It sounds like a movie. Picture a vast store of treasure, waiting to be claimed amid silent subterranean depths, in a vault. The vault? Well, it’s impenetrable, save for a key. The key belongs to one man, and one man alone.
The man? Only he knows the whereabouts of the key, or what the key even looks like.
He’s dead. Fade to black.
There lies $190 million, tied up in crypto that no one will seemingly be able to recover … maybe ever. Therein lies a conundrum in digital security. What does it mean when so much can be lost when a single heartbeat is silenced?
The news was, and is, thus: Crypto exchange QuadrigaCX, based in Canada, apparently cannot get a hold of $190 million in crypto held on behalf of clients — spanning bitcoin and Ethereum, amid other digital currencies. That’s because the firm’s 30-year-old founder, Gerald Cotten, who died in India in December 2018, was the only person who knew the passwords to “cold storage.” The news was imparted via court filings at the very end of last month by the founder’s widow, Jennifer Robertson. The firm has now filed for protection from creditors.
In the filings, and as reported by Forbes, Robertson said, “Quadriga’s inventory of cryptocurrency has become unavailable and some of it may be lost. The normal procedure was that [Cotten] would move the majority of the coins to cold storage as a way to protect the coins from hacking or other virtual theft. The laptop computer from which Gerry carried out the company’s business is encrypted, and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere.”
The holdings? Roughly 26,500 bitcoin, 200,000 Litecoin and about 430,000 Ether, among other digital currencies.
It’s a tragedy, of course, but also a cautionary tale. The term “cold storage” refers to an offline wallet that is not connected to the internet, which means it is less susceptible to cyberattacks. That lack of connectivity means, too, that getting it all back can be a challenge, and, as this case illustrates, well-nigh impossible amid the news that Cotten left no business records tied to cold storage.
Beyond the death and the frozen coins, the exchange has had problems in the past.
Death By 1,000 Cuts
There are roughly 115,000 customers of the exchange who hold balances with the company. One might assume they are growing restless. Robertson said Quadriga “urgently needs a stay of proceedings, which will allow Quadriga and its contractors additional time to find whatever stores of cryptocurrency may be available, and also to negotiate the bank drafts available to Quadriga,” according to reports. If the cryptos cannot be recovered, the company may consider selling … well, the company itself, in an effort to at least partly reimburse holders.
Obviously, with so much at stake, the idea of a single password holder — should the password be lost, or should the password holder be compromised or even missing — is self-evident as a poor security strategy.
Simply put, the password manager should be much more than a password with a manager. As a survey by Dashlane, an actual password manager, said late last year, cryptocurrency owners were ranked as the third-worst “offenders” when it comes to passwords (behind Kanye West and the Pentagon).
As the firm said in explaining its rankings: “As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out — if they could remember their passwords. The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.”
That may be a bit tongue-in-cheek, but only a bit. The password remains the gateway to assets of all stripes.
Among some fixes proffered by the crypto community is blockchain. After all, as the promise goes, decentralized technology is tied to certificates, and digital keys can be required for devices (and the digital assets stored on them) — and digital signatures are tough to fake.
However, it turns out that blockchain is not as safe as some might think. The “Sybil” attack can create fraudulent nodes that can flood networks with bad or fraudulent transactions.
There’s no easy fix, but the sad tale of QuadrigaCX shows that a single line of defense, with no line-of-succession planning, is among the worst tools in the box when it comes to protecting any manner of holding, from data to digital coins.