This is a guest post written by the Canadian Privacy Advocate, Blockchain Adjudicator (Telos) Marc-Roger Gagné. Marc-Roger is a prominent voice within legal issues in the cryptocurrency, Blockchain and cybersecurity community. More about Marc-Roger Gagné here.
A lot of crypto customers are learning an expensive lesson this week. Roughly 115,000 customers of QuadrigaCX, a Canadian cryptocurrency exchange, have been cut off from their money, perhaps forever. In total, they’re owed $70 million CAD in fiat and upwards of $180 million in crypto.
The lesson shouldn’t come as a surprise, however, as inklings of trouble began last December. QuadrigaCX’s funds have been locked down since then and it’s only this week that they’re finally getting some clarity on matters — and the news is not good.
Things are Not Going Well for QuadrigaCX Customers
About a week ago, the widow of deceased QuadrigaCX CEO announced that the company has lost access to its holdings. $137 million worth of digital coins, apparently held forever in limbo because her husband took his digital wallet passwords to the grave with him.
It’s a crazy story that began two months ago somewhere in India and keeps getting crazier as it unfolds.
Here’s the timeline:
- Fall 2018: Large withdrawals are curtailed.
- November 27, 2018: Gerald Cotten, CEO of QuadrigaCX, makes a will.
- December 9, 2018: Gerald Cotten dies of Crohn’s Disease in India
- There is no announcement to customers & no obituary, either
- December 2018 – January 2019: customers begin having trouble getting their money out
- Support tickets are marked as resolved even though they’re not
- Funds continue to be accepted into QuadrigaCX accounts
- January 14: It’s finally announced, more than a month later, that Cotten has died.
- January 15: QuadrigaCX sends an email to customers saying they’re processing withdrawals, albeit slowly
- Then, January 31: Jennifer Robertson files an affidavit swearing that her deceased husband was the only person who had access to the wallet that stored $137 million in digital coins
- February 6: QuadrigCX gets a 30-day reprieve from creditors so they can continue to look for the $180M
The “clarity” that Quadriga customers are getting as a result of Ms. Robertson’s affidavit — it actually does more to raise questions than to answer them.
Questionable Security Practices, a Mysterious Death, and a Puzzling Timeline of Events
Let’s ignore the fact that QuadrigaCX waited over one full month to announce Gerry Cotten’s death. And let’s ignore the fact that it’s rare to die from Crohn’s Disease (survival rate is 94%). Let’s also ignore the fact that the exchange continued to accept incoming transfers after the death of Gerry Cotten — not all of which were automatic transfers.
Let’s focus instead on the fact that nobody thought it a tad risky to store $137 million in assets on a laptop that could only be accessed by one person. That’s a very centralized process. Centralized is the opposite of distributed. When just one person holds the key to everyone’s money, the reassurance you get from having a “distributed ledger” just seems to crumbles away.
The Wallet that Vanished into Thin Air
The wallet that contains the lost $137 million is a “cold wallet”, which means it’s stored offline (in this case, on a laptop). It’s a common security protocol that serves to keep valuable digital assets safe from hackers.
Crypto companies usually have both cold wallets and hot wallets which act much like a savings account and a checking account, respectively. Like a savings account, a cold wallet holds the bulk of the money. The crypto companies only transfer the coins to the (more vulnerable) hot wallet as needed — i.e. for customer withdrawals.
The problem is that only one person, Gerry Cotten, had the passwords to access that cold wallet and the laptop it’s on. Sloppy, and not good. But, with nobody overseeing the crypto industry, sloppy CEO’s like Cotten will exist. Sloppy or worse… fraudulent.
There’s Been Some Serious Oversight on Crypto Oversight
Assuming QuadricaCX sloppily handled funds this way for the 5+ years of its existence, it’s surprising it took this long for something to happen.
Every industry has its protocols — best practices that take over where common sense leaves off. And on top of protocols, many industries also have regulations and oversight — just to make sure the right protocols are being followed.
In the crypto ecosystem, there aren’t even any real protocols in widespread use, let alone actual regulations and federal oversight on corporate activity.
Jewelry store sales associates have more oversight than cryptocurrency exchanges like QuadrigaCX. In your typical jewelry store, the store painstakingly and meticulously accounts for the inventory every morning and every night. It’s industry standard to handle jewelry this way, and every shop owner knows this. They also know that anyone who doesn’t follow these protocols is asking to be ripped off — either by their own employees or by slick thieves using sleight-of-hand techniques.
In the crypto world, there is apparently no common knowledge like this. No shared common sense, Best Practices, protocols, regulations, or anything to guide exchange owners and protect customers.
It’s the industries where consumers are vulnerable that require the strongest oversight. Think healthcare, finance, public health, the environment, insurance, food, cosmetics, automobiles, etc). Whether it’s watchdog organizations, government agencies, or third-party consulting companies, there’s an historically proven need to have a protective layer that exists between two parties during any type of transaction. Otherwise, it’s the unwary consumer pitted against the hungry, opportunistic mongrels who come from the underbelly of commerce.
In the case of QuadrigaCX, we don’t know what really happened (yet). For all we know, it’s Gerald Cotten himself who dealt the sleight of hand on this one. Mr. Cotten and his wife, perhaps, if she was in on it too.
Be Careful of What You Ask For – Were these early adopters really ready for the Wild West of Finance?
If you’re at all skeptical about the circumstances surrounding Cotten’s death, you’re probably already thinking that a lot can happen to people’s money when nobody’s looking.
Oversight and regulation are partly for consumer protection. But cryptocurrency consumers are a different breed of consumer. For them, one of the attractions of cryptocurrency is the very lack of third-party “interference”.
Cryptocurrency early adopters feel that the beauty of cryptocurrencies lies in their lack of oversight. Plus, they like that there are very few touchpoints with the government (no government-issued ID necessary, etc). It all hearkens back to the Satoshi Nakamoto Crede which cites mistrust of traditional financial institutions as a major raison d’etre for Bitcoin, the original cryptocurrency.
But can we say “be careful of what you ask for”?. Where’s Cotten now? And more importantly, where’s all that money? Right now, experts say that it’s most likely that those passwords — and the money — are gone forever.
It ’s the ultimate I told you so. Perhaps these consumers (the early adopters of cryptocurrency) weren’t actually ready for the wild, wild West of finance with its lack of regulation and third-party “interference”.
What Happens Now for QuadrigaCX
As I write this, reporters are busy uncovering the details of Cotten’s death (has anyone interviewed the doctor on call at the hospital in Jaipur where he died?) As for the investors and customers of QuadrigaCX, it may be a waiting game. Waiting for the courts to pry the truth (and the cold wallet passwords?) out of Cotten’s wife. Meanwhile, QuadrigaCX is pretty much an abandoned ship of lost hope, crashed fortunes, and despair.
As for what happens next — like every other crypto disaster, it’s in the hands of the courts. As I write this, the laptop containing the cold wallet is being handed over to the court. They will also be examining the veracity of Mr. Cotten’s death (it’s customary for courts to require more than what has been provided so far as proof of death).
What Happens Now for The Traders?
Right now, QuadrigaCX customers just have to sit and wait for the next 30 days as the court-appointed stay plays out. During this time, the company is shielded from lawsuits and customers are essentially stranded. Their rights? If Ms. Robertson had a say, they have none. The QuadrigaCX platform may be sold to interested parties in order to raise cash to pay back traders. However, she wrote, if traders start suing the company that will negatively affect the sale price.
Traders have lawyered up anyway, and are already gathering around the court proceedings in Halifax, where Cotten is from and where he and his wife have a home.
What Happens Now for Everyone Else?
Clearly, there’s a lot to uncover in the days ahead on this story.
So perhaps the real question is: what happens now for the rest of us?. It’s very easy to look back and extract lessons about security and crypto regulation but what’s the real takeaway? Zoom out for a second and think of the bigger picture. The bigger picture being the context in which this grim drama unfolded before our very eyes.
- A new technology
- An uninformed public
- Lagging regulation
- Lack of accountability at top levels of government
It’s time to move forward on lassoing this industry into the corral so everyone can ride the crypto wave and benefit from its advantages. In the meantime, crypto customers need to be extra wary and extra vigilant on researching the people to whom they’re forking over their fortunes.
The views, the opinions and the positions expressed within guest posts such as this one are those of the author alone and do not necessarily represent those of https://www.cryptowisser.com/ or any company or individual affiliated with https://www.cryptowisser.com/. We do not guarantee the accuracy, completeness or validity of any statements made within this article. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author. Any liability with regards to infringement of intellectual property rights also remains with them.