Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bitcoin Businesses Canada Digital Encryption Privacy Technology

Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave (arstechnica.com) 252

A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers' assets following the sudden death of its founder, who was the only person known to have access to the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it's tied up in disputes with third parties. Ars Technica reports: The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX's sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn's disease in India in December at the age of 30. Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a "cold wallet," meaning a digital wallet that wasn't connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars. Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins. Robertson testified that Cotten stored the cold wallet on an encrypted laptop that only he could decrypt. Based on company records, she said the cold wallet stored $180 million in Canadian dollars ($137 million in US dollars), all of which is currently inaccessible to QuadrigaCX and more than 100,000 customers. "The laptop computer from which Gerry carried out the Companies' business is encrypted, and I do not know the password or recovery key," Robertson wrote. "Despite repeated and diligent searches, I have not been able to find them written down anywhere."

The mismanaged cold wallet is only one of the problems besieging QuadrigaCX. Differences with at least three third-party partners has tied up most or all of an additional $53 million in assets. Making matters worse, many QuadrigaCX customers continued to make automatic transfers into the service following Cotten's death. On Monday, the site became inaccessible with little explanation, except for this status update, which was later taken down. On Thursday, QuadrigaCX said it would file for creditor protection as it worked to regain control of its assets. As of Thursday, the site had 115,000 customers with outstanding balances.

This discussion has been archived. No new comments can be posted.

Digital Exchange Loses $137 Million As Founder Takes Passwords To the Grave

Comments Filter:
  • by Fly Swatter ( 30498 ) on Monday February 04, 2019 @06:14PM (#58070694) Homepage
    This is why well established insured banking establishments are used. But hey, it was your money - do what you want with it, they didn't!
    • by zlives ( 2009072 ) on Monday February 04, 2019 @06:18PM (#58070718)

      did they check the bottom of the keyboard...

    • Schadenfreude (Score:5, Insightful)

      by Brannon ( 221550 ) on Monday February 04, 2019 @06:43PM (#58070860)
      I'm not proud to say that one of the things I find most satisfying is watching anti-establishment types painfully discover why the establishment exists.

      Yep, this is why we have real banks, dummies.
      • Why do you think banks don't do stupid things with security, I used to work for a bank and I assure you they do. Ok when the screw up they get bailed out by the public, that is better? maybe? The lesson here is you need base your trust in the company that you invest in on something, that should require having transparency of process. also, was there a backup for this laptop?
        • Re: Schadenfreude (Score:5, Insightful)

          by SirSlud ( 67381 ) on Monday February 04, 2019 @08:21PM (#58071256) Homepage

          It's because of insurance. No system, company, etc is perfect. Of course banks do stupid shit. But they're insured. It's the social arrangements that make them valuable, not that they're magically filled with perfect people.

          • It's because of insurance. No system, company, etc is perfect. Of course banks do stupid shit. But they're insured.

            It's got nothing to do with insurance. Banks aren't insured against stupidity. Smallish demand-deposit accounts are insured by the FDIC against bank insolvency, but that isn't really relevant to why these kinds of things don't happen to banks.

            The real reason that this isn't a problem for traditional banks is that mistakes -- and fraud -- are nearly always reversible, because the security and integrity of the systems is based on auditability, not on perfect correctness. If Chase had accidentally deleted

        • yes they get bailed out because they are insured either by the government or by 3rd party that is why I keep my money in a bank. What insurance did QuadrigaCX's depositors have?
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I think it's more what happens when establishment types go and recreate the establishment, poorly. The whole point of cryptocurrency is that it's decentralized; there's a hash that you hold yourself either electronically or written down which the network recognizes as having value. Why would you then give your money over to someone who maintains a centralized spreadsheet? It's not like these coin exchanges do loans to earn a return on idle money.

      • Comment removed based on user account deletion
  • Obviously, these people have never heard of Business Continuity Management. Fits however nicely with the "greed and stupidity FIRST" mindset of the cryptocurrency community. This is hilarious!

    • by zlives ( 2009072 ) on Monday February 04, 2019 @06:20PM (#58070734)

      or she gots the wallet and now everyone else is on a wild goose chase... how can anyone prove otherwise, including her.

      • by 93 Escort Wagon ( 326346 ) on Monday February 04, 2019 @07:41PM (#58071106)

        “Despite repeated and diligent searches, I have not been able to find them written down anywhere. I am forced to proceed to the next stage of the recovery plan - spending long periods at numerous luxury villas around the globe, tirelessly searching for the location of that elusive password! Do not despair... I will not halt my efforts, no matter how many decades it may take, until your funds are completely spent. I mean RECOVERED. Yes, recovered is the word I was looking for.“

      • I don't know wouldn't you see the wallet in the block chain if it was used?
      • how can anyone prove otherwise

        Maybe if Bitcoin had some sort of public ledger we can establish if anyone ever accessed the funds... It's a shame they didn't implement such a feature.

    • by Narcocide ( 102829 ) on Monday February 04, 2019 @06:22PM (#58070748) Homepage

      Well, it could have been worse. The money could all have been stolen. At least this way they know where it is. In a sense, it is still perfectly secure, too...

      • Well, it could have been worse. The money could all have been stolen. At least this way they know where it is. In a sense, it is still perfectly secure, too...

        And it's perfectly safe because the only copy is stored on a laptop.

        • by Kjella ( 173770 )

          And it's perfectly safe because the only copy is stored on a laptop.

          Where the money is located is on the blockchain that's distributed for the whole world to see. They can point to it and say here's our cold wallet with the $137 million that we lost the key to. It wouldn't bring the money back but it would prove nobody else took it as part of a scam. Now if they say we don't know where the cold wallet is and that information was only on the laptop too then I'm thinking exit scam.

  • by jfdavis668 ( 1414919 ) on Monday February 04, 2019 @06:17PM (#58070710)
    $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.
    • by Anonymous Coward

      Anybody else think this is a scam? Hell, even if the original guy is dead, this leaves the possibility for a huge windfall to whoever he decided to share it with.

      Gotta love pirates, thar's truth in them thar words, "Dead men tell no tales" arrrgh

      • by dmesg0 ( 1342071 )

        Such scam is impossible to hide: the cold wallets are very easy to trace (the blockchain database is visible to anyone), but impossible to withdraw without knowing the private key.

    • by gweihir ( 88907 )

      Banks do it because they are required to. This was just an amateur with something that is not actually money.

    • by MAXOMENOS ( 9802 ) <mike@mikesmYEATS ... n.com minus poet> on Monday February 04, 2019 @06:34PM (#58070822) Homepage
      I don't know who coined this term, but given the very expensive rookie mistakes I keep seeing, not to mention the claims of security that keep falling apart, the term "Dunning-Krugerrand" for BitCoin seems apt.
    • by bobbied ( 2522392 ) on Monday February 04, 2019 @06:41PM (#58070854)

      $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

      What kind of security is this?

      TRUE security requires TWO factors (or more) so why in blazes didn't they store multiple copies of the key where multiple people have only part of the key? Then your backup to this "offline key" is having multiple partial copies of it in different hands, with the assurance that at least TWO or more people would be required to agree to provide their portion of the key to open the encrypted file.

      Handing any one person the key for "safe keeping" is stupid. You should always have accountability and require agreement of more than one person for such things.

      • TRUE security requires TWO factors (or more) so why in blazes didn't they store multiple copies of the key where multiple people have only part of the key? Then your backup to this "offline key" is having multiple partial copies of it in different hands, with the assurance that at least TWO or more people would be required to agree to provide their portion of the key to open the encrypted file.

        Something like this? [wikipedia.org]

      • $137 million, and they didn't think to store the password somewhere it wouldn't be lost? They didn't think to ask the guy before he died? What a stupid company.

        What kind of security is this?

        TRUE security requires TWO factors (or more) so why in blazes didn't they store multiple copies of the key where multiple people have only part of the key? Then your backup to this "offline key" is having multiple partial copies of it in different hands, with the assurance that at least TWO or more people would be required to agree to provide their portion of the key to open the encrypted file.

        Handing any one person the key for "safe keeping" is stupid. You should always have accountability and require agreement of more than one person for such things.

        It's wonderful security. A password that only you know is a password that you don't have to trust anyone else with. Sure there's a risk that you get kidnapped and tortured for it, or you get a head injury and forget it, but otherwise it's really great security. If you're the founder.

        If you're an employee it's less great but still decent, you don't need to bother with the red tape of a distributed system and if something ever does happen to the founder you can just get a new job.

        If you're a customer it obvio

    • If he memorized it, there's a good chance it could be brute forced. You can get through a lot of passwords with $137million worth of hardware.

      Not that I care, everyone involved seems like an awful person.
    • People are saying [forexlive.com] that this "convenient" "stupidity" as you call it is simply an attempt to defraud their customers.

      • More like the intentional stupidity was its own insurance device...

        ..but somebody killed him anyways
  • Did he actually die...?

    Just think about the implications of $137mil of untraceable funds that aren't strictly controlled by any national regulations.

    • by Barny ( 103770 ) on Monday February 04, 2019 @06:27PM (#58070770) Journal

      See, now this is the thing. Crohn's disease doesn't kill you. I have it, and as you can imagine I looked into what it does that will eventually kill you. It doesn't.

      Since it's an autoimmune disease, however, you need to take two kinds of meds to deal with it:

      Anti-immune drugs
      Anti-inflamatory drugs

      Unless he had a severe reaction to either, the main killer of a crohn's sufferer is infection due to lowered immune system. While this definitely is dangerous, like diabetic patients it is drummed into you that if you get ANY kind of infection, you go straight to hospital to have it dealt with.

      If the person died, they died of stupidity (either their own or whatever doctor they ran to not taking it seriously enough), but they didn't die of crohn's disease.

      • by bobbied ( 2522392 ) on Monday February 04, 2019 @06:50PM (#58070898)

        It most surely *can* kill you.. True, it can usually be managed if you *know* what it is... However, not everybody who has it, knows what it is and is being properly treated for it.

        And yes, I have experience with this. My Mother in law has Crohn's and she very nearly died from it. They mis-diagnosed the problem and her gut leaked for days until they opened her up to take a look. She lost the majority of her small intestines, all of her colon and spent nearly a year in the hospital, half in a coma in intensive care. She now must be given IV fluids every other day and can barely get enough nutrition to stay alive eating.

        It was woefully managed by her doctors, but Crohn's all but killed her.

        So I'm not as ready to dismiss this story as impossible. It most assuredly IS possible.

        • by Barny ( 103770 )

          Fair point. But I imagine it doesn't "suddenly" kill. I had symptoms of crohn's disease for six months before the anal bleeding actually started (that's kinda a good wakeup call). My doctor had it diagnosed within a week (colonoscopy) and had me on powerful anti-inflammatory drugs, anti-immune drugs, and antibiotics.

          The immune inhibitors suck ass pretty badly, but not as much as the pain when you're not on them.

          I guess I should have included a statement that "sudden" death from crohn's doesn't happen, and d

      • by Khyber ( 864651 )

        "Crohn's disease doesn't kill you"

        Tell that to my pal sitting in the ground right now, dead from the shock of the pain Chron's inflicts upon you.

        Fucktard.

      • by guruevi ( 827432 )

        On the other hand he was in India. Not sure if you want to go to a hospital in rural India as you most likely will get more infections if you're already immunocompromised. Even the US has problems with hospital-grade diseases.

      • While this definitely is dangerous, like diabetic patients it is drummed into you that if you get ANY kind of infection, you go straight to hospital to have it dealt with.

        If he was stupid enough to be the only person with access to the cold storage he was certainly stupid enough to not go to a hospital with an infection.

    • The only real mystery is how he survived this long with such a huge target hanging around his neck.

    • by Hentes ( 2461350 )

      Unlikely, withdrawing the cash from the wallet would give it away immediately.

    • by gweihir ( 88907 ) on Monday February 04, 2019 @06:33PM (#58070812)

      Well, it is probably not that hard to get an official death certificate in India while still alive.

    • Untraceable? How do you figure? The blockchain on which Bitcoin is built contains a record of both the payer and payee for each and every transaction. At best it's pseudonymous, but there's nothing untraceable about it in the least. If that cold wallet ever sees a transaction, everyone will know something hinky is going on.

      • If that cold wallet ever sees a transaction, everyone will know something hinky is going on.

        So . . . ? So everyone knows that somthing hinky is going on.

        Is anyone capable of doing anything about it . . . ? Can the coins be blocked from further trading . . . ? Or from being exchanged for cash . . . ?

        It seems to me like it will be, "We know we've been robbed . . . but we can't catch the thief!"

        • Fraud is fraud, so yes, there are a number of enforcement agencies that can taken action if someone starts moving those coins. And yes, a lot of exchanges will block conversion to cash. And yes, they can tell who a thief is by tracking how the coins get spent or transferred and then subpoenaing the records of whoever they go to, given that most of these organizations are required by law to obtain and retain certain records across a number of jurisdictions.

          Right now, this is like a treasure ship sinking in t

          • And yes, they can tell who a thief is by tracking how the coins get spent or transferred

            The problem with you is that you know some things about bitcoin, but then you say this shit proving that you barely know anything about it, but amazingly are acting like an expert.

            There are dozens and dozens of anonymity services that will co-mingle coins with others from other wallets and then redistribute them to fresh wallets.

            • The problem with you is that you know some things about bitcoin, but then you say this shit proving that you barely know anything about it

              Alternative and actual explanation: I intentionally left it out. I saw no reason to point it out, particularly when it only speaks to one of the things I was saying. It’s a valid confounding factor to part of what I said, but that’s no reason for me to be the one to bring it up.

              Even so, fair point, and I don’t object at all to your contention that it would make tracking significantly more difficult.

    • by dnaumov ( 453672 )

      What on Earth could possibly make you think crypto is untraceable? The whole point of a PUBLIC blockchain is literally the opposite.

    • Did he actually die...?

      Just think about the implications of $137mil of untraceable funds that aren't strictly controlled by any national regulations.

      It seems a bit suspicious [vancouversun.com]:

      As many as 115,000 account holders are owed $250 million, which is locked up in “cold storage” only accessible to the recently deceased founder and CEO, Gerald Cotten

      At the time of the bankruptcy filing, QuadrigaCX held 26,500 Bitcoin worth $120 million, 430,000 Ether worth $60 million and several million dollars worth of Bitcoin Cash SV, Bitcoin Gold, and Litecoin, according to court documents.

      QuadrigaCX’s troubles started early last year when CIBC froze account

  • You would think it would be worth it to brute force the password for that much money.

    • by gweihir ( 88907 )

      If the encryption is sound (e.g. LUKS with a reasonable password), then that is not possible. Also, who pays for it? The coins in there still belong to somebody.

      • If the encryption is sound (e.g. LUKS with a reasonable password), then that is not possible. Also, who pays for it? The coins in there still belong to somebody.

        Hmm, 137 million... no one thought to write another copy down or adhere to any kind of best practices. I bet the password is the same as his TSA certified luggage.

  • I guess this is what you get. It sounds like everything was stored on a laptop as well, so even if he didn't die but just had the laptop lost/stolen/destroyed/etc. then the data was gone too. Since crypto-currency is nothing but data, poof goes your equity. Assuming of course that this whole story isn't just about a scam where he didn't really die but is on a yacht somewhere in the Mediterranean instead.
    • by gweihir ( 88907 )

      You know, the more I think about it, the more this looks like a scam to me. What is interesting is that the wive is still visible, but maybe he got rid of her this way too.

      • If they both disappear at the same time, it's an obvious scam and scrutiny will be intense. Either they are waiting for the heat to die down before she joins him or like you said, she's just a patsy in all this.
  • and that would be the one with the backup copy, which nobody knows about for obvious reasons.
  • ... the guy who died without a password post-it in his safety deposit box or people that converted their actual cash into imaginary money and trusted it to some random 30 year-old with a laptop. I'd posit that the customers got what was coming to them.

  • It's certainly a cunning plan, worthy of the great Baldrick himself! A single laptop and only one person knows the password, that man has a chronic disease and is travelling in a third world country *facepalm*
  • Their customers who are out the money are such geniuses for avoiding central banks and pesky things like deposit insurance. I really can't feel sorry for anyone who loses money when things like this happen, they're victims of their own ignorance.
  • Since that BTC is now lost forever, this means the remaining pool of accessible BTC is even more valuable. Oh, the joys of a deflationary currency!

    Everyone holding BTC just got wealthier. So get to it, and start figuring out how to sabotage the wallets of everyone else, and you will eventually be the richest person on earth. (Cue the dramatic music.)

    • Since that BTC is now lost forever, this means the remaining pool of accessible BTC is even more valuable. Oh, the joys of a deflationary currency!

      Nice whoosh porn: the inscrutable superposition of a bag of hammers with an gloating, goateed hipster.

      Interestingly, it made think just enough to realize that the limited supply of gold is not nearly a sufficient condition: gold must itself be limited, but also gold-like things must also be limited. What cryptocurrencies have done is to make the category of gold-

  • Charon [wikipedia.org] now accepts Bitcoin, though $137M seems a bit stiff for a ferry ride -- let's face it, cryptocurrency people are probably all going to Hell...
  • "Thursday's court filing, however, demonstrates that cold wallets are by no means a surefire way to secure digital coins."

    Time will tell, but this seems pretty good way to assure they are secure. Probably guaranteed. If that address records transfers, then we have an issue. The security issue is the idiots that allow transfers to be made by a third party (and allow them to stagnate there).

    Excuse my ignorance but isn't elimination of a third party to facilitate transfer a major reason to r

  • Sounds like a multi-cluster fuck
  • Comment removed based on user account deletion

Avoid strange women and temporary variables.

Working...