The case of the disappearing bitcoin

    2 March 2019

    Imagine that you lost the keys to your house and neither locksmith nor fire brigade with battering ram could pick the lock or break down the door. That is how 100,000 angry investors who used the QuadrigaCX exchange to purchase cryptocurrency must now feel. The apparent sudden death in December of Canadian Gerald Cotten, the exchange’s 30-year-old founder, has left them in a £200 million-shaped hole.

    Cotten, who had Crohn’s disease, is said to have died while on honeymoon in India after his bowel became perforated during what is reported to have looked at first like a bad case of Delhi belly. With him, we are led to believe, went the only crypto key to the place in which QuadrigaCX investor money is stored — repositories known as offline ‘wallets’.

    Either fortuitously or suspiciously, depending on your perspective, Cotten made a will 12 days before dying, leaving his £6 million estate to his wife and a £60,000 trust fund for his two chihuahuas. A death certificate has been issued by the government of Rajasthan and a spokesman for the Jaipur hospital to which Cotton was brought has stated publicly that he died there, but naturally not everyone believes he is dead, especially now that research by crypto sleuths has raised the question: was QuadrigaCX nothing more than a Ponzi scheme?

    A detailed report on the Zerononcense blog alleges that QuadrigaCX had no offline wallet reserves at all. ‘It appears that QuadrigaCX was using deposits from their customers to pay other customers once they requested a withdrawal. It does not appear that QuadrigaCX has lost access to their bitcoin holdings,’ the report states. It adds the quantity of bitcoin held by QuadrigaCX was ‘substantially less’ than was reported in a sworn affidavit submitted to a Canadian court last month by Cotten’s wife.

    What chance do QuadrigaCX investors have of getting their cash back? Sam Reed, chief technology officer of the world’s largest bitcoin exchange, BitMEX, is not optimistic. ‘Well, if he’s actually dead and nobody can get into his laptop that contains the keys, then basically zero,’ he says. He adds it strikes him as very odd Cotten made no contingency plans. ‘It would mean he never made a back-up, paper or otherwise, that he made accessible to anyone at any time. That could be the case. It’s not great security and it’s not very responsible, but I suppose it’s possible.

    ‘As an exchange operator myself, I find it hard to believe that anybody would not take those steps. At BitMEX, we think all the time about the safety of the money we hold. And we have multiple contingency plans such that if we die or the data centre explodes… it can happen without everyone losing their money. I find it hard to believe that that sort of due diligence wouldn’t have been done in Cotten’s case. But it’s crypto, so anything can happen.’

    Reed suggests QuadrigaCX investors’ best hope now lies in authorities somehow cracking the code for Cotten’s laptop and then discovering the lost crypto key, because, he says, guessing the combination for the key itself would be impossible: ‘There’s more possibilities for that key than there are atoms in the universe.’

    While the QuadrigaCX case is undoubtedly fascinating, in this age of electronic banking and investment where money exists only in binary code, is it not possible a similar event could at any time befall anyone who uses a traditional bank? According to Ross Anderson, professor of security engineering at Cambridge university’s computer laboratory, the answer is yes. He says in recent years a number of major international banks have had ‘scary near misses’ after getting their digital accounting systems into a mess.

    He says: ‘Over the past 30 years, banking systems have become more and more complicated. It’s been made particularly complicated by the arrival of real time settlement systems. So you no longer automatically checkpoint things overnight, and if you get things in a fankle whereby the bank is out of balance because there are bugs creating errors which in turn cause more errors and still more errors, then the whole thing can cascade and you can end up screwed. On the occasions where we have come close to losing a bank, that is what has happened.’

    He says banks on the whole today use legacy digital computing systems that have been modified and patched up since the 1990s, meaning they are far from perfect.

    ‘We had a near miss at NatWest, there was a big screw-up with TSB and there have been other cases where banks have sought to replace systems and the project has dragged on for several years more than was planned and cost several hundred million more than was planned.’

    In the cases of NatWest (2012) and TSB (2018), hundreds of thousands of customers were locked out of their accounts or shown other people’s account details in error. In the end, no customers lost money but the TSB failure alone, which cost CEO Paul Pester his job, took longer than six weeks to fully resolve.

    Professor Anderson is unequivocal that in the case of a really big bank failure caused by a computing system error, proving the existence of funds held in your account would be nigh-on impossible.

    He says: ‘If you turned up with a bundle of paper bank statements, your bank would say, “Fuck off sonny, we only believe the computers.” And the computers will be down for the next eight months, while the forensic accountants go through them.’

    That said, Anderson, who until recently refused to use online banking at all, says he still prefers traditional banking systems to the brave new world of crypto.

    He says: ‘Overall, financial IT has been pretty dependable over the past 50 years without any major catastrophes, despite the occasional extended outages.

    ‘Cryptocurrencies are scams and anybody who puts any money into them and loses the lot only has themselves to blame.’