article 33(1) of the GDPR. This was because there was a risk to the rights and freedoms of their customers. Both companies reported the incident to the National Cyber Security Centre (NCSC) and other companies should consider this where a significant cyber incident occurs.
- Crisis preparedness: It is also reported that M&S had an excellent cybersecurity response plan and had conducted a mock cyber-attack in the year before the incident. A robust incident response plan is your spellbook for containing an attack.
- Cybersecurity insurance: This is where the stories of M&S and Co-op diverge. It is believed that M&S will be able to recover at least part of its losses through cybersecurity insurance. Meanwhile, the Co-op did not have specific cybersecurity insurance and will bear the full financial impact of the attack. However, companies should be aware that having insurance is not a ‘get out of jail free card’ and should think carefully about the level of insurance coverage they require. As described above, KNP had insurance and still was forced to shut down.
Remedies and fancy (re)dress
If the worst happens and a cybersecurity breach occurs, what are your legal remedies?
For individuals
For an individual whose data has been compromised, there may be several causes of action. For example, if the company holding the data did not take sufficient steps to secure it and/or did not have appropriate policies in place, claims for breach of contract, negligence or breach of statutory duty may be made out. The value of this kind of data breach compensation claim is often low, but claimants can join together to bring a group data breach claim. The likelihood of success of such claims has recently been increased by the Court of Appeal’s ruling in Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117, which held that there is no ‘threshold of seriousness’ which must be met. M&S is already facing a group claim from its data breach by at least one law firm, Thompsons Solicitors, whose website suggests over 10,000 individuals have ‘signed up’ for the potential claim (which does not appear to have been issued yet) so far.
For companies
For a company that has suffered a breach, there are several potential civil and criminal remedies that can be pursued. For example, injunctions can be sought – even against persons unknown – to prevent further dissemination or use of the data. In the recent case of HCRG Care -v- Person(s) Unknown [KB 2025-000736], the attackers, known only as ‘Medusa’, stole confidential data belonging to employees, clients and third parties of a prominent UK health care organisation.
Faced with extortion threats, HCRG successfully obtained an interim – and then final – injunction for breach of confidence to prevent further misuse or disclosure of the stolen information. Despite the inherent difficulties in serving injunctions on ‘unknown persons’, service was achieved via a web portal and ultimately by email. The case highlights the English court’s flexible approach to bringing those responsible for ransomware attacks to justice.
Proprietary or freezing orders can be obtained to trace and recover any assets stolen as part of the hack and Norwich Pharmacal orders can offer a means of tracing and identifying wrongdoers by obtaining relevant disclosure from third parties as to the identity of the hackers.
Plainly, none of these spooky solutions are as effective as avoiding the breach in the first place. This year, as you celebrate Halloween, make sure you are not taken in by any of the ‘tricks’ listed above and instead, ‘treat’ yourself to some cybersecurity and up-to-date legal advice!
Visa 2025 global ecommerce report: payment merchants remain reluctant to embrace cryptocurrency
Earlier this year, Visa, in collaboration with the Merchant Risk Council or MRC, published its 2025 Global eCommerce Payments & Fraud Report, revealing a sharp rise in post-purchase fraud, a growing adoption of real-time payments and a shift in how merchants worldwide are balancing security with customer experience.
The report is drawn from over 1,000 merchants across 38 countries. The take-home message for crypto and fintech businesses is that merchants remain reluctant to accept cryptocurrency payments and continue to grapple with its security implications. However, that is not to say merchants are ignoring new technologies as many are now embracing AI-driven tools for fraud-prevention.
Merchants across the board offer a limited set of tender types. They all accept card, digital wallets and bank transfers but only approximately 10% of merchants accept cryptocurrency at checkout. That makes cryptocurrency the least accepted payment method overall among the surveyed merchants, even lagging behind fiat (which plummeted in its acceptance by 10% since 2024). That also means that very few new merchants have decided to onboard cryptocurrency since previous years. Preferences at checkout remain outcome-driven as merchants steer their customers toward certain methods which lower payment-fraud risk and reduce processing costs.
By contrast, real-time payments (RTPs) are on a clear upward trajectory. Thirty-seven per cent of merchants already accept RTP and among those adopters, about 79% saw usage increase over the last year and 87% expect further growth next year.
RTPs offer merchants and customers near-instantaneous transfers of sums between accounts which can be done any time 24/7 so it is not surprising that they are so popular.
A large share of non-adopters indicate they are looking to add RTP in the near future. If crypto payments are to achieve more mainstream adoption, they will have to credibly compete with RTP on ease of use and minimise chance of fraud exposure and end-to-end costs. While many blockchain-based currencies rely on robust cryptographic standards like SHA-256, offering 256-bit security, cryptocurrencies still face reputational challenges.
Their association with cybercrime and anonymous transactions continues to fuel public scepticism. Until that perception shifts and tangible steps are taken to reduce user-end vulnerabilities, the broader acceptance of crypto payments in business to customer transactions may remain limited.
So what are the vulnerabilities in the way merchants currently work? Turning to the report’s general findings, fraud remains a prevalent issue. The top five attacks globally are refund/policy abuse, RTP fraud, phishing/pharming/whaling, first-party misuse and card testing, each affecting roughly one-third to nearly one-half of merchants. RTP fraud is in the lead affecting almost half of merchants.
North American merchants are more likely to suffer RTP fraud, while refund and policy abuse are the leading problems in Asia and Latin America. For crypto payments, the practical point is that merchant attention is also on post-purchase and policy-driven losses, not just fraud at the payment authorisation stage. A checkout system that prevents chargebacks does not, by itself, address disputes rooted in fulfilment or policy abuse.
