Slashdot Mirror


Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave (arstechnica.com)

A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers' assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it's tied up in disputes with third parties. Ars Technica reports: The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX's sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn's disease in India in December at the age of 30. Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a "cold wallet," meaning a digital wallet that wasn't connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars. Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers. "The laptop computer from which Gerry carried out the Companies' business is encrypted, and I do not know the password or recovery key," Robertson wrote. "Despite repeated and diligent searches, I have not been able to find them written down anywhere."

The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners have tied up most or all of an additional $53 million in assets. Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten's death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.


  1. Banking by the seat of your pants. by Fly+Swatter · · Score: 4, Insightful

    This is why well established insured banking establishments are used. But hey, it was your money - do what you want with it, they didn't!

    1. Re:Banking by the seat of your pants. by zlives · · Score: 4, Insightful

      outlook contacts -notes field was the big find for me... you wouldn't believe how many people use their contacts for saving auth credentials. biggest reason third party mobile apps skimming contacts was an actual topic of conversation with our BYOD deployment.

    2. Re:Banking by the seat of your pants. by ShanghaiBill · · Score: 4, Insightful

      When cryptocoins are lost, the value of the remainder goes up. The net loss is zero. If your coin stash was at QuadrigaCX, you lost. If it wasn't, you win.

    3. Re:Banking by the seat of your pants. by PopeRatzo · · Score: 4, Insightful

      When cryptocoins are lost, the value of the remainder goes up. The net loss is zero. If your coin stash was at QuadrigaCX, you lost. If it wasn't, you win.

      But when you realize that the entire worth of your bitcoin portfolio can disappear because of someone's stupid behavior and nobody is accountable then everyone who trades in bitcoin loses.

      --
      You are welcome on my lawn.
    4. Re:Banking by the seat of your pants. by Joce640k · · Score: 4, Insightful

      "... I do not know the password or recovery key,"

      Yeah, right.

      --
      No sig today...
  2. Only one person with password? by jfdavis668 · · Score: 3, Insightful

    $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

    1. Re:Only one person with password? by bobbied · · Score: 4, Insightful

      $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

      What kind of security is this?

      TRUE security requires TWO factors (or more) so why in blazes didn't they store multiple copies of the key where multiple people have only part of the key? Then your backup to this "offline key" is having multiple partial copies of it in different hands, with the assurance that at least TWO or more people would be required to agree to provide their portion of the key to open the encrypted file.

      Handing any one person the key for "safe keeping" is stupid. You should always have accountability and require agreement of more than one person for such things.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Re:Did he REALLY die? by gweihir · · Score: 4, Insightful

    Well, it is probably not that hard to get an official death certificate in India while still alive.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Schadenfreude by Brannon · · Score: 5, Insightful

    I'm not proud to say that one of the things I find most satisfying is watching anti-establishment types painfully discover why the establishment exists.

    Yep, this is why we have real banks, dummies.

    1. Re: Schadenfreude by SirSlud · · Score: 4, Insightful

      It's because of insurance. No system, company, etc. is perfect. Of course banks do stupid shit. But they're insured. It's the social arrangements that make them valuable, not that they're magically filled with perfect people.

      --
      "Old man yells at systemd"
    2. Re:Schadenfreude by Anonymous Coward · · Score: 2, Insightful

      I think it's more what happens when establishment types go and recreate the establishment, poorly. The whole point of cryptocurrency is that it's decentralized; there's a hash that you hold yourself either electronically or written down which the network recognizes as having value. Why would you then give your money over to someone who maintains a centralized spreadsheet? It's not like these coin exchanges do loans to earn a return on idle money.