Important Note: This article is for general information and educational purposes only—not legal advice. It draws on the written judgment of Judicial Commissioner Ong Chee Kwan dated 22 December 2020 and 13 February 2021, and on commentaries by Skrine, Foong Cheng Leong, and The Malaysian Lawyer.
For illustration only
What a Landmark Cyber Fraud Case Means for Financial Institutions and Commercial Litigators
In September 2020, a German chemical manufacturer, Zschimmer & Schwarz GmbH, received an email from its long‑standing South Korean business partner, Real KoWorks. The partner had requested a routine commission payment of roughly €123,000 to be paid into its Korean bank account. What followed was a sophisticated, two‑stage fraud that spanned continents and exploited both electronic and physical channels of communication.
Unknown persons had infiltrated the email exchanges between the two companies. Posing as Real KoWorks, they told the German company that the payment must be made to a Malaysian bank account, citing a “sudden economic inflation” in Korea. At the fraudsters’ request, the German company couriered a form to Real KoWorks to be signed and stamped. That was the company’s internal policy whenever a bank account was changed. However, en route, the fraudsters intercepted the form, manipulated its contents, and then forwarded it to Real KoWorks. They also created fake email addresses impersonating the German company’s representative. The emails were used to convince Real KoWorks to sign and stamp the altered form before returning it to Germany. Believing the form to be genuine, the German company instructed its bank to pay the sum into the Malaysian Muamalat Bank account of Kontiinuer Engenharia Industrial.
View the full timeline of the first fraud attempt →
The first attempt failed. The payment was stopped by the German company’s bank for further authentication. The fraudsters, undeterred, tried again. They requested that the German company recall the payment and deduct a recall fee of €126.00 from the commission payment. The fraudsters also provided new bank details for a CIMB account held by Mohammad Azuwan bin Othman, trading as Premier Outlook Services. Once more, they manipulated the courier‑based verification process. They used the same fake email addresses to trick Real KoWorks into signing and stamping a fresh set of forms. This time, the deception succeeded. On or about 27 October 2020, the German company instructed its bank to pay approximately €123,014.65—roughly RM600,000—into the Premier Outlook CIMB account. The funds were credited on 30 October 2020 and fully transferred out shortly thereafter.
How Do You Sue an Unknown Person
The fraud was discovered only when Real KoWorks reported it had not received any commission. By then, the money had already moved into other Malaysian bank accounts. The German company knew its funds had landed in a specific CIMB account, but the real perpetrators—the 1st Defendant, described in the proceedings as “Persons Unknown”—remained unidentified.
What do you do when you know your money has been diverted into a Malaysian bank account but you have no idea who the perpetrators are? Zschimmer & Schwarz acted swiftly, seeking broad reliefs on an urgent ex parte basis via the e‑review platform—a system that allows judges, registrars, and lawyers to conduct hearings and manage cases online. The High Court, faced with an application that tested the boundaries of Malaysian civil procedure, rose to the challenge. In doing so, it broke new ground in Malaysian law.
Novel Orders: Three Landmark Firsts
On 22 December 2020, Judicial Commissioner Ong Chee Kwan granted three orders, each a first in Malaysia, that together created a practical pathway for victims of anonymous cyber fraud to seek relief. Plaintiff, Zschimmer & Schwarz GmbH, had named two defendants: the unknown fraudsters as the 1st Defendant, and Mohammad Azuwan bin Othman, the account holder, as the 2nd Defendant. It sought two broad reliefs—a proprietary injunction and Mareva injunction against both defendants, and substituted service by email and advertisement against the first defendant. The court granted both.
1. Proprietary Injunction Against “Persons Unknown”
The proprietary injunction preserved the plaintiff’s proprietary interest in the siphoned funds. This was the first time such an order had been made against unnamed defendants in Malaysia. The order also prevented the 2nd Defendant from dealing with the money while the legal process unfolded.
2. Mareva Freezing Injunction Against “Persons Unknown”
The Mareva freezing injunction restrained any dissipation of assets pending judgment, also a first against “Persons Unknown.” Importantly, when the plaintiff later discovered that the funds had flowed from the CIMB account into other bank accounts, it applied to amend the writ and statement of claim to include the recipients as the 3rd and 4th Defendants, and sought further ex parte proprietary and Mareva freezing injunctions against them. The court (on 13 February 2021) granted those applications as well, demonstrating that the injunctions could follow the money as the trail of funds expanded.
3. Substituted Service via Email and Dropbox
The court ordered that substituted service of the originating process on the 1st Defendant be effected via the email addresses used in the fraud. Because the full set of cause papers was too large to attach as a single file, the court also allowed the plaintiff to include a link to an online Dropbox folder in the email sent to the 1st Defendant. This was both practical and unprecedented. The court recognised that in cyber fraud cases the only known contact points for the defendants are often digital, and therefore ensured the 1st Defendant could conveniently access the full set of papers.
