Executive Summary: Key Legal and Evidentiary Issues

• Allocation of fraud loss between a cryptocurrency broker and its customer where a third-party “FBI” imposter used remote access and email to orchestrate unauthorised Bitcoin purchases.
• Validity of the underlying Bitcoin purchase contracts, including whether two large $100,000 transactions were binding despite being arranged by fraudsters using the customer’s email and computer.
• Interpretation and application of the “Isaacs/Marvco” common law principle on which party must bear a fraud loss when one party’s active carelessness enables the fraud.
• Construction of the pre-authorized debit (PAD) agreement, particularly clause 8, and whether it obliged the broker to “issue” a password or security code as a condition of debiting the customer’s account.
• Comparison between common law principles and a Québec Civil Code–based duty of prudence, and whether the trial judge erred by importing a civil law standard into a Saskatchewan common law dispute.
• Assessment of whether compliance or non-compliance with contractual and regulatory frameworks (PAD terms, Payments Canada rules, FINTRAC “travel rule”) would have prevented the loss.

Factual background and online fraud scheme

HoneyBadger Enterprises Ltd. is a business that brokers the purchase and sale of cryptocurrency, including Bitcoin. Its customer, Norman Bue, became entangled in a series of online frauds involving purported overseas entities and government agencies. Initially, around 2022, he invested about $53,873 in what he believed was a company called “Main Bit Ltd.”, which turned out not to be a real corporate entity. When he attempted to withdraw his investment, the “company” stopped responding. After this first fraud, someone claiming to act on behalf of the “Ministry of Justice at the United Kingdom” contacted him, asserting that the Ministry had seized the assets of “Main Bit Ltd.” and would compensate investors. To receive funds, he was told to send cryptocurrency first; he sent over $190,000 CAD in this way but received no compensation. A third approach came from a supposed “Cybercrime agency” called “Funds Recall,” offering to recover both the “Main Bit Ltd.” investment and the sums he had already wired to the supposed Ministry. This also required an upfront transfer of cryptocurrency, which he did not make. The final and most consequential fraud involved a supposed “cybersecurity division” of the FBI. The “FBI” contacted Mr. Bue and offered to help him recover all funds he had already lost, for a fee of $80,000 payable in cryptocurrency. As part of this interaction, the fraudsters directed him to participate in what they described as “dummy money transfers” to assist in dismantling the illegal operation that had defrauded him, and they provided him with a cryptocurrency wallet to use for these transfers. Critically, Mr. Bue voluntarily gave the fraudsters remote access to his computer and the password to his personal email account. The fraudsters also created an additional email account for him and provided the login credentials. Both email accounts were later provided by him to HoneyBadger as his own, and he instructed HoneyBadger to send all purchased Bitcoin to the wallet address supplied by the “FBI.”

Relationship with HoneyBadger and the PAD arrangement

On April 25, 2023, Mr. Bue contacted HoneyBadger for the first time to facilitate an $80,000 Bitcoin purchase. He did not disclose his prior victimisation by multiple fraud schemes or that the purpose of purchasing Bitcoin was to transfer it to the purported FBI. HoneyBadger emailed him its terms and described the process for purchasing cryptocurrency. On that basis, an overarching “Transaction Agreement” was formed: he could initiate purchases by email, HoneyBadger would obtain payment via a pre-authorized debit (PAD) arrangement with his credit union, and then HoneyBadger would quote a price and deliver Bitcoin to the wallet he specified. To enable debiting of his account, he signed a standard-form PAD agreement. This PAD form, owned and generated by Central 1 Credit Union, was a standard credit-union document used to regulate the obligations and liabilities of the “Payor” (here, Bue), the “Processing Institution” (the credit union), and the “Payee” (HoneyBadger) within the Payments Canada / Canadian Payments Association (CPA) regime. In the PAD agreement, he identified his credit union and account details but did not specify a maximum withdrawal limit and agreed that withdrawals would be with “sporadic” frequency rather than fixed instalments. One key term was clause 8, which stated that where PADs are sporadic, the Payee (HoneyBadger) must obtain authorisation for each PAD and that “a password or security code or other signature equivalent will be issued and will constitute valid authorization for the Processing Institution to debit the Account.” The interpretation of who must “issue” this password or signature equivalent, and for whose benefit, became central on appeal. HoneyBadger also carried out a “know-your-client” process. It verified his identity, physical address, and email accounts against his government-issued identification, and it treated the two email addresses he supplied as belonging exclusively to him.

