QuadrigaCX Chain Analysis Report (Pt. 1): Bitcoin Wallets

By Zerononcense

This report provides an in-depth analysis of QuadrigaCX’s Bitcoin holdings.

The exposition of this report’s context will be added to the top of this document at a later time in the near future. For the time being, the information provided below will be a collection of all evidence, wallet addresses and other pertinent, relevant facts collected during the investigation of QuadrigaCX’s Bitcoin holdings.

Below are the findings made by the author of this report:

  1. It appears that there are no identifiable cold wallet reserves for QuadrigaCX.
  2. It appears that QuadrigaCX was using deposits from their customers to pay other customers once they requested their withdrawal.
  3. It does not appear that QuadrigaCX has lost access to their Bitcoin holdings.
  4. It appears the number of bitcoins in QuadrigaCX’s possession are substantially less than what was reported in Jennifer Robertson’s (wife of allegedly deceased CEO and Owner Gerry Cotten) affidavit, submitted to the Canadian courts on January 31st, 2019.
  5. At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.
  6. After completing the analysis, it is the author’s opinion that QuadrigaCX has not been truthful with regards to their inability to access the funds needed to honor customer withdrawal requests. In fact, it is almost impossible to believe that this is the case in lieu of the empirical evidence provided by the blockchain.

The investigation involved in-depth research into the Bitcoin, and Ethereum wallets of QuadrigaCX. We will begin with Bitcoin.

Most of the transaction information from customers at QuadrigaCX was aggregated from the following Reddit thread (created by the author):

There is a possibility that there may be fraudulent representations of the author of this research in order to obfuscate/skew information and distort the narrative.

To verify and validate the author’s identity — consult these sources: Twitter, Telegram, and Reddit.

Any information or posts that are not reflected through one of these sources should be seen as illegitimate.

Since the wallet addresses for QuadrigaCX were widely unknown, deposit information from customers was aggregated from the Reddit thread posted above as well as information shared through direct message.

At the onset of this endeavor, only 100% verified transactions with the exchange were consulted in order to ascertain more information about QuadrigaCX’s holdings. These initial addresses were verified using personal identifying information from a few select sources that served as volunteers. The original sources also provided substantial proof that they were indeed customers at QuadrigaCX and had initiated deposits with the exchange. Using this information, the author was then able to ascertain a few known locations that QuadrigaCX had used to either store or send Bitcoin.

Once these initial addresses that QuadrigaCX used were verified, they were then used as a baseline to validate all additional information being submitted by the community at large.

All identities of those that contributed information to this endeavor are omitted from this report with respect to their anonymity.

In the process of aggregating information, the following Bitcoin wallet addresses are a small sample of all those that were confirmed to belong to QuadrigaCX:

  1. 36aenge8ZXwjRxHvtbt3HkvJRzxPNnMfeY
  2. 3Hz4NRi2fMZkUrfJXUbYygi5zoo86QXGg6
  3. 3FtVrDgvnhfAiGNHKazmjNwC7kBbT9fktX
  5. 358ugsYE2hKDr8Bcyob5TUXgc5n5FHxtjj
  6. 3HVkrkZj7YNscV6KrtaSpWPSGVqVum6RAR
  7. 3FYCpaMxvZ5dX8VCyUwcTkuCvteAUgys3c
  8. 3Bei6hrKrsbE2NTg9gNXwRP6EVPmYcZ7Zx
  9. 3LZfJoPiZGUt5cDAsFwibVFLyjMbq1H2Us
  10. 33x4GqFGJi4fu3WEKNk7qQ6bF3uzyATqS8
  11. 39b59sQb4azPuUdoEXtUL7K2QQLQzC9knT
  12. 3Q8KJEBP58wVK4RDgeuPAKgi5vZQHcUAYu
  13. 3HyNBSg8HjbxUuycfiJ8cU4dfNTYeSrGpA
  14. 3J1ywusNW48i9qAWGeXwh4CURii7ieoZUv
  15. 3NAWo2VV2XSmxckfG8xinrtJ46queEp1w7
  16. 35gtPDp3nvACjLPFg2PC1mXsgfaoYYjFSX
  17. 35r88wsFESp4CXmwKRnXPykTARwWnVH1sq
  18. 3JEasHVpmkn9Vivf1KEhJEXJjrGF1KejpJ
  19. 3MNaurs8trMJmJwZewSB1gY7dmDgCziris
  20. 335hbW2xXygr7rrmoddchYjchzykiYtELw
  21. 3LGgMA2uw6VWyCQ8U2dM6GAaNAKzRr9Wrr
  22. 34hoZWYmv4WnoUDzV4BQvvFAcwUbL54G5X
  23. 36qBVXUpZB8ByHo1cqEyTSRa9V3bSrLdXa
  24. 3PssBQxdXoq2HLrD8W56QZNi7eH2vko4mB
  25. 3KYEyqY2av6PzbAKwJvLsT4wKRPrnsV8Mu
  26. 35pnEcngU5SnRViZNHiAFRqUuXAWJtVBhD
  27. 3FWxEN9ebgnbCvZqLK6mbmZ5f8PAtT4nEJ
  28. 35k2kwnn1Uhk55ZCVUzRpWKrdGeNobYsHm
  29. 3MVfvS31Si4oiK8sTn5TuHt59bQyZUoebM
  30. 34jprabSiFXPiFuDBmzzVwf2B19MiUU6Ld
  31. 3L5t5tzjsgqRbdWVdgBNTQJM48LhhSMf7o

These above addresses (among several others) were saved into an excel spreadsheet. The Google Drive link to this spreadsheet will be spread in the very near future (see note at the bottom of this piece about expediting the release of information for the benefit of customers at QuadrigaCX).

The benefit of WalletExplorer is that the original creators were knowledgeable about the Hierchical Deterministic (HD) wallet structure of many of the most popular wallet providers for the Bitcoin protocol.

In fact, WalletExplorer was created and is still ran by Chainalysis. It does not contain the exact same suite of tools, unfortunately, but the same analysis can be performed — it just requires a bit more manual labor.

HD wallets are built by wallet providers and they come with the added feature of producing/creating millions of different wallet addresses. The purpose of these wallets is to help enhance user security by providing a different, unique wallet address for each transaction that the user makes.

Given the fact that it is more than likely true that QuadrigaCX used such wallets for the management of client funds on their exchange, tracking each wallet on a one-by-one basis would be a futile and infeasible effort.

However, the website, walletexplorer.com, is able to prevent this time expenditure.

Walletexplorer.com is able to associate wallet addresses with related transactions via a process called ‘address clustering’.

For more information about how address clustering, the following source should prove sufficient:

QuadrigaCX’s main ‘hot’ clustered wallet address was determined to be:

This finding was further reinforced and validated by using the transaction information from dozens of customers that had provided over 100 Bitcoin transaction IDs, deposit and withdrawal wallet addresses altogether.

Each one of the wallets listed above were either directly sent to the cluster address or had at least part of the deposited funds sent to the cluster address at some point in time.

  1. None of the withdrawal addresses provided by customers led to a wallet that could be considered anything comparable to a ‘reserve’ wallet.
  2. The beginning number of the wallet addresses (‘3’) denotes that the wallets used by QuadrigaCX all had multi-signature capability. Whether this security feature was deployed or not, however, is unknown.
  3. After analyzing the cluster address, there is no indication that QuadrigaCX ever held a substantial amount of capital (>100 $BTC) in their possession.

The key takeaway from the deposit information provided by customers is that QuadrigaCX more than likely never held enough $BTC to account for the customer funds. In the next section, the customer withdrawal information related to $BTC transactions on the exchange reflect that QuadrigaCX was clearly re-routing payments from customers to satisfy withdrawal requests from other customers on their exchange, effectively operating a shell exchange or a ponzi.