The Legal Reasoning: An English Foundation, A Malaysian Anchor
The court did not invent these remedies from scratch. It drew on a growing body of English case law, in particular CMOC Sales & Marketing Ltd v Persons Unknown [2018] EWHC 2230 (Comm), which had permitted similar injunctions against unnamed fraudsters. Central to the reasoning was the two‑category test laid down by the UK Supreme Court in Cameron v Liverpool Victoria Insurance Co Ltd [2019]:
Category 1: Anonymous defendants who are identifiable (though not yet named) by reference to their role in the wrong or their connection to specific acts—such as the sender of a particular email or the controller of a particular bank account—can be sued.
Category 2: Truly anonymous defendants, with no identifying characteristics at all, cannot.
The fraudsters in Zschimmer & Schwarz fell squarely within Category 1. They were identifiable by their connection to the specific email addresses used to deceive the company and by their connection to the bank account into which the funds were paid. That was sufficient to satisfy the threshold.
Crucially, the court did not rely solely on English authorities. Judicial Commissioner Ong Chee Kwan also cited a Malaysian legal text: Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law, in particular the section dealing with actions against Persons Unknown. This gave the decision a local anchor, and it showed that Malaysian legal writing was keeping pace with the challenges of cyber fraud.
The court further noted that nothing in the Malaysian Rules of Court 2012 prohibited the filing of claims against “Persons Unknown.” Order 89 of those Rules already permitted such references in land possession cases, providing a procedural foothold. The purpose of the injunctions, the court explained, was to act as a springboard for further disclosure orders against banks and other third parties. The goal was that by the time of trial, the fraudsters could be identified.
The Spartacus Order: A Demand to Step Forward
In a subsequent decision, on February 13, 2021, the same court granted Malaysia’s first self‑identification order against the 1st Defendant, known as a Spartacus Order.
The order required the unknown fraudster(s) to identify themselves by responding to a newspaper advertisement within seven days. Failure to comply would expose them to committal proceedings for contempt of court. The court drew on English authority—PML v Person(s) Unknown [2018] EWHC 838 (QB)—which held that while a defendant may choose to disobey, it cannot be assumed that all will. Contempt of court is a powerful deterrent. The court also noted the case of NPV v QEL & Another [2018] EWHC 703 (QB), where an anonymous defendant had actually complied with a similar order and provided his name and address.
For the first time in Malaysia, a court had ordered an unknown defendant to unmask himself, or face the consequences. The order is not confined to commercial fraud; it can be deployed against anonymous hackers, blackmailers, and sextortion perpetrators.
Practical Takeaways for Financial Institutions and Businesses
The Zschimmer & Schwarz case has real, practical significance. It offers concrete, actionable lessons for financial institutions, commercial litigation lawyers, and businesses.
- Cyber fraud victims can sue—even when the perpetrator is unknown. As long as the fraudster is identifiable by reference to their actions—the email accounts they used, the bank accounts they controlled—Malaysian courts will entertain claims and grant injunctions against “Persons Unknown.”
- Injunctions can follow the money. When funds move from the initial recipient to other accounts, further injunctions can be obtained against the new recipients. The court’s willingness to add the 3rd and 4th Defendants and grant further Mareva and proprietary injunctions demonstrates that the remedies are not static; they adapt to the flow of assets.
- Banks may be compelled to disclose information. The freezing and proprietary injunctions serve as a springboard for disclosure orders, enabling victims to trace and recover funds through the banking system.
- Fraudsters can be ordered to identify themselves. The Spartacus Order is a novel and powerful tool. It turns the table on anonymous fraudsters, and there is an English authority confirming it can work in practice.
- Fraud can exploit both electronic and physical communication channels. In this case, the fraudsters did not rely solely on fake emails. They also intercepted and manipulated documents sent by couriers. Businesses must implement robust verification protocols across all communication methods—not just email—especially for cross‑border transactions.
- Malaysian courts are drawing on local as well as English authority. The willingness to follow English case law while also finding support in Malaysian legal writing shows a judiciary that is practical, modern, and resourceful. For commercial litigators, the case provides a clear roadmap.
A Closing Thought
A German company, a South Korean partner, a Malaysian bank account, and fraudsters hiding behind both fake emails and intercepted courier documents. The threads of this case stretch across continents and communication channels. Yet the legal remedy was forged in a Malaysian High Court.
For businesses that fear there is no recourse against anonymous cyber fraud, Zschimmer & Schwarz says otherwise. The law can reach into the unknown. It can freeze assets before they vanish, trace them as they move, and—with a Spartacus Order—even demand that the unknown step forward and be named.
Download our free Cyber Fraud Response Checklist for businesses →