Since the Canadian crypto exchange QuadrigaCX filed for bankruptcy protection last month after claiming that its founder and CEO, Gerald Cotten, took the private keys to the exchange’s cold-storage wallets to his grave when he died suddenly in Jaipur, India, in December, several new details have emerged that call the exchange’s story into question.
Crypto experts have claimed that the exchange’s refusal to share the public keys to its wallets was suspicious, and other analysts who believe they have pinpointed the public addresses of the wallets in question say that there were some suspicious coin transfers in the weeks after Cotten’s death, which would seem to undercut the company’s story that he alone had the ability to move the coins (though, to be sure, it’s possible those transfers had been set up prior to Cotten’s death).
While both the company and Cotten’s widow say attempts to hack into Cotten’s encrypted laptop, from which he purportedly ran Quadriga’s operations, have met with “limited success”, Bloomberg reported another wrinkle in the story on Friday that would seem to cast doubt on the company’s claim that Cotten was the only employee who had access to the private keys.
In a 2014 interview recently unearthed by Bloomberg, Cotten can be heard explaining to the hosts of a podcast called “True Bromance” how to safely store private keys in a way that would prevent them from being lost to the ether, but also make it extremely difficult for hackers to obtain them.
Though he may have changed his strategy for protecting the exchange’s coins as the assets held on Quadriga ballooned in recent years, Cotten explained that the best thing to do would be to store them in what he called a “paper wallet” – not the cold storage technique that Quadriga has described in its court filings. That is, take the private keys, print them out, and store them in a safety deposit box or vault. That way, the only way for thieves to access the coins would be to break into the physical safe.
While Cotten, who last resided in Halifax, may have changed his procedures over the years, back in 2014 he was a big fan of protecting cryptocurrencies with a very low-tech solution: paper.
“The paper wallet is a great way to store your Bitcoins. Basically, all you need to send Bitcoins is your private key, which is a string of, a ton of numbers and letters,” he said. “The best way to do it is take your private key, print it off, store it offline in your safety deposit box, vault, whatever, and then take the public key, which is your address, and use that to send money to it. So that way you can never have your Bitcoin stolen, unless someone, like, breaks into the bank, steals your safety deposit box and gets into your private key and so forth.”
He told his hosts that this was the method he used to store Quadriga’s coins.
“At Quadriga CX, we’re obviously holding a bunch of Bitcoins that belong to other people who have put them onto our exchange,” Cotten said. “So what we do is we actually store them offline in paper wallets, in our bank’s vault in a safety deposit box because that’s the best way to keep the coins secure.
“Essentially we put a bunch of paper wallets into the safety deposit box, remember the addresses of them,” he said. “So we just send money to them, we don’t need to go back to the bank every time we want to put money into it. We just send money from our Bitcoin app directly to those paper wallets, and keep it safe that way.”
Cotten added that, though it would be “annoying” to retrieve the coins using this method, at least they would be relatively safe.
“It’ll be a little annoying because we’ll have to clean up whatever mess the hackers make, however they won’t actually be able to steal any of the funds,” Cotten said, adding that while they could “see the address of where the coins went,” hackers couldn’t actually access it.
So, did Cotten decide to change his security strategy at some point between then and now? Or is there something Cotten’s widow and the company are deliberately hiding from public view? Given that Cotten filed a will just 10 days before his death, one would think that he would at least have left instructions regarding how his customers’ coins could be retrieved.