A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers’ assets following the sudden death of its founder, who was the only person known to have access the the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it’s tied up in disputes with third parties.
The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX’s sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn’s disease in India in December at the age of 30.
Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a “cold wallet,” meaning a digital wallet that wasn’t connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars (Ars has reported on three such thefts here, here, and here.)
Thursday’s court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers.
“The laptop computer from which Gerry carried out the Companies’ business is encrypted, and I do not know the password or recovery key,” Robertson wrote. “Despite repeated and diligent searches, I have not been able to find them written down anywhere.”
The widow went on to say she has hired experts to attempt to decrypt the laptop. One of the experts “has profiled Gerry and attempted to hack into Gerry’s computers. In addition, an encrypted USB key has been provided to the expert, which has not yet been able to be accessed.”
The expert, she added, has already accessed Cotten’s personal and work email accounts and is now trying to gain access to an encrypted email account. Cotten also used an encrypted messaging system, but the chances of successfully reading the communications appear dim because, the expert has reported, “messages would disappear from the encrypted messaging system after a short period.”
The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners has tied up most or all of an additional $53 million in assets. Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten’s death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.
The debacle should be unthinkable for any financial institution, but sadly it’s just one of many similar issues to hit a cryptocurrency exchange in recent years. Attorney, educator, and lawyer Pamela Morgan penned an article in 2015 outlining the disaster preparedness steps cryptocurrency holders should take to ensure they can recover digital tokens when unexpected events strike. Based on Robertson’s sworn testimony, it’s a good bet QuadrigaCX didn’t follow any of these best practices. It’s an equally good bet that most competing exchanges don’t either. And that raises questions about the judgement of people who continue to entrust their funds with these services.