Again, more screenshots and walkthroughs of the actual addresses will be provided shortly. For time’s sake and in hopes of providing strong leads for the rest of the community, the aggregated deposit address information from QuadrigaCX customers as well as the discovered ‘hot’ cluster wallet address for QuadrigaCX has been listed so that readers may independently verify this information in the meantime.

After verifying the cluster address, an attempt was made to locate the existence of a potential cold wallet address.

In order to do so, the author of this study also extracted significant information from customers regarding their withdrawals at QuadrigaCX.

In specific, this section will analyze that withdrawal information and examine conclusions (if any) can be made from it.

Let’s start with a batch of withdrawal transaction ID’s submitted by QuadrigaCX customers. Again, this information was verified independently via chain analysis by checking time stamps, reported amounts, and the flow of transactions from and to known wallet addresses on the Bitcoin protocol, specifically those positively identified as belonging to QuadrigaCX.

  1. 2e31256d6e5c6b549f4a1a3640e591fd07782115cd5d7037689a24c2cfba4812
  2. ce754512ae789f630399524477e7cfab8059dcb81130fd9d95fee898118d9d4a
  3. 20c3a34539964e5e13116ec48520f7835ca7c49fe1693f1c2e17abcf96a54f35
  4. 43764980ce045528e4c3297b737c97368925ecb67efda7514a09362899bdec68
  5. fed9ab175eefe90aa3635c8986c45f50063459050c003c34061d98312ac6feb3
  6. d3b8c635bd070211df6d9129af5aeb6cc2b46220b68c27b362aae84d8df6130d
  7. 18504732321d6478acd3c91f01096eac6bd327528ab54f4fca6ed162fa7e22e9
  8. cbe6ab34a527b8a90a227f2ccab84e98c6ed1438f8c5e02db069c8ff0dc66d13
  9. 88f92e37b564c6f7a172b87cb5e5c377334a189722886d0f4a5fb24782af59fd
  10. 6bf41d5ebbc927ded85d202ddd0d1bd837e944868eee8c24e5a10c0d8e3858c2

The above ten transaction IDs were selected from a host of several dozen verified transaction IDs sent by former clients at QuadrigaCX’s exchange and they have been verified independently as well.

To get a better idea of the methodology that QuadrigaCX employed to send customers requested withdrawal amount of bitcoins, we’ll look at the first transaction ID provided above (2e31256d6e5c6b549f4a1a3640e591fd07782115cd5d7037689a24c2cfba4812)

If we visit https://walletexplorer.com and input this transaction ID, we should see the following screen:

The customer requesting a withdrawal requested the .32737521 $BTC amount in the transaction above.

This is annotated in the screenshot below for convenience:

What is particularly noteworthy in the screenshot above is that the funds were sent from a cluster address that was created no more than 4 hours beforehand.

The first amount shown in the transaction log of this cluster address [72714eea7af9c022] is negligible (0.00679 $BTC). However, the second (1.20771943 $BTC) was not.

Therefore, that cluster wallet was pursued.

The following chain of links were followed:

  1. https://www.walletexplorer.com/wallet/05e981e66fadc1f0 ; This was yet another cluster address with a relatively small number of bitcoins (1.20811207 $BTC) in it before they were all sent. The last in-flow of currency into the wallet was made on September 28th, 2018.
  2. https://www.walletexplorer.com/wallet/f69188b0061ce118 ; This cluster address contained only 0.37663 $BTC in it, which was transacted into the cluster address on February 23rd, 2018.
  3. https://www.walletexplorer.com/wallet/1e0b3ff0013f2b2b ; This link was derived by following the only incoming transaction into the cluster address found in #2.

#3 was most interesting, because it does not appear to be a personal wallet from a customer. . This is indicated by the numerous cluster wallets that have been positively identified as belong to other exchanges via research and verified wallet identifications.

