High Court Issues Injunctions Against “Persons Unknown” in Cyber Fraud Case

According to a news report, a total of 5,697 cases of cyber fraud were reported to CyberSecurity Malaysia, the national cyber security specialist and technical centre under the purview of the Ministry of Communications and Multimedia Malaysia, from January to August 2020.
While cyber fraud cases are often reported, it is not often that the fraudster is actually caught and brought to justice. This is unsurprising as the identity of the fraudster is often unknown and victims may not know what recourse is available against an unknown person.
All this will now change with the recent decision of the Malaysian High Court in Zschimmer & Schwarz GMBH & Co. KG Chemische Fabriken v Persons Unknown and Mohammad Azuwan bin Othman (t/a Premier Outlook Services) KLHC Suit No. WA-22NCC-600-12/2020 (“Zschimmer & Schwarz”) where the Court granted a Mareva Injunction and a proprietary injunction against “Persons Unknown” in a cyber fraud claim for the first time in Malaysia.
One may ask what is the utility of such injunction orders being granted against “Persons Unknown”? The utility of such injunction orders lies in its ability to be a springboard for the grant of further ancillary relief vis-a-vis third parties to eventually reveal the identity of the alleged fraudsters so that by the time trial commences, the identity of the alleged fraudster(s) would be known. In other words, the purpose of such orders is to grant temporary relief pending trial, during which time the wrongdoers can be identified. 
Brief Facts
In Zschimmer & Schwarz, the Plaintiff, a German company, had been in communication with its South Korean business partner (“Korean Company”) through emails. The Plaintiff was under the impression that it was about to make a commission payment to the Korean Company.  The fraudster, whose identity is unknown (hence named as “Persons Unknown” in the claim), was able to infiltrate the email communications and participated in the fraud to deceive the Plaintiff into mistakenly paying the commission into the 2nd Defendant’s bank account in Malaysia.
The fraudster was able to send emails from the Korean Company’s email account to the Plaintiff to trick the Plaintiff into making payment of the commission into a bank account in Malaysia, belonging to the 2nd Defendant. At the same time, the fraudster also created a fake email account to impersonate the Plaintiff so as to complete the fraud. The Korean Company was under the impression that it was communicating with the Plaintiff but in actual fact, it was the fraudster whom the Korean Company was communicating with.
Ultimately, the fraudster was successful, and the Plaintiff made a payment of approximately €123,014.65 into the 2nd Defendant’s bank account in Malaysia. The 2nd Defendant is a sole proprietor whose identify was known. The Plaintiff eventually discovered that the payment was not made to the Korean Company. The Plaintiff then filed an application (on an urgent ex parte basis) for among others, a proprietary injunction and a Mareva injunction against the fraudster who was named as “Persons Unknown” (1st Defendant) and the 2nd Defendant (“Plaintiff’s Application”).
The High Court allowed the Plaintiff’s Application against both the Defendants.
Some of the salient points from the High Court’s Grounds of Judgment are explained below.
The High Court Decision
Jurisdiction to grant injunction orders against Persons Unknown
While the High Court was cognisant of the fact that it is not usually the case that a defendant is described as “Persons Unknown”, it was nevertheless satisfied that it had jurisdiction to grant interlocutory injunction orders against “Persons Unknown”. In this regard, the High Court acknowledged the fact that in cases involving cyber fraud, the identity of the fraudsters is often unknown. The High Court was also cognisant of the fact that injunctive orders were often granted in the United Kingdom against “Persons Unknown” in cases involving fraud.
The High Court compared the present case to the English High Court case of CMOC Sales & Marketing Limited v Persons Unknown [2018] EWHC 2230 (Comm) (“CMOC Case”) where the fraudsters, whose identity were unknown, had hacked into the company’s email system and caused the company’s bank to pay millions out of its bank account. The English High Court allowed the company’s application for various interim injunctive orders, including a worldwide freezing order, against the fraudsters who were named as “Persons Unknown”. The process of identifying the unknown fraudsters was essentially by obtaining information and disclosure orders against the banks into which the funds were originally paid from the company’s bank account. By the time the trial started, the claimant had already named most of the fraudsters.
The High Court was of the view that the CMOC Case confirmed that Courts have jurisdiction to grant injunctive orders against “Persons Unknown”.  Be that as it may, it must be cautioned that it is not in every case where the defendant cannot be named, that the Court has jurisdiction to grant an injunctive order. In this regard, the High Court had referred to Cameron v Liverpool Victoria Insurance Co Ltd [2019] 3 All ER 1 (SC) where the United Kingdom Supreme Court explained there are two different categories of cases where the defendant cannot be named, to which different considerations apply.
The first category comprises anonymous defendants who are identifiable but whose names are unknown. An example would be squatters occupying a property who are identifiable by their location, although they cannot be named. The second category comprises defendants, such as most hit and run drivers, who are not only anonymous but cannot even be identified. The distinction is that in the first category the defendant is described in a way that makes it possible in principle to locate or communicate with him and to know without further inquiry whether he is the same as the person described in the claim form, whereas in the second category it is not. It is only in those cases falling under the first category can the Courts exercise its jurisdiction over an unnamed defendant.  Similarly, in the CMOC Case the English High Court cautioned that the description of the “Persons Unknown” must be sufficiently certain as to identify both those who are included and those who are not. This essentially means that cases can only brought against anonymous defendants whose names are unknown if and only if they can be described in a way that makes it possible to identify them.
The High Court was also cognisant of the fact that there is nothing in the Rules of Court 2012 which prohibits Writ of Summons and applications from being filed against “Persons Unknown”.
Jurisdiction to grant parallel proprietary injunction and Mareva injunction orders
The High Court was of the view that it has jurisdiction to grant parallel proprietary injunction and Mareva injunction orders and noted that this is often done in fraud cases. The High Court explained that there is a difference between the two remedies. A Mareva injunction is designed to protect a plaintiff against dissipation of assets on which he might execute judgment against while a proprietary injunction is to preserve assets over which a plaintiff has a proprietary claim. These are the assets that can be turned over to the plaintiff if he is successful in the action. Unlike a Mareva injunction, there is no need for the plaintiff to show a risk of dissipation of assets when seeking proprietary injunction.
Service of cause papers against Persons Unknown
The High Court recognised that it would be impractical for the cause papers to be served personally on the 1st Defendant as “Persons Unknown”. On that basis, the High Court also allowed the Plaintiff to effect service on the 1st Defendant through email, that is, by sending emails to the fake email addresses that were used by and in control of the 1st Defendant. The High Court was also satisfied that there is nothing to prevent the court from granting an order for substituted service by way of email.
The decision in Zschimmer & Schwarz shows that the Malaysian Court is willing to extend its jurisdiction as required in order to assist the victims of cyber fraud. It also shows the Malaysian Court’s willingness to grant reliefs to keep pace with cross-border recovery efforts. Victims of cyber fraud will now have an additional tool at their disposal. It is also worth noting that there has yet to be any such case decided by the Courts of neighbouring country, Singapore. The dynamism shown by the Malaysian Court in this case will no doubt increase the confidence of foreign investors in the Malaysian judicial system.
Case commentary by Janice Ooi (Senior Associate) of Skrine