Slashdot Mirror

← Back to Stories (view on slashdot.org)

Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave (arstechnica.com)

Posted by BeauHD on from the no-good-very-bad-day dept.

A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers' assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it's tied up in disputes with third parties. Ars Technica reports: The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX's sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn's disease in India in December at the age of 30. Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a "cold wallet," meaning a digital wallet that wasn't connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars. Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers. "The laptop computer from which Gerry carried out the Companies' business is encrypted, and I do not know the password or recovery key," Robertson wrote. "Despite repeated and diligent searches, I have not been able to find them written down anywhere."

The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners has tied up most or all of an additional $53 million in assets. Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten's death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.

42 of 252 comments (clear)

  1. Banking by the seat of your pants. by Fly+Swatter · · Score: 4, Insightful

    This is why well established insured banking establishments are used. But hey, it was your money - do what you want with it, they didn't!

    1. Re:Banking by the seat of your pants. by zlives · · Score: 4, Funny

      did they check the bottom of the keyboard...

    2. Re:Banking by the seat of your pants. by Locke2005 · · Score: 2

      It's usually a post-it note in the top drawer... that's how I "hacked" the Admissions and Records office at the college I went to! (True story!) I then got in trouble for playing games using the Admissions and Record's account (strangely, games were disabled for student accounts but not for staff).

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Banking by the seat of your pants. by zlives · · Score: 4, Insightful

      outlook contacts -notes field was the big find for me... you wouldn't believe how many people use their contacts for saving auth credentials. biggest reason third party mobile apps skimming contacts was an actual topic of conversation with our BYOD deployment.

    4. Re:Banking by the seat of your pants. by ShanghaiBill · · Score: 4, Insightful

      When cryptocoins are lost, the value of the remainder go up. The net loss is zero. If your coin stash was at QuadrigaCX, you lost. If it wasn't, you win.

    5. Re:Banking by the seat of your pants. by PopeRatzo · · Score: 4, Insightful

      When cryptocoins are lost, the value of the remainder go up. The net loss is zero. If your coin stash was at QuadrigaCX, you lost. If it wasn't, you win.

      But when you realize that the entire worth of your bitcoin portfolio can disappear because of someone's stupid behavior and nobody is accountable then everyone who trades in bitcoin loses.

      --
      You are welcome on my lawn.
    6. Re:Banking by the seat of your pants. by NFN_NLN · · Score: 5, Informative

      > But when you realize that the entire worth of your bitcoin portfolio can disappear because of someone's stupid behavior

      Don't use an exchange. You can opt to manage a wallet yourself so you're only beholden to your own stupidity.

    7. Re: Banking by the seat of your pants. by PopeRatzo · · Score: 2

      People are trying to be taken seriously here

      You must be new.

      --
      You are welcome on my lawn.
    8. Re:Banking by the seat of your pants. by Harvey+Manfrenjenson · · Score: 2

      Indeed. As a casual observer this sort of thing makes me absolutely uninterested in participating in any unregulated Bitcoin exchange, not that I had any significant level of interest to begin with. I was curious so I looked at a bitcoin price chart-- doesn't seem to have dropped in response to this news, which is surprising.

    9. Re:Banking by the seat of your pants. by Rockoon · · Score: 3, Funny

      I just can't keep all these new gender pronouns straight.

      Because the new pronouns arent for straight people

      --
      "His name was James Damore."
    10. Re:Banking by the seat of your pants. by vtcodger · · Score: 2

      One possibility is that the price of Bitcoin is being manipulated. Ordinarily, I don'r find conspiracy theories very credible. But because of the poor visibility into who "owns" (i.e. controls) which units of Bitcoin it appears at least theoretically possible for malevolent individuals/organizations to manipulate Bitcoin markets. e,g https://www.cnbc.com/2018/06/1...

      Would "they" do that? If "they" can, "they" probably would.. The world of cryptocurrency is for sure a digital bad neighborhood.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    11. Re:Banking by the seat of your pants. by Joce640k · · Score: 4, Insightful

      "... I do not know the password or recovery key,"

      Yeah, right.

      --
      No sig today...
    12. Re:Banking by the seat of your pants. by squiggleslash · · Score: 2

      Normal people: "It turns out that with Bitcoin you can lose millions if you lose a password, someone just did!"
      Bitcoin advocates: "This is good news for Bitcoin!"

      --
      You are not alone. This is not normal. None of this is normal.
    13. Re:Banking by the seat of your pants. by fropenn · · Score: 2

      It's not complicated. Just ask the person what pronoun would be preferred. Done.

  2. Only one person with password? by jfdavis668 · · Score: 3, Insightful

    $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

    1. Re:Only one person with password? by Anonymous Coward · · Score: 2

      Anybody else think this is a scam? Hell, even if the original guy is dead, this leaves the possibility for a huge windfall to whoever he decided to share it with.

      Gotta love pirates, thar's truth in them thar words, "Dead men tell no tales" arrrgh

    2. Re:Only one person with password? by bobbied · · Score: 4, Insightful

      $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

      What kind of security is this?

      TRUE security requires TWO factors (or more) so why in blazes didn't they store multiple copies of the key where multiple people have only part of the key? Then your backup to this "offline key" is having multiple partial copies of it in different hands, with the assurance that at least TWO or more people would be required to agree to provide their portion of the key to open the encrypted file.

      Handing any one person the key for "safe keeping" is stupid. You should always have accountability and require agreement of more than one person for such things.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Only one person with password? by dmesg0 · · Score: 2

      Such scam is impossible to hide: the cold wallets are very easy to trace (the blockchain database is visible to anyone), but impossible to withdraw without knowing the private key.

  3. Re:Lowest possible amateur level by zlives · · Score: 4, Interesting

    or she gots the wallet and now everyone else is on a wild goose chase... how can anyone prove otherwise, including her.

  4. Re:They say.... by Narcocide · · Score: 2

    And will any of us be as sorely missed as he? Probably not.

  5. Re:Lowest possible amateur level by Narcocide · · Score: 4, Interesting

    Well, it could have been worse. The money could all have been stolen. At least this way they know where it is. In a sense, it is still perfectly secure, too...

  6. Re:Did he REALLY die? by Barny · · Score: 5, Informative

    See, now this is the thing. Crohn's disease doesn't kill you. I have it, and as you can imagine I looked into what it does that will eventually kill you. It doesn't.

    Since it's an autoimmune disease, however, you need to take two kinds of meds to deal with it:

    Anti-immune drugs
    Anti-inflamatory drugs

    Unless he had a severe reaction to either, the main killer of a crohn's sufferer is infection due to lowered immune system. While this definitely is dangerous, like diabetic patients it is drummed into you that if you get ANY kind of infection, you go straight to hospital to have it dealt with.

    If the person died, they died of stupidity (either their own or whatever doctor they ran to not taking it seriously enough), but they didn't die of crohn's disease.

    --
    ...
    /me sighs
  7. Re:Did he REALLY die? by Narcocide · · Score: 2

    The only real mystery is how he survived this long with such a huge target hanging around his neck.

  8. Re:Did he REALLY die? by gweihir · · Score: 4, Insightful

    Well, it is probably not that hard to get an official death certificate in India while still alive.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Dunning-Krugerrands by MAXOMENOS · · Score: 4, Funny

    I don't know who coined this term, but given the very expensive rookie mistakes I keep seeing, not to mention the claims of security that keep falling apart, the term "Dunning-Krugerrand" for BitCoin seems apt.

    --
    Finding God in a Dog
  10. Schadenfreude by Brannon · · Score: 5, Insightful

    I'm not proud to say that one of the things I find most satisfying is watching anti-establishment types painfully discover why the establishment exists.

    Yep, this is why we have real banks, dummies.

    1. Re:Schadenfreude by ewibble · · Score: 2

      Why do you think banks don't do stupid things with security, I used to work for a bank and I assure you they do. Ok when the screw up they get bailed out by the public, that is better? maybe? The lesson here is you need base your trust in the company that you invest in on something, that should require having transparency of process. also, was there a backup for this laptop?

    2. Re: Schadenfreude by SirSlud · · Score: 4, Insightful

      It's because of insurance. No system, company, etc is perfect. Of course banks do stupid shit. But they're insured. It's the social arrangements that make them valuable, not that they're magically filled with perfect people.

      --
      "Old man yells at systemd"
    3. Re:Schadenfreude by Anonymous Coward · · Score: 2, Insightful

      I think it's more what happens when establishment types go and recreate the establishment, poorly. The whole point of cryptocurrency is that it's decentralized; there's a hash that you hold yourself either electronically or written down which the network recognizes as having value. Why would you then give your money over to someone who maintains a centralized spreadsheet? It's not like these coin exchanges do loans to earn a return on idle money.

    4. Re: Schadenfreude by swillden · · Score: 2

      It's because of insurance. No system, company, etc is perfect. Of course banks do stupid shit. But they're insured.

      It's got nothing to do with insurance. Banks aren't insured against stupidity. Smallish demand-deposit accounts are insured by the FDIC against bank insolvency, but that isn't really relevant to why these kinds of things don't happen to banks.

      The real reason that this isn't a problem for traditional banks is that mistakes -- and fraud -- are nearly always reversible, because the security and integrity of the systems is based on auditability, not on perfect correctness. If Chase had accidentally deleted a row in their ledger system that held $137M (I'm sure it's happened plenty of times), they can examine the transaction logs and recover the state. And even if they somehow lost their logs, and all of their backups (data that needn't be kept secret is much easier to back up), all of the parties they transact with have their own logs, and can prove what money should have been where.

      BTC is an interesting case because the transaction ledger is intact (the blockchain is a transaction ledger, no more, no less), but the identities that transact are defined by the ability to produce cryptographic signatures., and in this case the keys that define those entities have been lost.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Re:Lowest possible amateur level by godel_56 · · Score: 2

    Well, it could have been worse. The money could all have been stolen. At least this way they know where it is. In a sense, it is still perfectly secure, too...

    And it's perfectly safe because the only copy is stored on a laptop.