Further analysis of the cluster wallet addresses show that it was receiving money from personal wallet addresses belonging to clients or from client accounts on different exchanges. This conclusion was made by analyzing the cluster addresses that had sent funds to the cluster address depicted above. The pattern of transactions in those wallets largely matched those of confirmed customer wallet addresses.

The above analysis led to the conclusion that the overarching cluster wallet that granted the customer their withdrawal request (72714eea7af9c022) was only able to do so after aggregating funds from other customers that had deposited on to the exchange.

More specifically, it appears that the exchange had attempted to create individual cluster wallets for customers at one point in time, yet found itself in a situation (more toward the end of 2018), where customer funds that had originally been apportioned for others were eventually redirected to compensate new customers requesting their withdrawals.

This is evidenced by the fact that the specific TX that was analyzed in this case (2e31256d6e5c6b549f4a1a3640e591fd07782115cd5d7037689a24c2cfba4812) that serves as the base point for examining how a customer received their funds from the QuadrigaCX exchange reflects the following:

  1. QuadrigaCX did not have a designated hot or cold wallet to send the customer their funds. In specific, they were forced to aggregate funds from disparate, disorganized locations in order to ensure that the withdrawal was successful.
  2. Since the funds came from various, unrelated customer deposits located in disparate cluster wallet addresses, it is more than likely that bitcoins which were originally apportioned for specific customers had to be redirected in order to satisfy customer withdrawals.

It is worth noting that there is no guarantee that the above analysis represents a factual truth for QuadrigaCX. However, when comparing their withdrawal practices to that of other known solvent exchanges (Coinbase, Bittrex, Bitstamp, Binance, etc.), the movement of bitcoins to satisfy customer demand is highly unorthodox and extremely inefficient for any legitimate exchange.

It is also worth noting that this withdrawal transaction occurred in November 2018, which is within a period of time when the exchange’s financial and functional troubles were at their height.

While there are a number of customer complaints with regards to the exchange’s failure to complete fiat withdrawal requests, further research into the exchange’s numerous crypto withdrawal delays seems to corroborate the theory posited above.

The following Reddit posts serves as cogent examples:

The last Reddit thread shown above, specifically, shows responses from several customers that were forced to wait a significant amount of time before receiving their bitcoins (up to a day at times).

After QuadrigaCX shuttered the metaphorical doors on its website on January 28th, 2019, it posted a statement (which is still on the website currently) approximately three days later that stated that the team was looking for its ‘reserve keys’, and that its failure to find said keys has resulted in their inability to fulfill customer crypto withdrawal requests.

Read below:

The statement above does not attribute the failure to locate the alleged existence of QuadrigaCX’s reserve wallets to Gerry Cotten’s passing, but this is stated in an affidavit from Gerry Cotten’s widow, Jennifer Robertson, later the same day.

As stated toward the beginning of this analysis, a definitive ID of QuadrigaCX’s main cluster wallet address has already been made via chain analysis and further confirmed through the analysis of hundreds of transactions going to and from the exchange to its customers:

Again, for posterity purposes, below is the link to Bitfury’s research explaining how Hierchical Deterministic (HD) wallets work on the Bitcoin protocol and what features of Bitcoin transactions and wallet addresses make address clustering an extremely reliable method of aggregating addresses belonging to one entity.

Given the above information, it is worth noting that there are several outgoing transactions that have been made since the alleged date of Gerald Cotten’s passing (December 9th, 2018).

Below are numerous examples:

As one can see in the screenshots above, QuadrigaCX transferred approximately 3.53 $BTC from its platform (approximately $12,381 USD worth) from the evening of January 24th through the 25th.

This movement strongly contradicts the idea that there are no funds that QuadrigaCX has access to.

Of course, the natural counter to this argument would be that the cluster address does not contain the hot wallet.

However, it is worth noting that this cluster address contains over 200,000 wallet addresses that have been used by QuadrigaCX:

One cluster address that deserves a significant amount of scrutiny can be found here:

It is unknown what the purpose of this wallet is, but it has received significant deposit amounts from QuadrigaCX’s main hot wallet cluster address.

