SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

Crypto exchange in limbo after founder dies with password

By Danny Bradbury, Sophos

February 5, 2019

Customers of Canadian cryptocurrency exchange QuadrigaCX are missing over $250 million CAD in fiat and virtual currency (a total of around $190m in US dollars) after its founder died without telling anyone the password for his storage wallet.

QuadrigaCX enabled users to trade between fiat currency and cryptocurrencies including Bitcoin, Bitcoin Cash, Litecoin and Ethereum.

Gerry Cotten, the 30-year-old founder of the Vancouver-based exchange, passed away in India on 9 December 2018 due to complications from Crohn’s disease. In an affidavit to the Supreme Court of Nova Scotia, his partner Jennifer Robertson explained that cryptocurrencies had been stored in a cold wallet under his sole control.

In cryptocurrency trading, a wallet is a repository for cryptocurrency addresses that contain assets, along with private keys to access them. There are two kinds of wallet: hot, and cold.

A hot wallet is a software program connected to a blockchain, enabling it to make cryptocurrency transactions. A hot wallet can be vulnerable to hacking via software compromise.

A cold wallet stores address and private key details off the blockchain. It can take several forms. A paper wallet stores the details in writing, while a hardware wallet stores addresses and keys in a device. A cold storage wallet could even be a simple text file containing the appropriate addresses and keys. It can still be physically stolen, but because it isn’t connected to a blockchain it isn’t vulnerable to online compromise.

It is good practice for cryptocurrency exchanges to keep the majority of their funds in a cold wallet to stop them being hacked, and this is apparently what Cotten did. The mistake he made was in being so secure that he didn’t share the access details with anyone else. His untimely death left Robertson, who had not been previously involved with the company, unable to access the funds for the customers.

In the affidavit, which supported an application for bankruptcy protection for QuadrigaCX, Robertson said:

The laptop computer from which Gerry carried out the Companies’s [sic] business is encrypted and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere.

The company continues to try and access to cold storage, she went on. It has hired an external expert, Chris McBryan, to try and hack into Cotten’s computers. He is also trying – so far unsuccessfully – to access an encrypted USB key.

Cotten was the sole officer and director for the company, and Robertson explained in the affidavit that she couldn’t find any business records. The search for any pertinent business documents, along with access to Cotten’s computer, is ongoing.

Meantime, Robertson has been dealing with social media comments from those that refuse to believe Cotten is dead, accusing him or others of stealing the coins as part of an exit scam. She has received threatening messages and one person even messaged everyone in her Facebook contact list.

Further complications

To further complicate matters, QuadrigaCX had also been denied access to around CAD$25 million in funds following a dispute between CIBC (one of the Big Five banks in Canada) and one of its payment processors, called Costodian. This service, engaged by another payment processor of QuadrigaCX’s called Billerfy, had its accounts frozen by the CIBC bank after they became overdrawn. CIBC then refused to permit any other withdrawals from the Costodian account until it could be proven who owned the funds.

The money was held in trust by the court, which eventually accepted that it belonged to QuadrigaCX. It released the money as a bank draft to Costodian, which cannot find a bank to accept them. QuadrigaCX couldn’t open a bank account of its own in which to deposit the drafts either.

The details in the affidavit, uploaded by cryptocurrency news site Coindesk, showed just how much the back end of this cryptocurrency exchange was patched together. QuadrigaCX had no corporate bank accounts, but instead conducted all its business via personal ones. This is because Canadian banks didn’t want to deal with a cryptocurrency company, according to the affidavit.

If there’s one lesson that any cryptocurrency user should take away from this it is that you should limit the amount of ‘ready money’ lying around in an exchange. You should store cryptocurrency securely at home, offline, in a cold wallet. Then, decide how to backup the password so it can be reconstructed by your executors in the event of your death.

Terms of Use | Copyright © 2002 - 2019 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement