There has been another twist in the curious case of QuadrigaCX, a Canadian cryptocurrency exchange.
As we discussed in a recent episode of the “Smashing Security” podcast, QuadrigaCX was thought to be holding approximately $250 million CAD (US $190 million) in “cold storage” beyond the reach of hackers.
Now, normally that would be a good thing. After all, past hacks of cryptocurrency sites have proven that you’re more sensible to store digital currency somewhere hackers cannot easily access it, offline, and protected by a hard-to-crack password and strong encryption.
But things aren’t so good… if you can’t remember the password.
Or, in the case of QuadrigaCX, the problem isn’t so much that the password to the cold storage cannot be remembered, but rather that the only person who knew it had died.
As the company announced on January 14 2019, their CEO and co-founder Gerald Cotten had suddenly and unexpectedly died in India.
It is with a heavy heart that we announce the sudden passing of Gerald Cotten, co-founder and CEO of QuadrigaCX. A visionary leader who transformed the lives of those around him, Gerry died due to complications with Crohn’s disease on December 9, 2018 while travelling in India, where he was opening an orphanage to provide a home and safe refuge for children in need.
Gerry cared deeply about honesty and transparency–values he lived by in both his professional and personal life. He was hardworking and passionate, with an unwavering commitment to his customers, employees, and family.
Gerald Cotten, it was revealed in a court filing at the end of January, was the only one who knew the password to Quadriga’s cold storage… Meaning 115,000 cryptocurrency wallets were no longer accessible, and clients’ US $190 million worth of holdings could not be repaid.
(One has to presume they tried obvious possible passwords like “letmein”, “password1”, and “qwerty”.)
You can hear more about this case in the podcast we recorded with Jack Rhysider from the “Darknet Diaries”:
But now there’s a new twist in the tale.
As Wired reports, an investigation by Ernst & Young has revealed that the wallets in question were actually empty eight months before Cotten’s supposed death. As if folks weren’t suspicious enough about QuadrigaCX’s inaccessible millions before this turn of events…
Another Bitcoin exchange, Kraken, says it is offering a US $100,000 reward to anyone who can provide “information leading to significant progress or discovery of all or some of the missing client funds.” Kraken says it will pass any tips it receives on to law enforcement.
It’s hard to say right now if what happened at QuadrigaCX is a classic case of cock-up or conspiracy, but I would advise cryptocurrency investors to be very wary of trusting others to look after their cryptocurrency wallets. You should perhaps consider investing in your own personal hardware wallet instead.
And, if you are the one person in a company who knows a piece of crucial information or password, perhaps consider how others in your firm might be able to gain access to that data if you were ever to come to an unexpected sticky end.
Similarly, Google Inactive Account manager provides a way for you to share data with pre-designated individuals if you have been “inactive” for a certain period of time.
Of course, none of these methods are going to help much if the wallets have already been emptied…