From November 8th to December 8th, this wallet received 760 bitcoins from the QuadrigaCX main wallet address. It is unknown what happened to these bitcoins or why they were moved, but they are no longer in the cluster wallet address.

The cluster wallet was created on May 25th, 2018 and since its inception, QuadrigaCX has sent 3,363 bitcoins to this location.

When calculating the USD value of these transfers (using the estimated value of transaction by multiplying by Bitcoin’s strike price at the time of transacting), it appears QuadrigaCX sent approximately $12.7 million worth of bitcoins to this address over the last 7 months.

If one examines the link provided above underneath the subheading for this section, it is more than likely that the following will be noticeably apparent:

In total, 2,241 bitcoins have come from this cluster address. It is unknown whether the specific wallets that have sent Bitcoin funds into the address have a direct relationship with Mt. Gox, however, this seems to be yet another observation worth noting as well.

One of the more prevalent claims made by QuadrigaCX through their website, interviews/articles, social media, and court filings is that there exists a vast ‘cold’ reserve where a significant number of bitcoins are stored (as well as cold wallets for Ethereum, Litecoin, and the other crypto assets sold on their exchange).

On their support page, which is still up for the time being, QuadrigaCX posted a message on January 9th, 2018, explaining why there may be delays in receiving Bitcoin transactions.

The message is posted below:

Link to the Support Article: https://support.quadrigacx.com/support/solutions/articles/9000139532-where-is-my-bitcoin-withdrawal-

Archived Link (in case of deletion/removal): http://archive.is/TKwBu

In specific, the statement, “If you have successfully entered your Transaction PIN and Email Confirmation Code to confirm the Bitcoin (XBT) withdrawal from your account, then it will be sent within 10 minutes unless for some reason the hot wallet balance is low and needs to be topped up” implicitly suggests that there is a cold wallet reserve or a more extensive funding source that the exchange would pull from in the instance that its ‘hot wallet’ was bereft of funds.

In a now widely shared CoinDesk article, Gerry Cotten, the exchange’s former CEO and Owner that allegedly passed away in India nearly two months ago, stated in an interview with the publication that the exchange engaged in “extensive security measures”.

The excerpt from this CoinDesk article is posted below:

As highlighted above, the key sentence to focus on in the CoinDesk article is the one where it states, “Cotten, in turn, spoke to Quadriga’s security strengths, noting that the exchange uses multi-signature cold storage to secure bitcoin holdings.”

In specific, many have focused on the ‘multi-signature’ part of the phrase in recent days to make the argument that speculation about Gerry Cotten’s death is a moot point because the multi-signature nature of the wallets would enable QuadrigaCX to still access their funds.

The speculation about why QuadrigaCX may or may not be able to access their crypto funds began because QuadrigaCX has claimed in recent days that they are unable to honor customer withdrawal requests due to the fact that they no longer have access to their reserve wallets.

As a side point, it is worth noting that the highlighted statement in the CoinDesk article only contained a claim made by Gerry Cotten that there was a Bitcoin cold/reserve-wallet, rather than a cold/reserve wallet for all cryptocurrencies offered to traders on QuadrigaCX.

Specifically, information about the alleged cold reserves of QuadrigaCX can be found in Jennifer Robertson’s (wife of reportedly deceased CEO, Gerald Cotten) sworn affidavit, which was submitted to the Supreme Court of Nova Scotia (Canada) on January 31st, 2019 in furtherance of QuadrigaCX’s petition for Creditor Protection from the courts.

