What one man’s death taught us about cryptosecurity
The maelstrom generated by QuadrigaCX owner Gerald Cotten’s sudden death in December, which locked away around £110 million of investors’ money and in turn led to the collapse of Canada’s largest cryptocurrency exchange, has precipitated a torrent of questions about safe storage and security for the industry.
Mr Cotten, who died aged 30 from complications with Crohn’s disease while in India, effectively ran QuadrigaCX alone, on his personal computer. There was no business continuity in place, seemingly, to ensure the operation of the exchange should anything happen to the chief executive.
Cryptosecurity is not about how strong the door is, it’s about who has the key and how often you open the door
“The laptop computer from which Gerry carried out business is encrypted and I do not know the password or recovery key,” swore Jennifer Roberston, Mr Cotten’s widow, in an affidavit in February. “Despite repeated and diligent searches, I have not been able to find them written down anywhere.”
QuadrigaCX situation revealed naivety around cryptosecurity
Failure to locate the necessary codes means QuadrigaCX’s users have no way to access their funds. Last month, by order of the Nova Scotia Supreme Court, the exchange transferred its remaining holdings to EY, though many investors are fearing the worst. “We don’t know whether or not we’re going to get our money back,” says Tong Zou, who has his £325,000 life savings locked in the exchange.
Such is the risk with investing in a largely unregulated asset class and in an industry that has plenty of maturing to do, says Gavin Smith, chief executive at crypto exchange Panxora. “The QuadrigaCX situation shows that many in the crypto industry are still naive when it comes to setting up their security systems,” he says, advising investors to conduct due diligence.
Iqbal V. Gandham, UK managing director of global multi-asset investment platform eToro, agrees. “The QuadrigaCX story is not about crypto, it is about poor business practices. Any business of a reasonable size should have a risk management framework in place, which covers scenarios such as key employees leaving the firm.”
New security options have been introduced- but are they enough?
This is not the first time significant cryptoasset holdings have gone astray. In early-2014, the Mt. Gox exchange was handling more than 70 per cent of all global bitcoin transactions. In February that year it suspended trading and terminated its exchange service after announcing approximately 850,000 bitcoins, worth £343 million at the time, belonging to both customers and the organisation, were missing, likely stolen.
In the handful of years since then, crypto has developed more robust defences in a bid to keep cybercriminals at bay. Online (hot) and offline (cold) digital wallets offer investors another layer of security and peace of mind that their cryptos are protected. At the end of last month, it was a big moment when Samsung revealed its revolutionary native crypto wallet on the Galaxy S10 smartphone. But none of these are perfect solutions. If passwords are not known or hard drives lost then the cryptoassets will be irretrievable, as evidenced by QuadrigaCX’s fall following Mr Cotten’s death.
“While cold wallets are certainly the best option for protecting customer assets, the fund withdrawal process also needs to be taken into account,” says Mr Smith. “Crypto exchanges would do well to take this opportunity to learn from traditional banking. They are just as capable of setting up a process where withdrawing funds requires multiple parties to sign a transaction and passwords are stored in secure offline locations. This means spreading risk throughout an organisation, preventing the actions, or the loss, of one person from compromising an entire business.”
The rise of cryptocurrency asset planning
There is a growing list of examples of crypto shockers. Banking heir Matthew Mellon, for instance, died last April and left an estimated £382 million in XRP stored on Ledger Nano drives in multiple unknown locations. In 2013, Welshman James Howells accidentally threw away a hard drive containing 7,500 mined bitcoins, which would have been worth around £114 million at the cryptocurrency’s peak in December 2017.
Chainalysis, an anti-money laundering software organisation, estimated last summer that more than £15 billion of bitcoin is currently lost. Little wonder a rash of cryptocurrency recovery organisations have emerged; there is even a US hypnotist in South Carolina, called Jason Miller, who charges half a bitcoin to recall forgotten keys, whether successful or not.
More certain is that simply leaving cryptocurrency in a will is insufficient. For matters of personal wealth, legal professionals have developed cryptocurrency asset planning. They include an inventory of coins, determining what is transferable to whom, structuring cryptocurrency estates and periodically revising plans.
Collapse of QuadrigaCX will prompt cryptosecurity to evolve
It will be no consolation to the individuals stung, but QuadrigaCX’s collapse will serve to strengthen and evolve cryptosecurity. While this latest incident is likely to further delay mass adoption, cryptoassets remain the future of money, many in the industry argue resolutely.
“Crypto gives individuals more flexibility and security in how they store their assets,” says Mr Gandham. “You have the choice to store your crypto with a third party or, if you feel comfortable to do so, store it yourself. Compare this with cash; you’d struggle to safely store a million pounds in cash yourself.”
Phil Mochan, founder and chief commercial officer of custody and settlement services platform Koine Finance, concludes: “This is part of the process is flushing out the bad actors. There are over 380 trading venues and more opening all the time. There will be a significant contraction in coming years.
“The risk-taking pioneers, having staked out the new territory, need to give way to the engineers who will build solid foundations for growth. Corporate investment will continue to flow into the sector, unaffected by these events. Ultimately, cryptosecurity is not about how strong the door is, it’s about who has the key and how often you open the door.”