In January, the Canadian cryptocurrency exchange Quadriga announced that its CEO and founder Gerald Cotten had passed away a month earlier from complications of Crohn’s disease while on honeymoon in India. Quadriga was, at one point, Canada’s largest cryptocurrency exchange and processed billions of dollars in trades. Cotten’s death, however, revealed a critical flaw in the cryptocurrency giant’s infrastructure: He was the only person who had access to the $180 million of cryptocurrency that its users held in their accounts. Some of Quadriga’s traders are now alleging that Cotten might have faked his death in order to abscond with their funds. Lawyers representing these traders sent a letter to Canadian law enforcement on Friday asking to exhume the body in Cotten’s grave to perform an autopsy.
This, obviously, raises lots of questions about how a crypto CEO might have gone about faking his own death—as well as one that’s more technical: How is it possible that a single person had sole access to the funds of one of Canada’s biggest cryptocurrency exchanges?
Cotten was able to maintain this level of control over his customers’ assets in part because Quadriga had kept most of it in “cold wallets,” or hardware that allows exchanges to store cryptocurrency offline. Exchanges typically use cold wallets as bank vaults because they’re less vulnerable to hackers than hot wallets, which are connected to the internet.
“Best practices involve putting the bulk of the funds in cold storage and keeping on hand only a small amount of coins for the day-to-day operations [of an exchange],” says Emin Gün Sirer, a computer science professor at Cornell University who co-directs the Initiative for Cryptocurrencies and Contracts.
In order to retrieve the funds in cold storage, you have to unlock the wallets with cryptographic keys, which are essentially strings of code. Cotten kept Quadriga’s keys only on his personal MacBook Pro. Vanity Fair reported that Cotten once caused a “momentary hysteria” by leaving his laptop on his yacht, which had already departed the dock. Cotten’s widow now says that no one can log in to the encrypted laptop, because he was the only one who knew the password. “It’s shocking, completely unbelievable that someone would have a multibillion-dollar operation run out of one laptop,” says Preston Byrne, a lawyer at the cryptocurrency-focused firm Byrne & Storm P.C. “They were really playing with fire there.”
Besides an untimely death, there are a number of scenarios in which using a personal laptop for key storage could be disastrous. Assuming that Cotten had connected his MacBook to the internet and used it for everyday tasks, a hacker may have been able to infiltrate or incapacitate the device. If he’d left it out in the open, someone could have stolen information manually. And based on prior reporting, it seems like he took laptop with him at least on occasion when he traveled, increasing the chance that it could’ve been lost or stolen.
According to Sirer, the most reliable way to secure an exchange’s cache of cryptocurrency is to split access between multiple individuals. Companies will oftentimes distribute what are known as key shares to three senior people. Any two of those key shares can be combined to unlock the funds. Sirer says, “It’s a good idea because the loss of any one share doesn’t affect the operation, and it takes two people to steal funds.” And rather than using a personal laptop, you’d typically want to store the cryptographic information on a hardware security module, which is a device specifically designed for managing digital keys, and lock it away in a vault.
The only apparent reasons why someone would keep all the key information on a single MacBook Pro would be either due to extreme sloppiness or to engineer an exit scam in which a CEO disappears with customers’ cryptocurrency. Most CEOs don’t have sole access to key information nowadays, though you would have been more likely to see this sort of risky key storage with small- or medium-sized exchanges in the early days of cryptocurrency at the beginning of the decade. “Back then, pretty much every exchange operation, with maybe the exception of Coinbase, was pretty amateurish,” says Byrne. “Now, the bigger exchanges tend to be better funded and more sophisticated, and I don’t think you really see a whole lot of them doing this. But who knows? We just don’t know.” When choosing a cryptocurrency exchange, it can be difficult to discern just how secure it is. However, you can check to see whether the company has been audited by an independent firm, which would likely involve reviewing how it stored its cryptographic keys—as well as any other, um, interesting risks.