The Bitcoin transactions and disputed payments

Within this framework, six Bitcoin purchase transactions were executed through HoneyBadger. Each was initiated from one of the email addresses that Bue had provided, and each followed a standard pattern: an email from him (or whomever had access to his email) asking HoneyBadger to purchase a specified amount of cryptocurrency, HoneyBadger issuing a PAD instruction to his credit union to debit that amount, then emailing him a quote with the applicable Bitcoin quantity, followed by a confirming email from that same account approving the transaction and directing HoneyBadger to deposit the Bitcoin to the “FBI” wallet. The first two transactions, totalling about $79,991, were carried out on April 27 and May 1, 2023. The April 27 purchase was funded by wire transfer; the May 1 purchase was the first to be debited from his credit union account under the PAD. Bue expressly acknowledged that he authorised both of these transactions. On May 29 and 30, 2023, HoneyBadger received emailed requests to purchase $10,000 and then $30,000 of Bitcoin. Again, he admitted that he had authorised these two smaller transactions. The remaining two transactions are the ones he later disputed: HoneyBadger received email instructions to effect $100,000 of Bitcoin purchases on each of May 31 and June 1, 2023. He denied ever authorising these two large transfers, claiming they were initiated solely by the fraudsters using remote access to his computer and control of his email accounts. Notwithstanding his later denial, each of the six transactions followed the same contractual pattern, were initiated from the email accounts he had put forward as his own, and directed Bitcoin to the same third-party wallet he had provided.

Dispute over reversals and the first instance judgment

On June 6, 2023, several days after the last transaction, Bue contacted HoneyBadger and objected to the last four transactions totalling $240,000 (the two smaller amounts plus the two $100,000 transfers). By then, HoneyBadger had already debited his credit union account under the PAD and delivered the Bitcoin to the designated wallet. At Bue’s request, the credit union reversed the PAD debits totalling $240,000 from HoneyBadger’s account. HoneyBadger then went to court and obtained a preservation order to keep the disputed $240,000 intact while liability was litigated. It later discontinued its claim against the credit union, and HoneyBadger’s counsel held the preserved sum in trust pending judgment. Because Bue admitted authorising $40,000 worth of the impugned transactions, $40,000 of the preserved funds was released to HoneyBadger when the King’s Bench judgment was eventually rendered, leaving $200,000 in dispute. In the summary judgment application, HoneyBadger claimed that Bue had breached the PAD agreement by instigating the reversal of properly authorised and processed debits, and that it had complied with applicable FINTRAC anti-money laundering guidelines. It maintained it bore no responsibility for the fraud perpetrated by the unknown third party and sought recovery of the full $240,000. Bue’s defence was that the two $100,000 transactions were unauthorised, that the PAD agreement and related regulatory regimes (including the “travel rule”) imposed duties on HoneyBadger to detect or prevent such fraud, and that it had breached these obligations. He also argued that cryptocurrency was “goods” governed by The Sale of Goods Act, and he counterclaimed for damages arising from the preservation order, alleging abuse of process. The King’s Bench judge rejected his Sale of Goods Act argument, holding that cryptocurrency is not a “good” under that statute and that the relevant transactions were underpinned by written agreements. She found there was insufficient evidence to determine whether HoneyBadger had complied with the FINTRAC “travel rule” and dismissed his abuse-of-process counterclaim, noting that it was legitimate for HoneyBadger to seek a preservation order.

