Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang. This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses suffered when it reimburses its insureds for ransoms that are later recovered through law enforcement action.
Major NetWalker arrest leads to significant asset seizure and plea deal
In early 2021, Sebastien Vachon-Desjardins was apprehended by the RCMP. Vachon-Desjardins was an affiliate of a ransomware gang responsible for NetWalker ransomware, which not only locks up a user’s data but leaks a sample of the stolen data online to demonstrate the gang’s nefarious intentions. Vachon-Desjardins’ sentencing reasons cite 17 Canadian victims, other international victims and notes that he trained numerous others on how to propagate the scheme.
In connection with Vachon-Desjardins’ arrest, the RCMP seized more than 680 bitcoins, worth more than $22 million at the time, along with a significant amount of cash and other assets.
In a sentencing order granted on January 31, 2022, the Ontario Court of Justice sentenced Vachon-Desjardins to serve seven years in accordance with a plea agreement, and made restitution orders in favour of several victims, including an order awarding $72,503 to our client’s insured.
Insurers excluded from restitution order
The criminal restitution process in Canada includes no established process for identifying victims to invite them to apply for restitution. Victims who are in contact with law enforcement during the investigation may be invited to apply, but these invitations are extended on an ad hoc basis.
Insurers do not appear to have been contacted to apply for restitution. Our client’s insured was awarded restitution, but only for its out-of-pocket costs, over and above the amount reimbursed by insurance under its cyber policy, which amount included $525,000 to pay the ransom required. Further, following the court’s order for sentencing and restitution, the court was functus – no appeal was taken by any party, nor would a non-party such as a victim have clear standing to appeal.
Client obtains relief from forfeiture
Ordinarily, assets seized in a criminal investigation are forfeited to authorities 30 days after sentencing, unless a party can make an application under Criminal Code s. 462.42 for relief from forfeiture. To satisfy the test for relief from forfeiture, the applying party must satisfy the court it has an interest in the property and not be involved in the crime or any complicity in the offence at issue.
In this case, the insurer had a clear interest in the bitcoin that was paid by its insured to satisfy the ransom, having reimbursed its insured for that amount. It managed to overcome the Crown’s initial opposition and settle an order for relief from forfeiture that provides meaningful and rare recovery in a complex ransomware case.
 NRF’s insurer client was represented by Andrew McCoomb and Tyler Morrison of Norton Rose Fulbright Canada’s Toronto office in this matter.