Reported by: banking|Updated: February 19, 2019
When Gerald Cotten, 30, the CEO of Canadian crypto exchange QuadrigaCX, died rather suddenly and almost mysteriously in a hospital in Jaipur, he took to his grave the password with which he operated the exchange. With it vanished nearly $190 million in cryptocurrency, spanning Bitcoin, Litecoin, Ethereum and other digital currencies, which his investors trusted would be safe in his vault. A major portion of this fortune was owned by some 100,000 users across Canada, most of them, surprisingly, not cryptocurrency millionaires but common people eager to secure a better return on the money they invested.
The best of security experts have failed to retrieve Cotten’s password, which was the only password to the ‘cold storage’ holding the cryptocurrencies. QuadrigaCX has now filed for creditor protection. There are whispers of misappropriation and of the company facing cashflow problems. The fact that Cotten, who was suffering from Crohn’s disease, had made a will just before his death leaving everything to his wife is also a talking point. The gross value of his personal property was about $9.6 million.
Cotten is said to have been running his company from his encrypted laptop, to which only he had access. He used to move the majority of the coins to the ‘cold storage’ to protect them against virtual theft or hacking. He had not shared the password with anyone or kept any recovery key.
With the matter having reached a Canadian court of law, it is now possible that the government will step in. It may find a way to compensate the investors. In the near future, security experts may also develop a method to retrieve lost passwords. There will also be calls to bring cryptocurrencies under regulatory control.
QuadrigaCX’s case is an extraordinary instance in which encryption, which is supposed to be a safeguard, is acting against the interests of the users. It also points to some of the fallacies in the realm of technology: one is that a strong password is a must to eliminate hacking, to prevent fraud and to ensure security. This is also in line with our cover story, which explores risk management in the digital ecosystem.
This failure is sure to give risk managers new fodder to think about. Do some of the lessons of risk management need to be unlearnt? Is 100% trust in technology a risk? What new invisible risks are we racing towards as we ride the digital wave?