Trial judge’s allocation of the fraud loss

On the allocation of the $240,000 fraud loss, the trial judge was highly critical of Bue’s behaviour. She expressly found that his “naivete and ignorance is at the heart of this fraud,” that he had been “duped several times,” yet still chose to “cooperate fully” with fraudsters purporting to be from the FBI. She stressed that he both made purchases and deposited them into the fraudsters’ wallet “willingly,” and that he opened his computer and gave the “FBI” free access. She concluded that, had he disclosed any of these circumstances to HoneyBadger, the fraudulent scheme would have come to an “abrupt end.” Nevertheless, the judge did not place the entire loss on him. Instead, she held that HoneyBadger should also be partly responsible because it had allegedly failed to comply with clause 8 of the PAD agreement. She accepted Bue’s argument that the words in clause 8—“a password or security code or other signature equivalent will be issued”—obliged HoneyBadger to issue such a credential and to use it as part of a verification process before debiting his account. In her view, HoneyBadger had simply relied on email communications from the addresses he provided instead of creating and requiring a separate password or security code to authorise each PAD. She reasoned that if HoneyBadger had complied with this supposed obligation, the fraud would have been detected and the loss prevented. Drawing on a Québec Superior Court decision, Alfagomma Inc. v HSBC Bank Canada, where a bank and its client were found equally liable for a wire-transfer fraud under the Civil Code of Québec’s duty of prudence, she analogised and concluded both HoneyBadger and Bue were at fault. She held Bue liable for the initial $40,000 he admitted authorising, and for the remaining $200,000 she apportioned responsibility equally: $100,000 to HoneyBadger and $100,000 to Bue. This resulted in a net award of $140,000 to HoneyBadger (the $40,000 plus half of the $200,000) and $100,000 to Bue.

Appeal: Validity of the Bitcoin purchase agreements

On appeal, Bue cross-appealed on the threshold question of whether the two $100,000 transactions were valid contracts at all. He argued there was no consensus ad idem because he had never subjectively intended to be bound by those specific purchases, he had no knowledge of them when they occurred, the orders were initiated by unauthorised third parties, and he received no benefit because the Bitcoin never came into his control. The Court of Appeal rejected these arguments. It accepted the trial judge’s findings that there was a valid overarching “Transaction Agreement” formed by email, under which Bue agreed to a process: he would initiate purchases by email, HoneyBadger would obtain payment via the PAD, then quote a price and deliver Bitcoin to the wallet he identified. The judge had also found that each individual Bitcoin transaction was a “separate agreement” concluded when HoneyBadger quoted a price and received an email confirming acceptance and wallet details. The Court of Appeal held that nothing in contract law, or in the Transaction Agreement or PAD agreement, prevented Bue from delegating certain tasks (such as sending emails) to another person while remaining contractually accountable. It emphasised that the lack of his real-time awareness did not negate contract formation where he had voluntarily given the fraudsters control over the very mechanisms (computer, email accounts, wallet address) that the contract used for ordering and paying for Bitcoin. The Court also rejected his contention that there was no consideration because he did not personally receive the Bitcoin. Under basic contract and agency principles, the fact that a third party obtains the benefit does not invalidate the contract; at most it raises issues of privity if that third party seeks to enforce it. Moreover, the Court noted that agency law contemplates agents contracting for undisclosed principals or beneficiaries; and while FINTRAC guidelines may deal with undisclosed beneficiaries, any alleged non-compliance did not go to the elements of contract formation. Overall, the Court concluded that all six Bitcoin purchases, including the disputed $100,000 transactions, were made under valid contracts consistent with the Transaction Agreement and PAD arrangement.

Appeal: Allocation of liability and misapplication of legal principles

Having upheld the validity of the contracts, the Court turned to whether the trial judge had any legal basis to allocate part of the fraud loss to HoneyBadger. HoneyBadger argued that the judge had misapplied the governing common-law principles and had inappropriately imported a civil law duty derived from the Civil Code of Québec. The Court agreed. It identified the controlling common-law authority as Isaacs v Royal Bank of Canada, read in light of Marvco Colour Research Ltd. v Harris. Those cases articulate a principle for resolving who should bear a fraud loss among parties who are at least innocent of actual wrongdoing, but where one party’s carelessness has actively enabled the fraud. In Isaacs, a borrower agreed to be an accommodation mortgagor for a stranger and signed mortgage documents without reading them. When the stranger absconded with the funds, she attempted to shift blame to the bank, arguing it was better placed to detect the fraud. The Ontario Court of Appeal held that while the bank might have been careless, her conduct went further because she had taken affirmative steps that facilitated the fraud. As between the two, she was in the best position to prevent the loss and therefore had to bear it. Marvco, though decided in the context of the non est factum defence, expresses the same core idea: where two innocent parties are exposed to a fraud, the party whose own carelessness made the fraud possible must bear the loss, even if there was no formal duty of care owed to the other party. Applying these cases, the Saskatchewan Court of Appeal highlighted that the Isaacs principle does not call for a proportional or comparative negligence approach to apportioning losses between two “equally careless” victims. It instead asks whether one party’s conduct involved active participation that enabled the wrongdoers to inflict the loss, as distinct from mere passivity or inability to detect fraud. The Court found that on the trial judge’s own factual findings, Bue’s behaviour matched, and arguably exceeded, the level of “affirmative action” in Isaacs: he had been defrauded repeatedly, yet still opened his computer to strangers, gave them full remote access and his email passwords, allowed them to generate and control one of his email accounts, and directed HoneyBadger to send Bitcoin to a wallet entirely controlled by the fraudsters. The trial judge had explicitly found that had he disclosed any of this to HoneyBadger, the scheme would have come to “an abrupt end,” and that “but for” his carelessness HoneyBadger would not have drawn on the PAD or released the cryptocurrency. On those findings, the Court held that Bue was not merely careless; he “actively allowed a third party to defraud him” and therefore, under Isaacs and Marvco, must bear the loss.