  12. Re:Did he REALLY die? by bobbied · · Score: 4, Informative

    It most surely *can* kill you.. True, it can usually be managed if you *know* what it is... However, not everybody who has it, knows what it is and is being properly treated for it.

    And yes, I have experience with this. My Mother in law has Crohn's and she very nearly died from it. They mis-diagnosed the problem and her gut leaked for days until they opened her up to take a look. She lost the majority of her small intestines, all of her colon and spent nearly a year in the hospital, half in a coma in intensive care. She now must be given IV fluids every other day and can barely get enough nutrition to stay alive eating.

    It was woefully managed by her doctors, but Crohn's all but killed her.

    So I'm not as ready to dismiss this story as impossible. It most assuredly IS possible.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  13. Re:Did he REALLY die? by HornWumpus · · Score: 3, Funny

    Likely easier than after you're dead. Bribes don't pay themselves.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  14. Rest of the quote by 93+Escort+Wagon · · Score: 3, Funny

    “Despite repeated and diligent searches, I have not been able to find them written down anywhere. I am forced to proceed to the next stage of the recovery plan - spending long periods at numerous luxury villas around the globe, tirelessly searching for the location of that elusive password! Do not despair... I will not halt my efforts, no matter how many decades it may take, until your funds are completely spent. I mean RECOVERED. Yes, recovered is the word I was looking for.“

    --
    #DeleteChrome
  15. Re:Did he REALLY die? by dnaumov · · Score: 2

    What on Earth could possibly make you think crypto is untraceable? The whole point of a PUBLIC blockchain is literally the opposite.

  16. Re:Lowest possible amateur level by Kjella · · Score: 2

    And it's perfectly safe because the only copy is stored on a laptop.

    Where the money is located is on the blockchain that's distributed for the whole world to see. They can point to it and say here's our cold wallet with the $137 million that we lost the key to. It wouldn't bring the money back but it would prove nobody else took it as part of a scam. Now if they say we don't know where the cold wallet is and that information was only on the laptop too then I'm thinking exit scam.

    --
    Live today, because you never know what tomorrow brings
  17. Re:Did he REALLY die? by Barny · · Score: 2

    Fair point. But I imagine it doesn't "suddenly" kill. I had symptoms of crohn's disease for six months before the anal bleeding actually started (that's kinda a good wakeup call). My doctor had it diagnosed within a week (colonoscopy) and had me on powerful anti-inflammatory drugs, anti-immune drugs, and antibiotics.

    The immune inhibitors suck ass pretty badly, but not as much as the pain when you're not on them.

    I guess I should have included a statement that "sudden" death from crohn's doesn't happen, and death from it is unheard of if it is being managed properly.

    --
    ...
    /me sighs
  18. Re:Did he REALLY die? by quantaman · · Score: 2

    Did he actually die...?

    Just think about the implications of $137mil of untraceable funds that aren't strictly controlled by any national regulations.

    It seems a bit suspicious:

    As many as 115,000 account holders are owed $250 million, which is locked up in “cold storage” only accessible to the recently deceased founder and CEO, Gerald Cotten

    At the time of the bankruptcy filing, QuadrigaCX held 26,500 Bitcoin worth $120 million, 430,000 Ether worth $60 million and several million dollars worth of Bitcoin Cash SV, Bitcoin Gold, and Litecoin, according to court documents.

    QuadrigaCX’s troubles started early last year when CIBC froze accounts affecting 388 customers worth $28 million, citing confusion about ownership of those funds. Those funds were finally released by an Ontario court in December, according to a statement from QuadrigaCX.

    Just days later, Jennifer Robertson announced that her husband Gerald Cotten, 30, had died of complications due to Crohn’s disease in India on Dec. 9, while opening an orphanage.

    So already we seem to be looking at a gap of 250 - (120 + 60 ( +28 ? ) ) either 30 or 60 million if I'm reading properly, and then in the midst of these legal issues he's off in India opening an orphanage when he suddenly dies.

    Then again this shouldn't be a subject of debate. It's not the 1800s, if someone dies in India the body is repatriated as a standard practice.

    If there's a body it's trivial to confirm it's him and it lays some really ugly speculation to rest. If there's no body then a new batch of questions pop up.

    Btw, I'm guessing the identity of those "lost" coins are known, if he were faking I don't think he'd be able to dip very far into that bank before people figured out what was happening.

    --
    I stole this Sig
  19. Re:nice by Hognoxious · · Score: 4, Funny

    You can't recoop money, only chickens.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  20. Re:Lowest possible amateur level by thegarbz · · Score: 2

    how can anyone prove otherwise

    Maybe if Bitcoin had some sort of public ledger we can establish if anyone ever accessed the funds... It's a shame they didn't implement such a feature.

  21. Re:Lowest possible amateur level by willaien · · Score: 2

    Indeed. In fact, there's some evidence that coins are being transferred out of some of the "cold" wallets. https://cointelegraph.com/news...

  22. Re:When the keystone cops are your banker... by ichimunki · · Score: 2

    If they both disappear at the same time, it's an obvious scam and scrutiny will be intense. Either they are waiting for the heat to die down before she joins him or like you said, she's just a patsy in all this.

    --
    I do not have a signature