The full affidavit has been posted on Scribd, and can be accessed below:

Source: https://www.scribd.com/document/398721572/Jennifer-Robertson-Affidavit#from_embed?campaign=SkimbitLtd&ad_group=100652X1574425X640a8d8f2590c81acce9575c8078b8fc&keyword=660149026&source=hp_affiliate&medium=affiliate

Specifically, the following statements (located on page 5 of the affidavit), are of relevance to this section:

  • “Any coins credited to a user on the platform were stored by Quadriga, either in a hot wallet or a cold wallet. Coins withdrawn by a user would be stored in a wallet controlled by that user.”
  • “Quadriga keeps only a minimal amount of coins on the server (in a hot wallet). The normal procedure was that Gerry would move the majority of the coins to cold storage as a way to protect the coins from hacking or other virtual theft.”
  • The amount of coin kept on the server versus in cold storage was originally set at a fixed amount. Transfers could happen automatically or manually. The threshold requirement for Quadriga’s hot wallet was removed some time ago and, after that, Gerry manually controlled the flow of coins between the hot and cold wallets of the coins credited on the Quadriga platform.
  • Transfers from the cold wallet to the hot wallet would occur when the hot wallet was running low and withdrawals were being sent to users. The transfer of coins from the cold wallet to the hot wallet was performed manually by Gerry.”
  • “There is no defined standard in the cryptocurrency industry for how coins are stored, but the normal practice for any exchange or person dealing in cryptocurrency is to keep the coins in a cold wallet for security purposes.”
  • “The database would keep track of useres, and there are currently approximately 363,000 registered users in the Quadriga database. As at the date of filing this affidavit, approximately 115,000 users (the “Affected Users”) of the Quadriga website held balances in their personal accounts, representing obligations payable by Quadriga to the Affected users in the form of: (i) cash obligations; or (ii) obligations to hold cryptocurrency units on their behalf. Quadriga currently owes its Affected Users $70 million, plus cryptocurrency, cumulatively valued (based on cryptocurrency market pricing as of December 17, 2018) at approximately $180 million. Total obligations due to the Affected Users approximate $250 million as of December 17, 2018.”
  • “As of January 18, 2019, the following cryptocurrency balances were recorded — Bitcoin: 26,488.59834, Bitcoin Cash: 11,378.79082, Bitcoin Cash SV: 11,149.74262, Bitcoin Gold: 35,230.42779, Litecoin: 199,888.408, and Ethereum: 429,966.0131”

In order to protect the author of this study (legally) from any potential legal ramifications, it must be stated that the following statements are not being asserted as empirical truths, but rather observations from the author based on the analysis that they have conducted independently. These statements are not intended as libel, but rather to serve as an accurate representation of fact, to the author’s knowledge, at this point in time.

Based on the analysis of dozens of aggregated wallet addresses and transaction IDs for bitcoin withdrawals and deposits on the exchange, there is no evidence that a cold wallet for QuadrigaCX is currently in existence.

No withdrawal transaction has been sourced to a significant pool of bitcoins (i.e., cluster address) that were not positively identified (objectively) as belonging to another exchange.

In addition, thorough analysis of QuadrigaCX’s main hot wallet cluster address has failed to provide evidence that there has been any movement of bitcoins to an outside wallet address (or cluster address) that contains any significant holding of bitcoins.

Again, via thorough inspection of several dozen verified Bitcoin withdrawals and deposits, the estimated aggregated total number of bitcoins in QuadrigaCX’s possession is south of 1,000 $BTC, with 1,000 being a very generous estimate at this point in time.

Chain analysis shows that the vast majority of holdings in the wallets and addresses that QuadrigaCX owns have already been liquidated or moved to an exchange.

Due to the time sensitive nature of this issue (QuadrigaCX plans on appearing in court Feb. 5th to submit their appeal for creditor protection), this report is being published slightly premature.

There is a lot of additional information from the analysis that the author will include throughout the day (February 3rd, 2019), and in the next few days.

All edits will be annotated at the bottom of the article and announced via all social media platforms owned by the report’s author.

Please feel free to reach out on any of those platforms if you have any additional information or questions about the report. Crowdsourcing reliable information and attempting to make the findings contained within as solid as possible is in the interest of the greater crypto community.

If you’re interested in donating/contributing to the author (this was all done pro bono), feel free to submit a $BTC tip here: