Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty

Graham Cluley


There has been another twist in the curious case of QuadrigaCX, a Canadian cryptocurrency exchange.

As we discussed in a recent episode of the “Smashing Security” podcast, QuadrigaCX was thought to be holding approximately $250 million CAD (US $190 million) in “cold storage” beyond the reach of hackers.

Now, normally that would be a good thing. After all, past hacks of cryptocurrency sites have proven that it’s more sensible to store digital currency somewhere hackers cannot easily access it: offline, and protected by a hard-to-crack password and strong encryption.

But things aren’t so good… if you can’t remember the password.

Or, in the case of QuadrigaCX, the problem isn’t so much that the password to the cold storage cannot be remembered, but rather that the only person who knew it had died.

As the company announced on January 14, 2019, their CEO and co-founder Gerald Cotten had suddenly and unexpectedly died in India.


It is with a heavy heart that we announce the sudden passing of Gerald Cotten, co-founder and CEO of QuadrigaCX. A visionary leader who transformed the lives of those around him, Gerry died due to complications with Crohn’s disease on December 9, 2018 while travelling in India, where he was opening an orphanage to provide a home and safe refuge for children in need.

Gerry cared deeply about honesty and transparency–values he lived by in both his professional and personal life. He was hardworking and passionate, with an unwavering commitment to his customers, employees, and family.

Gerald Cotten, it was revealed in a court filing at the end of January, was the only one who knew the password to Quadriga’s cold storage… Meaning 115,000 cryptocurrency wallets were no longer accessible, and clients’ US $190 million worth of holdings could not be repaid.

(One has to presume they tried obvious possible passwords like “letmein”, “password1”, and “qwerty”.)

You can hear more about this case in the podcast we recorded with Jack Rhysider from the “Darknet Diaries”:

Smashing Security #114: 'Darknet Diaries, death, and beauty apps'


But now there’s a new twist in the tale.

As Wired reports, an investigation by Ernst & Young has revealed that the wallets in question were actually empty eight months before Cotten’s supposed death. As if folks weren’t suspicious enough about QuadrigaCX’s inaccessible millions before this turn of events…

Another Bitcoin exchange, Kraken, says it is offering a US $100,000 reward to anyone who can provide “information leading to significant progress or discovery of all or some of the missing client funds.” Kraken says it will pass any tips it receives on to law enforcement.

It’s hard to say right now if what happened at QuadrigaCX is a classic case of cock-up or conspiracy, but I would advise cryptocurrency investors to be very wary of trusting others to look after their cryptocurrency wallets. You should perhaps consider investing in your own personal hardware wallet instead.

And, if you are the one person in a company who knows a piece of crucial information or password, perhaps consider how others in your firm might be able to gain access to that data if you were ever to come to an unexpected sticky end.

Password managers like LastPass and Dashlane allow you to grant emergency access to individuals you have approved in advance.

Similarly, Google’s Inactive Account Manager provides a way for you to share data with pre-designated individuals if you have been “inactive” for a certain period of time.

Of course, none of these methods are going to help much if the wallets have already been emptied…

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
