QuadrigaCX, one of the largest Canadian cryptocurrency exchanges, recently left users in the lurch when it took its website offline and filed for creditor protection in Nova Scotia. The firm’s court filings state that it owes customers approximately $190 million (USD), but the exchange also claims to have considerable assets, approximately $147 million (USD) in cryptocurrency, as well as millions of dollars in fiat currency. There is just one problem: Quadriga cannot retrieve its cryptocurrency holdings because it cannot access the cold wallets where it stored the majority of its cryptocurrency. In addition to a headline grabbing story, Quadriga’s failure provides a lesson on why firms in the cryptocurrency and digital asset industry need to develop compliance protocols for handling digital assets.
According to Canadian court filings, the Quadriga exchange was launched in December 2013. Users could trade a variety of cryptocurrencies, e.g., Bitcoin, Bitcoin Cash, and Ether. Trades on the exchange were recorded in a database and backed up on cloud servers. Cryptocurrencies credited to a user on the exchange were held by Quadriga in either a hot wallet, i.e., one connected to the internet, or cold wallet, i.e., a separate physical device not connected to the internet. In an effort to enhance security, Quadriga kept only a minimal amount of user currencies in hot wallets and the bulk of user assets were held in encrypted cold wallets. Despite controlling hundreds of millions of dollars belonging to hundreds of thousands of users, only the firm’s founder, Gerald Cotten, had control of the cold wallets. Cotten manually controlled the transfers and no personnel or machine backed up Cotten’s role as keeper of the cold wallets.
According to court filings, Cotten died unexpectedly in India on December 8, 2018 at the age of 30. Cotten’s wife, Jennifer Robertson, filed an affidavit stating that when he died, Cotten was the only person who knew the passwords for Quadriga’s cold wallets. Efforts by the company to access the cold wallets after Cotten’s death have been unsuccessful and the laptop Cotten used to run the business is also encrypted and inaccessible. In other words, Cotten died as the only person with access to $147 million in digital assets belonging to the exchange’s customers. As if getting locked out of over 100 million dollars in digital assets was not bad enough, the company’s court filings also indicate that payment processors have refused to release millions of dollars in fiat currency and there appear to be no set of proper books and records for the company.
The story of Cotten’s death and Quadriga’s inability to refund its customers has, unsurprisingly, raised a number of conspiracy theories about whether Cotten is really dead and whether the hundreds of millions of dollars are really inaccessible. Indeed, it is not a stretch to suggest that Cotten (or an accomplice) simply ran off with the assets and his wife concocted the password story to cover his tracks. Some internet posters have even identified what they claim to be activity by Quadriga’s supposedly locked cold wallets.
Set aside for a moment the conspiratorial angle and some real lessons emerge for any firm that holds or works with digital assets. Most notably, the Quadriga saga proves why firms in the digital asset industry need to develop a set of compliance protocols. The digital asset and cryptocurrency industry has often shunned compliance and legal protocols as unnecessary layers of bureaucratic nonsense. But if Quadriga had adopted even rudimentary compliance protocols for the handling and transfer of its digital assets, the whole fiasco after Cotten’s death and the missing millions would likely have been avoided. Regardless of whether Cotten is a criminal mastermind or merely the only guy with the password, a few simple SOPs for the handling of its customer assets would likely have prevented Quadriga’s customers from being stiffed on $190 million.