Merchants report persistent fraud management challenges and plan to invest accordingly and 63% expect to increase investment in tools and technologies. They are prioritising new solutions over new staff: 19% expect to decrease spending on fraud management staff/talent in the next two years. Solutions that lower cost and reduce manual review are explicitly in scope for the near future. It stands to reason the solutions to crypto payments’ fraud risk (such as on-chain exposure heuristics) will be evaluated on that same basis.
Overall, it is clear that in mainstream eCommerce, crypto payments remain a minority tender compared to other new methods like RTP. The merchants in this report reward systems that reduce fraud risk and processing cost, and minimise operational inefficiencies. Digital-asset offerings that can be shown to meet those tests may earn merchants’ trust and eventually be more widely accepted at checkout.
Crypto exchanges, cryptic court rules and the mystery of the unknown defendant…
For crypto exchanges, compliance with court orders over crypto wallets can be a delicate balancing act. Non-compliance could result in serious consequences, including contempt of court. However, delivery of the wrong crypto asset could also result in liability. And what is the remedy for the innocent party if the wrong crypto asset is delivered – can the order be set aside?
Civil Procedure Rule 40.9 states that if you have been ‘directly affected by a judgment or order’, you can apply to have the order set aside or varied, despite not being a party to it. However, the rule is spookily silent (or ‘relatively lacking in prescription’) on what is meant by ‘directly affected’.
The recent crypto case of Jones v Persons Unknown & Ors [2025] EWHC 1823 (Comm) has now provided some clarity. Unfortunately for the applicant, crypto exchange, Kyrrex, a person is not ‘directly affected’ by a judgment if their assets have been mistakenly taken to comply with that judgment. In other words, if a judgment orders a step to be taken but the step is mistakenly taken against the wrong party, that party is not ‘directly affected’ by the judgment or order. Instead, it has been indirectly affected by the mistake. While the court had every sympathy with ‘innocent losers’ Kyrrex, it ruled that it had no standing to set aside the order.
This judgment highlights the far-reaching consequences of errors in the tracing and identification of crypto assets. From a practical perspective, it shows the importance of acting promptly and how delays in investigation or legal action can prejudice your position. It is also a salutary reminder to ensure that any tracing investigation is carried out by someone with the necessary expertise.
Background
Mr Jones, a Bitcoin investor, fell victim to a large-scale crypto investment scam in 2019. He was conned into agreeing to let fraudsters invest his Bitcoin. Instead of investing, however, they spirited away just under 90 Bitcoin (with a value of about £1.5 million) across the blockchain. Following expert tracing evidence, Mr Jones successfully obtained worldwide freezing and proprietary orders against persons unknown (the fraudsters) and an order against the crypto exchange Huobi Global Limited, to where the Bitcoin had been traced into Huobi wallets.
Mr Jones then secured summary judgment against the unknown fraudsters and Huobi (which had taken no active part in the proceedings). In 2022, following judgment and final orders, Huobi was ordered to deliver up the Bitcoin. It complied but in the course of compliance, deducted funds from wallets linked to Kyrrex, a separate company not linked to the fraud.
While Kyrrex complained at the time about the deduction, it was not until November 2024 that it applied to set aside the order.
The law
In addition to the analysis of the term ‘directly affected’, the court also concluded that Kyrrex’s two-year delay in bringing the application meant it was brought far too late. In the intervening period, Huobi had ceased to be listed on the Seychelles Register of International Business Companies and was now operating under the name HTX. This change, combined with the passage of time, would have made it almost impossible for Mr Jones to trace his Bitcoin through other exchanges. Accordingly, the delay adversely prejudiced Mr Jones and the court ruled this was also a reason not to set aside the order.
The lessons
While Mr Jones successfully obtained the remedy he sought (the delivery up of the stolen Bitcoin), a problem was created in obtaining that remedy. According to Kyrrex, the unjustified and mistaken deduction from its wallet had left it liable to claims from its own customers.
The possibility and practicality of tracing Bitcoin and other cryptocurrencies is a complex technical and legal question. While the English courts now clearly accept that cryptocurrency is property (and the Property (Digital Assets etc.) Bill intends to confirm the same), it can remain challenging to trace or follow. This is particularly the case where, as here, the cryptocurrency is traced to a ‘mixed’ wallet. A further difficulty here was that the account was recorded ‘off-chain’, meaning there was no clear blockchain analysis evidencing the arrangements between the exchange and its customers.
This judgment underscores the need for technically competent and robust expert evidence. While Kyrrex was not successful in this application, the court appears to have accepted that the initial expert evidence was inaccurate. This is likely to lead to greater challenges to expert tracing evidence in the future from both the courts and defendant exchanges.
Questions of applicable law and jurisdiction in tracing crypto assets also create complexity. While the position in English law is not yet clear, the emerging consensus (following a Law Commission consultation) suggests that digital assets are likely to be recommended to be deemed to be ‘located’ in law wherever the controller of the asset’s private key is located.
While the Law Commission’s consultation remains ongoing, should this approach be adopted, in a case such as this where a crypto asset is ‘controlled’ by fraudsters, strategic legal planning will be required to ensure that any additional jurisdictional hurdles are met.
Final thoughts
This case highlights the nuances and challenges in responding to court orders for third-party crypto platforms. While compliance with court orders is plainly desirable and necessary, the risks of inadvertent errors by decentralised systems are significant. As the courts continue to adapt to the challenges of new classes of assets – and new ways to defraud people of them – litigation strategy in crypto disputes must be driven not just by knowledge of the law but the technology itself.





