Edited June 23, 2019
- Dec. 9, 2018 — Gerald Cotten QuadrigaCX CEO dies of complications from Crohn’s disease while in India.
- Dec. 10, 2018 — Jaipur Police release NOC (No Objection Certificate) to Cotten’s widow, allowing her to return to Canada with the body of her husband.
- Jan. 2019 — QuadrigaCX announces CEO’s death. It owes $180 million CDN worth of cryptocurrency to its 115,000 customers but is unable to repay because Cotten had sole control of the private keys connected to those funds.
- Feb. 5, 2019 — QuadrigaCX in open letter to customers files for creditor protection in Canada, and Canadian Court appoints independent third-party Ernst & Young (E&Y) to oversee proceedings.
- Feb. 7, 2019 — Gerald Cotten’s death certificate was discovered.
- Feb. 12, 2019 — E&Y’s report claims that Quadriga accidentally transferred $470k in bitcoin to its cold wallets on Feb. 6.
- Feb. 14, 2019 — QuadrigaCX’s online wallets for Bitcoin, Ethereum, and other cryptocurrencies have nearly been emptiedand the funds sent to the failed cryptocurrency exchange’s court-appointed monitor, E&Y. All remaining cryptocurrencies were transferred to Ernst and Young.
- Mar. 1, 2019 — E&Y reveals that the cold wallets are almost empty.
- Mar. 2, 2019 — Kraken launches a bounty campaign for the QuadrigaCX investigation and offers cash prize of $100,000 to anyone who can provide tips and evidence to missing funds.
- Mar. 13, 2019 — Gerald Cotten’s widow issues a statement.
- Apr. 1, 2019 — E&Y locates $400,000 of assets and declares that bankruptcy is QuadrigaCX’s only option.
- Apr. 30, 2019 — Indictment published by The United States Department of Justice shows connection between QuadrigaCX and two high-profile crypto exchange controversies.
- May 2, 2019 — Latest E&Y report released outlining three legal entities affiliated with the exchange- Quadriga Fintech Solutions Corp., Whiteside Capital Corporation, and 0984750 B.C. Ltd.
- May 9, 2019 — E&Y reports that QuadrigaCX has around 20.8 million dollars in assets and 160 in liabilities as of April 12, 2019.
- June 3, 2019 — United States Federal Bureau of Investigation seeks victims in QuadrigaCX investigation.
- June 19, 2019 — Fifth report released by the Supreme court of Nova Scotia alleges that deceased QuadrigaCX CEO transferred user funds off the exchange and used them as a security for his own margin trading on other platforms. It appears that Cotton stole over 200 million USD of customer assets.
In the biggest crypto scandal since the Mt. Gox debacle, QuadrigaCX filed for bankruptcy protection after the Canadian crypto exchange said it could not locate $190 million USD worth of its customers money following the death of CEO Gerald Cotten.
Cotten unexpectedly died last December during a trip to India. Unfortunately, it appears that Cotten was the only person who knew the passwords to the company’s “cold wallets,” digital vaults that are not connected to the Internet and therefore hackers cannot access.
Since Cotten’s death, more disturbing details have emerged. The court hired accounting giant Ernst & Young to conduct a forensic audit of QuadrigaCX’s systems and discovered that six cold wallets that were supposed to contain $137 million were, in fact, empty. QuadrigaCX had also created dozens of fake accounts for unknown reasons.
News outlets also reported that Cotten was an ex-convict who was who previously jailed under a different name.
Why this matters
Engadget probably said it best when it proclaimed the scandal “the messiest Bitcoin saga yet.” The operative word is yet. Cryptocurrencies and Blockchain in general have yet to gain mass acceptance partly because institutional investors don’t yet trust the technologies and surrounding regulations environment. In order for Bitcoin to gain traction, it needs respected, institutional money, not just retail. QuadrigaCX’s failures does nothing to alleviate concerns over security and transparency.
“QuadrigaCX will mainly enter the Hall of Fame of most dramatic ‘SFYL’ (Sorry For Your Loss) moments in Bitcoin history,” said Leohnard Weese, president of the Hong Kong Bitcoin Foundation. “Future technology providers will include this example in their marketing material and exchanges will advertise that they are protected against this, until the next big platform fails for the next big stupid reason.”
The real question is how regulators will respond. Following the Mt. Gox bankruptcy in 2014, Japanese regulators tightened oversight over the industry.
Prior to the Cotten’s death, it appears that the British Columbia Securities Commission weren’t even aware that QuadrigaCX operated as a crypto exchange that traded financial assets.
Given the fallout from the scandal, the government will likely pay attention now. Perhaps QuadrigaCX’s quagmire will force Canadian regulators, like in Japan, to finally craft rules for proper oversight of the industry and therefore create confidence in digital assets.
Could QuadrigaCX have prevented this mess? At first glance, it seems the scandal owes more to bad management than faulty technology.
The processes used by the exchange provide a glimpse into just how badly operated crypto exchanges are. For example, QuadrigaCX had also transferred nearly 103 Bitcoins worth $468,675 into a cold wallet that the company is “currently unable to access,” according to the Ernst & Young report. “The Monitor is working with Management to retrieve this cryptocurrency…if possible.”
Companies that hold digital assets have been trying to figure out how to best protect assets while ensuring easy access to funds for authorized parties.
Swissquote recently launched a partnership with Cryptostorage AG to place the private keys to its customers’ digital assets in computer servers located in a former military bunker in the Swiss Alps capable of withstanding a nuclear blast.
Storing cryptocurrency private keys in digital vaults, which can only be accessed by those who have the privilege to do so, might make the most sense since anything on the Internet is susceptible to hacking. That is likely why QuadrigaCX chose cold (offline) wallets. The company had previously claimed that it used multi-sig (signature) technology, in which a wallet requires more than one person to open it. But that apparently didn’t happen.
Unless QuadrigaCX finds the missing cash, it appears customers have little legal recourse to recover all of their assets.
Unfortunately, given how nascent the crypto space is, most consumers are at the mercy of current providers who are operating in the ‘gray’ areas of law. Regulators have not yet provided clear guidance on how each of these platforms should be operating and the types of standards they should be benchmarking themselves too – unlike the traditional securities world.
Each exchange or OTC provider has its own rules. But let’s take a specific look at the world’s largest crypto exchange, which trades over $1.1 billion a day: Binance.
In case of something like a cyber theft, Binance’s updated terms and conditions says that the company is only liable for the fees consumers paid it in the 12 months leading up to the event.
“In no event will the liability of Binance…shall exceed the amount of fees paid by you to Binance under this agreement in the twelve-month period immediately preceding the event giving rise to the claim of liability,” the company said.
In other words, Binance is not responsible for the lost crypto assets, only the fees it collected for its services. In fact, Binance’s previous terms and conditions were even less generous: the company claimed zero liability for “damages for loss of data, information, revenue, profits, or other business or financial benefit arising out of or in connection with the performance or non-performance of the services.”
“…it highlights why people should take control of their coins with hardware wallets and not trust custodial exchanges to keep their coins safe,”
— Patrick McCorry, Assistant Professor at King’s College London in “The QuadrigaCX crypto mystery deepens as wallets turn up empty” on March 4, 2019