A mysterious death and the disappearance of millions in cryptocurrencies has led to an explosion of public interest into the workings of the Canadian-based cryptocurrency exchange Quadriga. The death of Quadriga CEO Gerald Cotten and the apparent vanishing of roughly $137 million in cryptocurrencies such as Bitcoin, Litecoin, and others has captured public attention and fueled speculation as to salacious or conspiratorial angles. The incident also highlights the difficulty of balancing security with operational effectiveness and emphasizes key vulnerabilities in the risk management models of cryptocurrency-focused organizations.
Gerald Cotten died in India in early December as the result of complications from Crohn’s Disease. At the time of his death, he had not shared the log-in information or recovery key for his encrypted personal computer, on which he ran much of Quadriga’s operations. It is believed that he was also the only person with the private keys necessary to access much of the exchange’s reserves. Quadriga kept its cryptocurrency reserves in what are known as “cold wallets’, digital devices that are disconnected from the internet when utilized so as to prevent hacking by malicious actors. Court-ordered auditors were finally able to access Quadriga cold wallets earlier this year, only to find that they contained no currency and had been empty since April 2018, 8 months before Cotton’s death.
The ultimate fate of the missing cryptocurrency – which belongs to Quadriga’s 115,000 users – remains unknown. Auditors from Ernst and Young continue to search for the missing funds, and both the US Federal Bureau of Investigation and the Canadian Mounted Police have begun investigating the case. The crypto-exchange platform Kraken has offered a $100,000 reward for information on the missing currency, and other exchanges are examining their records for transactions from Quadriga-based accounts around the time of Cotten’s death. The ongoing mystery surrounding the event has drawn interest and sparked various conspiracy theories about Quadriga, the nature of Cotten’s death, and the ultimate location of the $137 million.
The affair highlights some of the key mistakes that can be made when cybersecurity is effectively addressed but operational vulnerability is overlooked. The usage of cold wallets prevents most forms of cyberattacks, but also means that millions can vanish if a wallet goes missing. In the case of Quadriga, it remains a possibility that there are other cold wallets hidden somewhere that contain the missing funds. The encrypting of Cotten’s laptop is a commonsense security measure, but one that greatly hampered investigators seeking to trace the missing Quadriga reserves. Cotten’s position as the sole point for accessing the funds made him a critical vulnerability in Quadriga’s operating structure. His death demonstrated just how catastrophic this vulnerability was.
Given the nature of these various lapses in operational risk mitigation, it is clear why suspicion abounds around the nature of these events. This suspicion is further amplified by Quadriga’s minimal internal record-keeping and claims that another Quadriga co-founder is actually a former money-launderer living under an assumed name. These factors have led many to believe that there must be deeper explanations for all these events.
Regardless of the ultimate explanation, however, the affair demonstrates how advances in cybertechnology can solve some questions of security but not others. Cryptocurrencies remain an effective tool for transferring value privately and securely, but while blockchain reduces the need for trust in one particular sense, but it cannot solve the question of which vendors can be trusted to manage it properly. For any exchange, a trusted third-party represents a security vulnerability. The Quadriga affair highlights just how much of a security risk an untrustworthy vendor, payment processor, or other third party can be.
