Ride the Lightning

Crypto Exchange Founder Dies – And His Password Died With Him

February 6, 2019

Naked Security reported on February 5th that customers of Canadian cryptocurrency exchange QuadrigaCX are missing over $250 million Canadian Dollars (CAD) in fiat and virtual currency (approximately $190 million in US dollars) after its founder died without telling anyone the password for his storage wallet.

QuadrigaCX enabled users to trade between fiat currency and cryptocurrencies including Bitcoin, Bitcoin Cash, Litecoin and Ethereum.

Gerry Cotten, the 30-year-old founder of the Vancouver-based exchange, passed away in India on December 9. 2018 due to complications from Crohn’s disease. In an affidavit to the Supreme Court of Nova Scotia, his partner Jennifer Robertson explained that cryptocurrencies had been stored in a cold wallet under his sole control.

In cryptocurrency trading, a wallet is a repository for cryptocurrency addresses that contain assets, along with private keys to access them. There are two kinds of wallet: hot, and cold.

A hot wallet is a software program connected to a blockchain, enabling it to make cryptocurrency transactions. A hot wallet can be vulnerable to hacking via software compromise.

A cold wallet stores address and private key details off the blockchain. It can take several forms. A paper wallet stores the details in writing, while a hardware wallet stores addresses and keys in a device. A cold storage wallet could even be a simple text file containing the appropriate addresses and keys. It can still be physically stolen, but because it isn’t connected to a blockchain it isn’t vulnerable to online compromise.

It is good practice for cryptocurrency exchanges to keep the majority of their funds in a cold wallet to stop them being hacked, and this is apparently what Cotten did. The mistake he made (and oh boy, what a whopper of a mistake) was in being so secure that he didn’t share the access details with anyone else. His untimely death left Robertson, who had not been previously involved with the company, unable to access the funds for the customers.

In the affidavit, which supported an application for bankruptcy protection for QuadrigaCX, Robertson said, "The laptop computer from which Gerry carried out the Companies’s [sic] business is encrypted and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere."

The company continues to try and access to cold storage, she went on. It has hired an external expert, Chris McBryan, to try and hack into Cotten’s computers. He is also trying – so far unsuccessfully – to access an encrypted USB key.

Meantime, Robertson has been dealing with social media comments from those that refuse to believe Cotten is dead, accusing him or others of stealing the coins as part of an exit scam. She has received threatening messages and one person even messaged everyone in her Facebook contact list.

There's a movie script waiting to be written there . . .

The lesson drawn for cryptocurrency users?

You should limit the amount of ‘ready money’ lying around in an exchange. You should store cryptocurrency securely at home, offline, in a cold wallet. Then, decide how to back up the password so it can be reconstructed by your executors in the event of your death.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson