Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty

Wallets were empty eight months before cryptocurrency exchange CEO’s death.

There has been another twist in the curious case of QuadrigaCX, a Canadian cryptocurrency exchange.

As we discussed in a recent episode of the “Smashing Security” podcast, QuadrigaCX was thought to be holding approximately $250 million CAD (US $190 million) in “cold storage” beyond the reach of hackers.

Now, normally that would be a good thing. After all, past hacks of cryptocurrency sites have proven that it is more sensible to store digital currency somewhere hackers cannot easily access it: offline, and protected by a hard-to-crack password and strong encryption.

But things aren’t so good… if you can’t remember the password.

Or, in the case of QuadrigaCX, the problem isn’t so much that the password to the cold storage cannot be remembered, but rather that the only person who knew it had died.

As the company announced on January 14, 2019, its CEO and co-founder Gerald Cotten had suddenly and unexpectedly died in India.

Quadriga Facebook post:

It is with a heavy heart that we announce the sudden passing of Gerald Cotten, co-founder and CEO of QuadrigaCX. A visionary leader who transformed the lives of those around him, Gerry died due to complications with Crohn’s disease on December 9, 2018 while travelling in India, where he was opening an orphanage to provide a home and safe refuge for children in need.

Gerry cared deeply about honesty and transparency–values he lived by in both his professional and personal life. He was hardworking and passionate, with an unwavering commitment to his customers, employees, and family.

Gerald Cotten, it was revealed in a court filing at the end of January, was the only one who knew the password to Quadriga’s cold storage, meaning 115,000 cryptocurrency wallets were no longer accessible, and clients’ US $190 million worth of holdings could not be repaid.

(One has to presume they tried obvious possible passwords like “letmein”, “password1”, and “qwerty”.)

You can hear more about this case in the podcast we recorded with Jack Rhysider from the “Darknet Diaries”:

Smashing Security #114: 'Darknet Diaries, death, and beauty apps'


But now there’s a new twist in the tale.

As Wired reports, an investigation by Ernst & Young has revealed that the wallets in question were actually empty eight months before Cotten’s supposed death. As if folks weren’t suspicious enough about QuadrigaCX’s inaccessible millions before this turn of events…

Another Bitcoin exchange, Kraken, says it is offering a US $100,000 reward to anyone who can provide “information leading to significant progress or discovery of all or some of the missing client funds.” Kraken says it will pass any tips it receives on to law enforcement.

It’s hard to say right now if what happened at QuadrigaCX is a classic case of cock-up or conspiracy, but I would advise cryptocurrency investors to be very wary of trusting others to look after their cryptocurrency wallets. You should perhaps consider investing in your own personal hardware wallet instead.

And, if you are the one person in a company who knows a piece of crucial information or password, perhaps consider how others in your firm might be able to gain access to that data if you were ever to come to an unexpected sticky end.

Password managers like LastPass and Dashlane allow you to grant emergency access to individuals you have approved in advance.

Similarly, Google's Inactive Account Manager provides a way for you to share data with pre-designated individuals if you have been “inactive” for a certain period of time.

Of course, none of these methods are going to help much if the wallets have already been emptied…

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty”

  1. BaliRob

    Another two examples of the absurdity of Crypto currencies

  2. heh

    hmm…I wonder how much a fake death certificate costs in India?! well played sir