Civil law duty of prudence and its inapplicability

The Court was particularly critical of the trial judge’s reliance on Alfagomma Inc. v HSBC Bank Canada, a Québec Superior Court case. In Alfagomma, the bank’s duties flowed from the Civil Code of Québec, specifically Article 1457, which creates a broad extra-contractual duty on “every person” not to cause injury to another and to act with reasonable prudence and diligence. Under that civil law framework, Québec courts have developed a concept that banks must exercise reasonable care, especially when faced with suspicious activity, and may be liable to their customers or even third parties when they fail to act on strong signs of misdealing. The Saskatchewan Court of Appeal stressed that Article 1457 has no application in Saskatchewan, which is a common law jurisdiction, and that its civil-law–based duty of prudence is “out of step” with common-law authorities such as Isaacs and Marvco. Moreover, the factual predicate for such a duty was absent here. The trial judge had herself found there was “nothing” in the transactions between Bue and HoneyBadger that would have raised alarms; the increasing size of purchases was consistent with normal customer behaviour, and HoneyBadger reasonably believed at all times that it was dealing with Bue. The Court therefore concluded that even if a civil-law-style prudence duty were hypothetically available at common law, it was not engaged on these facts. It held that the judge erred in law by importing the Civil Code of Québec framework and by using it to justify an equal split of the loss.

Interpretation of the PAD agreement and clause 8

Beyond the misapplied legal principle, the Court also found that the trial judge’s allocation of liability rested on a faulty interpretation of clause 8 of the PAD agreement. The judge had treated the PAD as a bilateral contract between Bue and HoneyBadger for Bue’s benefit and inferred that HoneyBadger was required to “issue” a password or security code as a form of authentication before debiting his account. On appeal, the Court engaged in a detailed contractual interpretation exercise, guided by Sattva Capital Corp. v Creston Moly Corp., which requires construing contractual language in its commercial and factual matrix. It noted that this PAD was a standard-form credit-union document produced by Central 1 Credit Union, and that by its own text it was “for the benefit of the Payee and Processing Institution” – that is, for the benefit of HoneyBadger and the credit union – not for Bue’s protection. The PAD implements the Payments Canada / CPA rules for pre-authorized debits, and its commercial purpose is to allow a payee to initiate automated funds transfers (AFTs) from a customer’s account with limited verification obligations on the processing institution. The Court pointed to clauses 9 and 10 of the PAD, which make clear that the credit union is not required to verify that a PAD has been issued in accordance with the agreement’s particulars, nor to verify that the purpose of the payment has been fulfilled, as a condition of honouring PADs issued by the payee. Properly read, clause 8 had two components. First, because PADs were “sporadic,” HoneyBadger was required to obtain an “authorisation” from Bue for each debit, consistent with the CPA definition of “Authorization” as a payor’s consent or agreement whose identity has been verified by “commercially reasonable methods.” Second, the sentence that “a password or security code or other signature equivalent will be issued and will constitute valid authorization” needed to be read in that context and in light of The Electronic Information and Documents Act, 2000, which treats an electronic signature as information that a person creates or adopts to sign a document. Considering the structure of the agreement, the definitions of “Payor,” “Payee,” and “Processing Institution,” and the fact that only Bue signed the PAD and only his account was being debited, the Court held that clause 8 is most logically interpreted as a promise by Bue that he will create or adopt a password, security code, or other electronic signature equivalent, and that when he uses it, it will constitute valid authorisation for his credit union to honour PADs issued by HoneyBadger. In other words, the PAD required Bue, not HoneyBadger, to generate the security credential; it did not impose any contractual obligation on HoneyBadger to create or send him a password as a prerequisite to debiting his account. On that proper construction, the Court concluded that HoneyBadger had not breached clause 8, and the trial judge’s finding of “non-compliance” was based on a palpable and overriding error in interpretation.

Would a security code have prevented the fraud?

The Court went further and held that, even if one accepted the trial judge’s (incorrect) assumption that HoneyBadger was supposed to issue a security code or password, the factual record did not support the conclusion that this would have prevented the fraud. The two disputed $100,000 purchase instructions came from his personal email account, which he had voluntarily given to the fraudsters. HoneyBadger corresponded by that same email, sending quotes, receiving confirmations, and confirming deposit to the wallet. If HoneyBadger had, hypothetically, issued a password or security code, the natural and most practical way for Bue to use it would have been to send it back to HoneyBadger through those same email communications. But given that the fraudsters already had full remote access to his computer and his email login credentials, there was no realistic reason to believe he would have either withheld the password from them or that they would have been unable to transmit it back to HoneyBadger. In short, a password-based authorisation mechanism would simply have been another piece of information the fraudsters could and likely would have exploited, given the degree of control Bue had allowed them over his systems. For that reason, the Court held there was “no foundation” in the evidence to support the judge’s view that compliance with clause 8, even on her interpretation, would have stopped the fraud.

Application of the Isaacs/Marvco principle to the facts

Having removed the civil-law duty and the alleged PAD breach from the equation, the Court applied the Isaacs/Marvco principle squarely to the facts as found by the trial judge. Those findings included that Bue had: invested substantial funds in a fictitious online “company” based on an internet advertisement; transferred more than $190,000 to a supposed foreign ministry in the hope of recovery; entertained contact by yet another entity (“Funds Recall”); then agreed to send $80,000 to a supposed FBI “cybersecurity division” via “dummy money transfers,” for which the fraudsters provided a wallet; granted them remote access to his computer and his email accounts; allowed them unsupervised control of those systems; provided no information to HoneyBadger about his prior frauds or the third-party nature of the wallet; and personally initiated several of the early Bitcoin purchases, directing HoneyBadger to the fraudsters’ wallet. All of this culminated in his silence about the true nature of his dealings and his continuing willingness to transact through the compromised email accounts and wallet. Against that background, the Court concluded that Bue’s conduct was more than passive negligence; it was active cooperation that “permitted the fraudsters to acquire $200,000 in cryptocurrency” beyond the sums he had already purchased on their behalf. In contrast, HoneyBadger had implemented a standard know-your-client process, followed a fixed and transparent transactional protocol, and had no reason to suspect that either the email accounts or the wallet address were compromised or controlled by anyone other than Bue. It therefore fell squarely within the “innocent party” category in Isaacs and Marvco. As between an innocent party and one whose careless, affirmative actions exposed the innocent party to fraud, the latter must bear the loss.

Final orders and significance of the decision

The Court of Appeal allowed HoneyBadger’s appeal and dismissed Bue’s cross-appeal. It set aside the King’s Bench judgment that had awarded Bue $100,000 and left HoneyBadger with only $140,000. In its place, the Court ordered that HoneyBadger is entitled to the full $200,000 still held by the Court of King’s Bench in Swift Current, representing the balance of the preserved funds after $40,000 had already been released to it on the basis of Bue’s admitted authorisation. It directed the local registrar to release the $200,000 to HoneyBadger once the 60-day period for seeking leave to appeal to the Supreme Court of Canada expires, provided Bue does not file a leave application. In addition to this substantive recovery, the Court awarded HoneyBadger its costs of the summary judgment application at first instance (on Column II of the King’s Bench tariff) and a single set of costs of the appeal and cross-appeal (on Column 3 of the Court of Appeal tariff), although the reasons do not quantify those costs in dollar terms. Taken together, the effect of the decision is that HoneyBadger emerges as the successful party, ultimately entitled to the entire $240,000 in disputed funds (the $40,000 already released plus the $200,000 ordered released on appeal), along with costs whose precise monetary amount cannot be determined from the judgment alone.