Trying to crack a private key with a brute force attack is a bit like trying to count to infinity: the sooner you begin, the faster you’ll never get there.
- Kai Sedgwick
Imagine a locker in your city square with no lock, no keyhole, no security; just a handle that anyone can pull. Would you keep your savings in it if anyone could find it, open it and walk off with the contents? It would not be secure at all. Now replace that locker with ten identical ones. In less than a minute, anyone could riffle through all ten and take your savings. Still not secure. Now increase the number of lockers to one billion. A billion with a ‘b’. Counting to a billion at one number per second, without a break, takes about 32 years. Who in their right mind would spend 32 years going through lockers? Your savings would be safe because they are hiding in a number that is very large by human standards. Unfortunately, bitcoin operates in the realm of specialised computing. The lockers are now addresses on a public ledger, each opened by a private key, and the human burglars are now programs that can try keys without rest.
Because computers perform these tasks many orders of magnitude faster than humans, a billion slots would be a breeze; a single machine could cycle through them in seconds. So what number is large enough to overwhelm the most powerful computers in the world? How big does a number have to be before we can say, without hand-waving, that guessing it would take forever? How about a septillion, 10^24, roughly the estimated number of stars in the observable universe? At realistic key-derivation rates, today’s supercomputers would need thousands of years to work through a space that size. That should have been enough, but Satoshi Nakamoto went beyond the stars. He chose a 256-bit elliptic curve (secp256k1) for bitcoin, so a private key is a 256-bit number and there are about 2^256, or roughly 1.16 × 10^77, possible keys. That is comparable to estimates of the number of atoms in the observable universe, which run from about 10^78 to 10^82. If someone tries to guess your private key, they probably won’t even land in the right solar system, let alone pick the right atom.
“When designing Bitcoin, even aliens need to be accounted for”
-SATOSHI NAKAMOTO
Your private keys are really just very large numbers, 256 bits long, drawn from a space of roughly 10^77 possibilities. Every time you generate a new address or private key, you create a number that the world has almost certainly never seen before. If you copied that number into Google, you would get the shortest search result ever. Unless you show it to someone or leave it where a thief can reach it, that number will have spent a few seconds on earth never to be seen again. Sufficiently large key spaces defeat brute force outright, no matter how fast the computers or how patient the hackers. Provided the key is generated with a proper random number generator and never leaves your custody, it is more secure than any bank vault in the world. If you can generate such a secret yourself, why hand it to an exchange, a bank or, worse, another individual to guard for you? Why share it with anyone?
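To make the key-space argument concrete, here is an added Python example (not part of the original article, and not the bitcoin client’s code) that generates a bitcoin private key the way a wallet should, using the operating system’s CSPRNG and a range check against the secp256k1 group order, derives the matching public key with textbook double-and-add on the real curve constants, and estimates how long an exhaustive guess would take at a given rate. The curve parameters are the genuine secp256k1 constants; the guess rate passed to the estimator is an assumption you supply.

```python
import secrets

# secp256k1 domain parameters: the real constants bitcoin uses.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_valid_private_key(k: int) -> bool:
    # A private key is a scalar in [1, N-1]; zero and anything >= N are rejected.
    return 1 <= k < N


def generate_private_key() -> int:
    # Draw from the OS CSPRNG (never random.random()) and retry the rare out-of-range value.
    while True:
        k = secrets.randbits(256)
        if is_valid_private_key(k):
            return k


def point_add(a, b):
    # Affine addition on y^2 = x^3 + 7 (mod P). None represents the point at infinity.
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    y = (lam * (a[0] - x) - a[1]) % P
    return (x, y)


def scalar_mult(k: int, point=G):
    # Double-and-add. This direction costs ~256 doublings; reversing it is the hard problem.
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_key(k: int, compressed: bool = True) -> bytes:
    # SEC1 encoding: 0x02/0x03 + x for compressed keys, 0x04 + x + y otherwise.
    x, y = scalar_mult(k)
    if compressed:
        return bytes([0x02 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def expected_brute_force_years(guesses_per_second: float) -> float:
    # On average an attacker hits the right key after trying half the space.
    seconds_per_year = 365.25 * 24 * 3600
    return (N / 2) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    k = generate_private_key()
    print("private key:", hex(k))
    print("public key: ", public_key(k).hex())
    # Assumed rate: 10^18 guesses per second, far beyond any real machine.
    print("expected years to brute force:", f"{expected_brute_force_years(1e18):.3e}")
```

The range check matters in practice: a key of 0 or one at or above N is not a valid scalar, and some early wallets that skipped this step produced keys that could not sign. The estimator is the whole locker argument in one line: even granting an attacker a billion billion guesses per second, the expected time exceeds 10^50 years.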
MT GOX
A JAPANESE EXCHANGE
In late 2006, a software developer named Jed McCaleb built a website for Magic: The Gathering Online, a fantasy card game with a quasi-cult following. His site let players trade in-game cards like stock. In January 2007 he registered the domain name www.mtgox.com, short for Magic: The Gathering Online eXchange, but after three months he got bored and shut it down. He kept the domain name.
By mid-July 2010, Jed had learned about bitcoin from the now-famous Slashdot article. He recognised an opportunity and wanted to learn more, so he got his hands dirty and repurposed the old card-trading site into a bitcoin exchange.
Mt. Gox wasn’t the earliest or the best bitcoin exchange, but its customer base grew to around 3,000 in record time. Jed was quickly overwhelmed with bank wires in the tens of thousands of dollars. The security and attention required to run the exchange had crossed the hobby threshold. It was stressful. Jed got bored again. He needed an exit strategy; he needed to hand over his side project.
Fortuitously, fate brought along a French developer named Mark Karpeles: right place, right time. The two met through an IRC channel where Jed was looking for someone to integrate with European banks so the exchange could accept euro deposits. Karpeles was eager to please. He finished the job and the two kept in touch. At that time, Karpeles was the most qualified person on Jed’s radar. They discussed a sale until they agreed to transfer ownership of Mt. Gox to Karpeles in return for a share of future revenue. Jed would keep 12% of the exchange and retain full administrative access so he could audit it and keep Karpeles honest.
Mt. Gox rose to prominence within three months of Karpeles taking control; its customer base grew twentyfold. If you wanted to buy bitcoin, it was the one-stop shop. You could visit the website and buy bitcoin with US dollars, British pounds, Russian rubles or Japanese yen. Speculators flocked in for the chance to buy and sell. Early miners deposited their hard-won bitcoin into Mt. Gox’s custody. Under Karpeles’ leadership, Mt. Gox grew beyond anyone’s wildest dreams. Under the same leadership, it would also suffer the biggest fall from grace in bitcoin history.
THE FIRST HACK - 22 MAY 2011
As an early Mt. Gox customer, Karpeles had a rough sense of what users wanted, but he had never run a financial service. His background was in web hosting (and baking). Like everyone else, he was new to bitcoin.
A few months into his tenure, he still hadn’t figured out how to store all the incoming bitcoin. He kept some in the exchange’s hot wallet on the company servers, some in a “secure” offline location, and the bulk on his personal computer. During that time, a hacker broke into that computer and took 300,000 BTC. Just like that, 300,000 customer BTC were gone. Luckily for him, the hacker grew a conscience and returned the coins minus a 1% finder’s fee: 297,000 BTC came back. Karpeles dodged a bullet.
THE SECOND HACK - 19 JUNE 2011
The following month, hackers stole a small database containing account names and passwords. Jed McCaleb’s username and password were among the data stolen. Recall that he still had administrative access to the exchange: he could oversee exchange operations, and now so could the hackers. With those admin privileges, the hackers went to work. They placed fake sell orders on the internal order book that crashed the price from $17 all the way down to a cent. They then bought the cheap bitcoin with their own accounts and withdrew it. Fast, attentive customers bought cheap coins too during the brief chaos. It was over in minutes. One trader wrote:
I’m Kevin and I’m the guy who bought 259,684 BTC for under $3,000 yesterday… Here’s my side of what happened: I was watching, like many of you, a gigantic sell order burning through the bids. … The price started at around $17.50, and within minutes was below $10. At this point, I realized … This was someone attempting to crash the market by selling a huge percentage of the market’s total bitcoins at once.
I had around $3000 USD in my Mt Gox account, from earlier sales I’d made. I looked at the market stats, and realized that there were tons of orders to buy BTC at $0.01 … I figured if I put a buy order in for $0.0101, my order would execute first and I could buy a huge amount of bitcoins… The only problem was that Mt Gox was running slower than molasses at the time… I had to try several times, but eventually I got a buy order in, offering to buy as many bitcoins as I could for $0.0101.
The site stopped responding completely for a while, probably from so many people hitting refresh to see what was going on. When I got back in, I saw in my account:
06/19/11 17:51 Bought BTC 259684.77 for 0.0101
I had just purchased over 250,000 bitcoins for $2613. At the trading price immediately before this large sell order happened, that number would have been worth nearly $5 million. After I regained my breath, I tried to figure out what to do.
Karpeles and the rest of the admins panicked and did the only thing they could: they halted all withdrawals and shut down the platform servers. Unfortunately, the hackers and a handful of traders had already withdrawn some bitcoin, and most of the coins being withdrawn belonged to other users of the exchange. Luckily for everyone, Karpeles had set a daily withdrawal limit of $1,000 per account, so the hacker was only able to get away with about 2,000 BTC. Without that limit, the incident would have meant instant death for the fledgling exchange. They got lucky again. They eventually figured out how the hacker got in and crashed the market, then rolled the system back to undo all trades made during the crash. Mt. Gox came back online with the price restored to $17 per coin. They paid in full every customer who lost money in the incident, but little did they know that this was just the beginning. The first in a series of dominoes to fall.
THIRD HACK - SEPT 2011
You can only dodge so many bullets on luck alone. In September there was another breach, and this time the attackers gained write access to the account balances. They could create new accounts and credit them with bitcoin out of thin air. They appeared to have learned from the previous incident: rather than one spectacular withdrawal, they drained small amounts over a long period to avoid detection, and they deleted the accounts they had created so that any audit of the user table would come up empty. Nothing reconciled the internal ledger against the coins the exchange actually held, so the phantom credits went unnoticed, and Karpeles did not detect the breach until the bitcoin had already left Mt. Gox. Forensic estimates put the loss at about 80,000 BTC, in an intrusion that may have spanned years.
FOURTH HACK - SEPT 2011
At this point, Mt. Gox was target practice for anyone who wanted a steady income. In the same month it lost those 80,000 BTC, other attackers broke into the company servers and copied the main hot wallet file (the bitcoin client’s wallet.dat), which contained the private keys, public keys and transaction history. With those keys the attackers could have emptied the exchange’s wallet at once, but they didn’t. Because the exchange kept using the same wallet, every incoming customer deposit landed on keys the attackers also held, and they quietly siphoned it off for about two years, well into 2013. A copied key file is a compromise that never expires; the only remedy is to sweep every coin to freshly generated keys, and nothing suggests Mt. Gox ever did. The exchange carried on business as usual. By the time Karpeles or anybody else detected what was going on, some 650,000 BTC had been withdrawn. It was the single biggest blow the exchange would endure.
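The common thread in the September 2011 breaches is that nobody compared the exchange’s internal ledger with the coins it actually controlled on-chain. The following Python is an added example, not Mt. Gox code, of the reconciliation a custodian should run continuously: it sums customer liabilities from the internal ledger, sums reserves from the wallet’s on-chain history, flags ledger deposits with no matching on-chain transaction (balances conjured from thin air) and on-chain spends with no matching withdrawal request (coins leaving via stolen keys). The record formats and the sample entries are constructed for illustration; the same check is what distinguishes a fully backed exchange from the fractional reserve described later on this page.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional


@dataclass(frozen=True)
class LedgerEntry:
    """One row of the exchange's internal books (constructed format, not Mt. Gox's schema)."""
    account: str
    kind: str               # "deposit" | "withdrawal" | "trade" | "adjustment"
    amount: Decimal         # BTC; positive credits the account, negative debits it
    txid: Optional[str]     # on-chain txid for deposits/withdrawals, None for internal moves


@dataclass(frozen=True)
class ChainTx:
    """A transaction touching the exchange's own wallets, as read from the blockchain."""
    txid: str
    amount: Decimal         # BTC; positive flows into exchange wallets, negative flows out


def total_liabilities(ledger: List[LedgerEntry]) -> Decimal:
    """What the exchange owes customers: the sum of every account balance."""
    return sum((e.amount for e in ledger), Decimal(0))


def total_reserves(chain: List[ChainTx]) -> Decimal:
    """What the exchange actually holds: the net of everything that touched its wallets."""
    return sum((t.amount for t in chain), Decimal(0))


def unbacked_deposits(ledger: List[LedgerEntry], chain: List[ChainTx]) -> List[LedgerEntry]:
    """Ledger deposits with no on-chain inflow of the same txid and amount.
    A database write of 'credit account X with 500 BTC' looks exactly like this."""
    inflows = {t.txid: t.amount for t in chain if t.amount > 0}
    return [e for e in ledger if e.kind == "deposit" and inflows.get(e.txid) != e.amount]


def unauthorized_spends(ledger: List[LedgerEntry], chain: List[ChainTx]) -> List[ChainTx]:
    """On-chain outflows with no matching customer withdrawal on the books.
    Spending from a copied wallet file looks exactly like this."""
    withdrawals = {e.txid: -e.amount for e in ledger if e.kind == "withdrawal"}
    return [t for t in chain if t.amount < 0 and withdrawals.get(t.txid) != -t.amount]


def reconcile(ledger: List[LedgerEntry], chain: List[ChainTx]) -> dict:
    """Solvency plus the two anomaly lists; shortfall > 0 means customers cannot all be paid."""
    liabilities = total_liabilities(ledger)
    reserves = total_reserves(chain)
    return {
        "liabilities": liabilities,
        "reserves": reserves,
        "shortfall": liabilities - reserves,
        "unbacked_deposits": [e.txid for e in unbacked_deposits(ledger, chain)],
        "unauthorized_spends": [t.txid for t in unauthorized_spends(ledger, chain)],
    }


# Constructed sample data: two honest customers, one phantom credit, one theft.
SAMPLE_LEDGER = [
    LedgerEntry("alice",   "deposit",    Decimal("10"),  "d1"),
    LedgerEntry("bob",     "deposit",    Decimal("5"),   "d2"),
    LedgerEntry("alice",   "trade",      Decimal("-1"),  None),    # alice sells 1 BTC to bob
    LedgerEntry("bob",     "trade",      Decimal("1"),   None),
    LedgerEntry("bob",     "withdrawal", Decimal("-2"),  "w1"),
    LedgerEntry("mallory", "deposit",    Decimal("500"), "fake1"),  # written straight into the database
]
SAMPLE_CHAIN = [
    ChainTx("d1", Decimal("10")),
    ChainTx("d2", Decimal("5")),
    ChainTx("w1", Decimal("-2")),
    ChainTx("x1", Decimal("-3")),   # signed with the hot wallet's keys; no customer asked for it
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_LEDGER, SAMPLE_CHAIN))
```

Run against the sample data, the ledger says the exchange owes 513 BTC while the chain says it holds 10, a 503 BTC hole attributable to one unbacked deposit and one unauthorized spend. Internal trades net to zero and never touch the chain, which is why only deposits and withdrawals are matched by txid. A real deployment would read the chain side from a node the exchange operates itself rather than from its own database, since an attacker with write access to the database can also edit whatever the database says about the chain.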
FREE GIVE AWAY - OCTOBER 2011
To the public, Mt. Gox was a technological marvel, but few knew that Karpeles still wrote most of the code holding it together. When software is broken into well-defined modules with clear interfaces, each piece can be read, tested and changed on its own; that is modular code. When one person grows a monolithic project into a giant bowl of interdependent code, the result is usually unstructured and hard to reason about: spaghetti code. Karpeles’ spaghetti code started to break, and it cost the exchange dearly. The transaction-processing code developed a bug that incorrectly credited user accounts. Nearly 50 customers received a combined total of about 45,000 BTC without having made any deposit. It was a pleasant surprise for the lucky traders. The exchange managed to claw back some of it, bringing the loss to about 30,000 BTC.
Instead of hiring professional help, Karpeles deployed a new wallet system himself to fix the bug and mitigate further intrusions. This latest mishap brought the total bitcoin lost to between 700,000 and 800,000 BTC. Mt. Gox was still the biggest and most popular exchange.
DESTROYED BITCOIN - 28 OCTOBER 2011
Shortly after giving away free bitcoin to lucky customers, Karpeles did something bitcoiners regard as close to unforgivable: he destroyed 2,609 BTC by sending them to an output whose script could never be satisfied. Bitcoin is programmable money with a scripting language that lets the sender set the conditions under which the coins can be spent. For example, you could send bitcoin to your child with the condition that it cannot be spent until a given date, such as their 18th birthday. The default condition is simply “whoever can produce a signature from the private key behind this address may spend it”, but much more is possible, and a script that nobody can ever satisfy locks the coins forever.
Karpeles was experimenting with the bitcoin client. He wanted to see how many inputs a single transaction could handle. That is a legitimate test, but he could have used a fraction of a coin; instead he risked, and lost, a week of the exchange’s profits.
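As an added illustration of the scripting language described above (example code, not from the original article or from the bitcoin client), the Python below assembles two standard output scripts byte for byte: an ordinary pay-to-public-key-hash script, and the “spendable only after a date” variant using OP_CHECKLOCKTIMEVERIFY (BIP65), which is how the 18th-birthday condition would be expressed on the real network. It also shows the one kind of output that is provably unspendable by construction, an OP_RETURN script, as opposed to a script that is unsatisfiable by accident. The 20-byte public-key hash and the timestamp are constructed placeholders; the opcode values are the real ones.

```python
OPCODES = {
    "OP_0": 0x00, "OP_RETURN": 0x6A, "OP_DROP": 0x75, "OP_DUP": 0x76,
    "OP_EQUALVERIFY": 0x88, "OP_HASH160": 0xA9, "OP_CHECKSIG": 0xAC,
    "OP_CHECKLOCKTIMEVERIFY": 0xB1,
}


def push_data(data: bytes) -> bytes:
    """Encode a data push with the shortest legal push opcode."""
    n = len(data)
    if n == 0:
        return bytes([OPCODES["OP_0"]])
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xFF:
        return b"\x4c" + bytes([n]) + data              # OP_PUSHDATA1
    if n <= 0xFFFF:
        return b"\x4d" + n.to_bytes(2, "little") + data  # OP_PUSHDATA2
    raise ValueError("push too large for this example")


def script_num(n: int) -> bytes:
    """Minimal little-endian sign-magnitude integer, the format CHECKLOCKTIMEVERIFY reads."""
    if n == 0:
        return b""
    negative, n = n < 0, abs(n)
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:                   # top bit taken: add a sign byte
        out.append(0x80 if negative else 0x00)
    elif negative:
        out[-1] |= 0x80
    return bytes(out)


def assemble(tokens) -> bytes:
    """bytes -> data push, int -> script-number push, str -> opcode."""
    out = bytearray()
    for t in tokens:
        if isinstance(t, bytes):
            out += push_data(t)
        elif isinstance(t, int):
            out += push_data(script_num(t))   # fine for locktimes; small ints would use OP_1..OP_16
        else:
            out += bytes([OPCODES[t]])
    return bytes(out)


def p2pkh(pubkey_hash: bytes) -> bytes:
    """The default condition: prove you hold the key behind this hash."""
    if len(pubkey_hash) != 20:
        raise ValueError("pubkey hash must be 20 bytes")
    return assemble(["OP_DUP", "OP_HASH160", pubkey_hash, "OP_EQUALVERIFY", "OP_CHECKSIG"])


def p2pkh_after(locktime: int, pubkey_hash: bytes) -> bytes:
    """Same condition, but the spending transaction's nLockTime must be >= locktime.
    Values >= 500000000 are unix timestamps; smaller values are block heights."""
    return assemble([locktime, "OP_CHECKLOCKTIMEVERIFY", "OP_DROP"]) + p2pkh(pubkey_hash)


def is_standard_p2pkh(script: bytes) -> bool:
    return len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac"


def is_provably_unspendable(script: bytes) -> bool:
    """Only a leading OP_RETURN is *provably* unspendable; a malformed script merely is in practice."""
    return len(script) > 0 and script[0] == OPCODES["OP_RETURN"]


if __name__ == "__main__":
    pkh = bytes(range(20))                          # constructed placeholder hash
    eighteenth_birthday = 1_800_000_000             # constructed unix timestamp
    print("p2pkh:", p2pkh(pkh).hex())
    print("cltv :", p2pkh_after(eighteenth_birthday, pkh).hex())
    print("burn :", assemble(["OP_RETURN", b"unspendable"]).hex())
```

The time-locked script simply prepends a check to the default one: the locktime is pushed, OP_CHECKLOCKTIMEVERIFY fails the script if the spending transaction is not yet eligible, OP_DROP removes the number, and the ordinary signature check follows. Nodes will not relay a transaction whose inputs fail these checks, which is why a correctly formed script protects the coins rather than stranding them.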
that’s a problem, but not the worst problem we ever faced…just spent one week of BTC-only income
Because bitcoin operates on a public ledger, there was no hiding the mistake. Experts weighed in and confirmed that the coins were lost forever. You can still see them sitting in bitcoin limbo. They were only worth about $8,000 back then, but be cruel to yourself and do the math at today’s price.
The outrage among early bitcoiners was palpable. They started to lose faith in Karpeles’ leadership.
And this is the guy whom 90% of Bitcoin users trust their money to...
WILLY & MARKUS - 2013-2014
For most of its existence, Mt. Gox operated as a fractional reserve with dwindling reserves. Karpeles wanted to keep this from the public, since it would have destroyed the exchange’s reputation. He reached out to Jed, the former owner, for advice. Among other things, they explored the possibility of trading against their own customers. To put this in context, imagine Binance or Coinbase counter-trading their clients. Scratch that. This was a desperate attempt to claw back as much bitcoin as possible and shift the debt around in their favour.
In November 2013, people started noticing strange patterns on the Mt. Gox order books. Roughly every 10 minutes, a purchase of between 10 and 20 BTC was made. The behaviour continued round the clock and soon became a pastime for traders bored from staring at charts all day: they would guess the next purchase amount. Throughout November, the mystery buyer spent about $112 million on more than 250,000 BTC, sending the market into a frenzy as it drew in new waves of speculators. The price shot from $200 to $1,300 in a roar heard around the world. Bitcoin had arrived.
In January the following year, the bull market collapsed, with a discharge felt by everyone who had enjoyed the ride up. Exchanges frequently went offline during rush periods, and Mt. Gox was no exception. But for 90 minutes on January 7, the Mt. Gox API went offline for everyone in the world except the same mystery buyer, who kept scooping up bitcoin every 10 minutes or so, albeit in smaller amounts. That called for more serious inspection.
When independent analysts studied the leaked trade logs, they discovered that the mystery buyer was an algorithmic trading bot owned by Mt. Gox that operated several accounts. Let’s call this bot Willy. Willy’s accounts had higher ID numbers than regular trader accounts and had no user_country or user_state attached to them.
Things got even more bizarre when analysts found another bot, also with an unusually high account ID. This one had a more erratic buying pattern, paid no trading fees and spent nothing to acquire bitcoin; it simply took the coins for free. Let’s call this one Markus.
Willy and Markus acquired a combined total of about 650,000 BTC by trading on inside knowledge and, in effect, taking from Mt. Gox customers. “The house always wins”, but not when the house is Mt. Gox: Willy still lost about 22,000 BTC, close to 10% of what it bought.
SHUT DOWN & ARREST - FEB 2014
The walls were closing in on Karpeles. He had lost far more customer funds than he let on, and customer dissatisfaction grew louder. It didn’t help that the exchange halted all withdrawals on February 7, 2014. The reserves had dried up; there wasn’t enough for everyone. Karpeles blamed the freeze on a flaw in bitcoin itself (transaction malleability), but nobody was buying that. As soon as withdrawals resumed, there was a thunderous exodus for what little liquidity was left. On February 17, withdrawals were suspended again. Anyone who still had bitcoin on the exchange sensed it was over.
On February 24, the website went offline without warning. That was the last anyone saw of the troubled exchange. Shortly after, Mt. Gox filed for bankruptcy. The most stubborn optimists finally gave in; their money, hopes and bitcoin disappeared along with the website. Meanwhile, Karpeles began receiving daily death threats. He was no longer the darling of the bitcoin community, and the Japanese media were unforgiving. All his indiscretions were made public. They had found their scapegoat.
On August 1, 2015, Karpeles couldn’t sleep. He was staring at business cards from the IRS, FBI and Homeland Security on his desk when the phone rang at five in the morning. The Japanese police were doing him the courtesy of calling before the morning papers made the rounds. He had known for a while this day would come. There would be paparazzi and media; this would be the last time he was seen on TV for a while. He couldn’t decide whether to wear a suit and hold his head high or surrender as he was. The arrest was quiet. Karpeles didn’t resist; they took him away in a blue t-shirt and a baseball cap. He was charged with embezzlement and reckless endangerment of customer funds.
REKT
Karpeles had good intentions. He stumbled upon a disruptive technology before anyone was prepared for its consequences, with no experience of running financial services. He happened to be in the right place too early for his own good. It cost him his peace of mind and set bitcoin back years. It was a painful but necessary lesson.
Mt. Gox’s problems started before Karpeles assumed ownership. Just before the transfer, under Jed’s management, hackers broke into the servers and stole a hot wallet file holding 80,000 BTC. Those coins have not moved since; the thieves may have forgotten about them or lost the keys. The easiest way to steal 80,000 BTC is to find 80,000 BTC in one place. The exchange’s customers didn’t want to take responsibility for their own coins, so they handed them to Jed, which only made his hot wallet a bigger prize.
The day after the second hack, customers of other custodial exchanges reported that their accounts had been hacked too and their bitcoin stolen. At the time only a handful of people owned bitcoin, and most of them cycled through the same few services. They had not yet understood what it meant to “be your own bank”, and like most people they reused the same password on every site. The second-order effect of the Mt. Gox database leak became painfully obvious: the attackers hit exchange after exchange and made easy money from customers who had reused their passwords, and those customers had little time to react.
In August 2011, Karpeles acquired a Polish exchange called Bitomat. The acquisition was applauded as expansion, but Bitomat was no asset; it was a liability. It had just lost a wallet file holding 17,000 BTC when the Amazon EC2 instance storing it was reset, wiping the only copy. Another genius exchange operator. With the business sense he had, Karpeles thought it a bargain to absorb the loss in exchange for Bitomat’s customer base. The acquisition was paid for with Mt. Gox customer funds, while those customers were content to trade IOUs on the exchange.
The whole Mt. Gox tragedy boils down to one fault on the users’ part. They committed the cardinal sin of transferring control of their bitcoin when they deposited it into Mt. Gox wallets. That gave Karpeles free rein to pilfer, embezzle and lose funds in unimaginable ways. History suggests that when you give other people control over your money, they eventually take it. Mt. Gox was no different.
According to forensic analysis by independent investigators, Mt. Gox was insolvent for most of its existence. It ran as a fractional reserve whose reserves eventually approached zero. In conventional finance that hole is papered over by printing more money, but bitcoin cannot be printed at will. You must work for your bitcoin.
LESSON
You have seen what passes for internal behaviour at an exchange subject to the whims of an incompetent founder. That is what early adopters went through. Today there are better systems in place that prevent the sort of thing Karpeles did, but those systems are still not entirely in your interest. Say you fill out a KYC form and deposit your coins on an exchange like a law-abiding citizen. Then your President tells the American President to eat glass on Twitter. Suddenly you are persona non grata, and a new rule can be put in place to stop you from withdrawing your money.
If you must trade, which I strongly advise against, do it on a decentralised exchange from the security of your hardware wallet. And if you must use a custodial exchange, withdraw immediately and pray that you are not cancelled in the meantime.
To sum up: DON’T LEAVE YOUR COINS ON AN EXCHANGE any longer than you have to. They are not your friends. They are your new financial babysitters.
In regular monetary law, possession is nine-tenths of the law. In Bitcoin, it is ten-tenths of the law - ANDREAS ANTONOPOULOS
QUADRIGA
A CANADIAN EXCHANGE
How many people walk around a city with a hundred million dollars of other people’s money on their laptop? This is the story of a young Canadian who ran an exchange from his laptop for four years while everyone believed it was regulated by the government.
In 2013, a cheerful young man and an older acquaintance announced at “Bitcoin Co-op”, the oldest bitcoin meetup in Canada, that they were going to build an exchange. Bitcoin Co-op had been organising presentations and workshops since 2012 to build a community. Nobody had ever reached out to them until Gerald Cotten and Michael Patryn did.
Cotten had blond hair and a large oval head resting on a small frame. He wore rectangular nerdy glasses that accentuated his smile and put everyone around him at ease. His accent was Canadian with a hint of Scottish. He was not a bitcoin expert, but in 2013 he knew enough to fool everyone. People loved him. Patryn was Indian and had a sturdier build. His eyebrows and beard were meticulously trimmed, intensifying his presence. You could tell he was experienced: he sounded like a Silicon Valley VC who regularly had drinks with bankers and regulators. Cotten and Patryn slowly networked their way into the heart of Canada’s young bitcoin community.
If you were Canadian in 2013, there weren’t many places to buy or sell bitcoin. If you had to get your hands on some, say because hackers in Iran had locked your computer, your best option was to wire money to Japan and wait several weeks for a paper receipt containing your private keys. During that excruciating wait you would have watched the price swing wildly in both directions. Cotten and Patryn were going to fix that inefficiency with an exchange where you could buy and sell bitcoin directly from your Canadian bank account. Cotten would be the face, Patryn the operational brains.
In September 2013, the young founders posted several job adverts on underground forums. There weren’t many LinkedIn profiles with bitcoin experience, but Cotten knew exactly what he wanted:
I am looking for a programmer who is familiar with Bitcoin to develop a website that is very similar to Bitstamp. Bitstamp.net has a variety of features, including…
Cotten and Patryn were quick to market. In November 2013 they incorporated QuadrigaCX, short for Quadriga Coin Exchange. A month later they became the first bitcoin exchange in Canada to register as a money services business with FINTRAC, the agency that, among other things, decides who may operate as a money transmitter in Canada. The exchange opened to customers on Boxing Day, and by January 2014 it was celebrating its 1,000th customer. Quadriga was at every important event in the country. At one conference a reporter asked Cotten:
“What do you believe is the factor that got you guys from where you guys started to how big you guys got?”
His response:
“So one of the differences between quadrigaCX and a lot of our competitors is that I come from a background where I’ve dealt with digital currencies in the past. …. So when we launched QuadrigaCX, we were all already quite aware of the current situation with the banking relations and basically how to integrate bitcoin with the current payment network……We’ve gone from 0 market share to now 80% market share as most of our competitors have fizzled out.”
Quadriga out-innovated everyone else on speed, simplicity and fees while offering more funding and withdrawal options than any other exchange in Canada. It was the first to trade gold for bitcoin and vice versa. Registrations started as a trickle, but new traders told their friends, and the trickle became a torrent.
As the exchange grew, so did the meetups. Cotten became a director at Bitcoin Co-op while still running the business, and he always carried his laptop with him. When the meetups outgrew residential spaces, Cotten offered to host them at Quadriga’s headquarters. He sponsored multiple events, buying himself and his new exchange a generous amount of public goodwill. One day a 78-year-old woman walked into a meeting. They thought she was lost, but she had come to learn about bitcoin. It was a good day.
In 2014, the largest exchange in the world was taking its final breath in Japan, having fallen victim to multiple hacks. Quadriga, according to Cotten, was going to do things differently: it would use the “most sophisticated security” to store this new digital asset. This was their chance to capture not only the Canadian market but a global one.
HOW THEY ONBOARDED CUSTOMERS
Cotten and Patryn ran the exchange like a casino. Banks were clueless about bitcoin in 2014 and kept their distance as Quadriga expanded, which is where Patryn’s previous experience as a money transmitter came in handy. He set up partnerships with payment processors that received money from customers on Quadriga’s behalf. Some of these processors were companies; some were single individuals, including a woman Cotten had recently met on Tinder. A few were Canadian and others international, and collectively they routed all customer funds. To buy bitcoin, you sent money to one of the partner processors by bank wire, draft or whatever means they had hacked together, and once Quadriga received it, your account was credited with “QuadrigaCX Bucks”, an IOU for real dollars. Most customers never realised this because they never read the terms of service.
BITCOIN BULL RUN
Quadriga grew 2,000%, partly thanks to the rise in bitcoin’s price between 2016 and 2017 and the continuous on-ramp of new traders. Some completed thousands of orders. Some were sophisticated traders running bots that analysed market activity. At the other end of the spectrum were retail traders who had heard about bitcoin from neighbours and colleagues. The bull market brought new registrants every day, to the point that Cotten had to hire external contractors to keep up with demand. Whoever they were, they all assumed Quadriga was regulated by the government and therefore safe. After all, it was a Canadian company.
Cotten grew so successful that people were throwing money at him. One of Quadriga’s major clients, the president of a Canadian bitcoin ATM company, would meet him to discuss alternative investments, and at the end of each conversation he would hand Cotten a suitcase full of cash before flying back to his office in a private jet. That is how Cotten did business with VIP clients.
Cotten’s purchasing power rose with the price of bitcoin, and his tastes outgrew his humble beginnings. One time he went yacht shopping, but not for just any yacht: he wanted one that could sail straight to the Caribbean without stopping. When the salesperson offered him an electric-motor life raft, Cotten couldn’t resist showing off; he pointed at his Tesla in the parking lot and said:
“Sure, I love electric”
Just like that, he bought a $600,000 yacht. It was no oligarch’s cruise liner, but mere mortals simply don’t buy yachts. Cotten went on to buy many more toys, including a private plane, real estate in enviable neighbourhoods and a handful of nice cars. The bull market brought out his inner child. He would often come home from work and tell his girlfriend that bitcoin was going to the moon. She didn’t understand what any of it meant, but she always celebrated with him.
Under the illusion of continued growth, Cotten and Patryn decided to take the company public via a reverse listing through a shell company. They started the paperwork, then stopped. Nobody knows exactly what happened, but Patryn was uncomfortable with the attention a public listing would bring, and in February 2016 he left, along with some senior staff. His resignation was never announced. Cotten was now Quadriga’s sole director.
WITHDRAWAL ISSUES
Cotten managed day-to-day operations and presided over a remote team of contractors who maintained the platform, verified account IDs and answered customer enquiries. Most importantly, he alone was responsible for deposits and withdrawals: he and his mysterious laptop. Whom could you trust with other people’s money? In mid-December 2017 the price of bitcoin began to plummet, and withdrawal requests rose soon after. Under normal circumstances Quadriga would have coped with the demand, but Cotten didn’t have enough money in the company’s reserves. Where have we seen this before?
CIBC FREEZES FUNDS
Patryn’s departure unravelled the exchange’s payment operations. Then, in early 2018, the Canadian Imperial Bank of Commerce (CIBC) froze the account of one of Quadriga’s payment processors. Withdrawals got harder to process, and complaints piled up on social media.
“I requested a withdrawal via EFT on Nov 25. The status was shown as completed a couple of days later. It is now Dec 8 (13 days or 10 business days) and I have not received my withdrawal. I submitted a support ticket on Dec 5 and have not received any reply as of today (more than 72 hrs ago). I have also tried to PM the admin for Quadriga on reddit and has not been resolved. Anyone else having problem with EFT withdrawal?”
Quadriga was quick to respond.
“Your withdrawal pretty much certainly failed, most likely due to an incorrect branch or account number. We should get to this tomorrow.”
Quadriga’s response to every complaint was the same: the banks were the real enemy and didn’t want bitcoin to succeed. They blamed the banks for maliciously choking off their money supply and thereby delaying customer withdrawals. It was a plausible excuse for the time being. In extreme cases, Cotten honoured withdrawal requests with money from his “personal” account. When an old member of the Bitcoin Co-op needed to make a down payment on a house, Cotten made sure the withdrawal went through no matter what.
“He was in touch with me personally, he helped make sure that the transfer went through on time……And when the wire was taking a long time, then he actually went out of his way to go and do a direct deposit at the bank for me so I could get the money”
COTTEN GOES TO INDIA
He had met a girl on Tinder in 2014 and they grew close over the years. They got married in 2018. On December 8th, Cotten flew his new bride to Jaipur in India on a packed honeymoon itinerary. Jaipur is a well-preserved city with regal palaces and rugged fortresses, famously dubbed the “Paris of India”. Cotten and his wife booked a deluxe suite at the ostentatious Oberoi Rajvilas hotel. A night cost $923.
The following day, the couple were going to grace the opening of the “Jennifer Robertson and Gerald Cotten home”, an orphanage named after the newlyweds. They had donated $190,000 for construction and upkeep. They never got to attend. That night, Cotten felt discomfort in his stomach. He was taken to a hospital where he entered cardiac arrest and was resuscitated twice. It was 7:26 pm on December 9, 2018. Cotten passed away.
His death sent shockwaves when it was announced on Facebook nearly a month later. The Quadriga community had lost their charismatic leader and, with him, all their money, for he was the only one who could access the exchange funds.
REKT
In the month leading to the tragic announcement, Quadriga continued accepting customer deposits while management kept Cotten’s death a secret. The exchange owed $215 million that they could not pay back when he died. Customers and regulators alike had questions; how did a single person control all customer funds in Canada’s largest exchange? Where did all the money go? What could the victims have done differently? And just who were Cotten and Patryn? Let us examine the series of events that led to this historical footnote.
WHEN PATRYN MET GERALD
Cotten and Patryn met through an underground messaging board in 2003 called Talkgold. It was a digital black marketplace that attracted people who wanted to get rich quickly through high yield investments. The same investors competed for the same investment schemes in a zero sum game. The operators designed them differently each time to keep things fresh and entertain the participants who would lose their money but inevitably come back for more like junkies on mETH. Cotten was 15 when he met a 20 year old Patryn. They were trying to con each other but ended up getting along nicely. This wasn’t normal behaviour. Long-term friendships didn’t take root in environments like that. Cotten and Patryn were the exception.
MISCHIEF AT TALKGOLD
The new besties were quick studies. They learned how Ponzi schemes operated and began to cooperate on their own. When one of them posted a Ponzi, the other would vouch with kind words, under a different alias, to encourage suckers. As a result, they needed many aliases, so they learned how to create anonymous identities, cover their digital footprints and hide their geolocation through virtual private networks. These technical skills were useful but not as lethal as the confidence they developed while orchestrating increasingly bigger scams.
Right before a Ponzi imploded, Cotten and Patryn would disappear. And after a cooling down period, they always resurfaced with new identities to start again.
PATRYN’S FORMER LIFE
Patryn was in charge of the operational and payment processor side of the exchange despite his checkered past. He went by different names, changing it each time he got in trouble with the law. As “Omar Dhanani”, he was a member of a notorious syndicate called ShadowCrew dot-com. They were the forerunners of modern cybercrime forums and marketplaces. Amongst other things, they trafficked in stolen identities and credit cards. Patryn provided anonymous money laundering services for a 10% fee. After getting caught in the United States, he spent 18 months in prison before he was deported to Canada where he returned to his passion; moving money for criminals.
He registered Midas Gold Exchange under the name “Omar Patryn” and became a money exchanger for Liberty Reserve. Liberty Reserve was a centralized digital currency service that allowed users to transfer money with only a name, e-mail address, and birth date. It allegedly laundered $6 billion worth of transactions tied to credit card fraud, child pornography and identity theft before it was shut down in May 2013. Patryn was already familiar with digital currencies, so when bitcoin showed up on his radar, it fit like a glove.
By the time Cotten and Patryn decided to launch Quadriga in 2013, they already had a questionable resumé between them. Bitcoin provided the technology and community to scale their mischief.
QUADRIGA DIDN’T HAVE ANY INTERNAL ACCOUNTING
Despite what Cotten said in public about decentralized custody, Quadriga was a custodial exchange. When a customer transferred bitcoin or U.S. dollars to Quadriga, they relinquished control to the exchange. The customer only had a claim against Quadriga for the value of the transferred assets. That claim could then be traded with the claims of other customers like chips in a casino. Nothing was recorded on the blockchain unless a withdrawal was made. As a result, Quadriga’s internal bookkeeping was a mystery to its customers and the law.
Like Mt. Gox, they ran a fractional reserve with no reserves. Every bitcoin was part of a general asset pool. In other words, if a customer’s account balance reflected 1 BTC, it did not mean that Quadriga held a bitcoin to back that account entry. They mixed all funds because they were betting that only a small percentage of customers would apply for a withdrawal at any given time.
WHY DIDN’T THEY HAVE ENOUGH BITCOIN?
Cotten frequently moved assets out of Quadriga to other exchanges where he tried to turn a profit. Since he held the private keys, he could authorize transactions of any size from his laptop. And he did so regularly. A lot of the bitcoin he moved out never found its way back to the exchange. It is estimated that he lost about $28 million in customer assets on other exchange platforms.
Quadriga management always told customers that their bitcoins were held in secure off-line storage following the highest standards in the industry. This was not true. When you transfer bitcoin to an exchange, you are at the mercy of their security policies. Cotten not only exposed customer bitcoins to his poor trading practices, but also to the security policies of the exchange platforms he traded on.
WHY DID COTTEN NEED TO TRADE ON OTHER EXCHANGES?
He lost money counter-trading his own customers on the Quadriga exchange, so he sought out less skilled traders and new liquidity pools elsewhere. His administrative privileges meant he could create alias accounts and conjure up any amount of fake dollars or bitcoin. It was as easy as setting up a new Amazon account and filling up a wishlist. The problem was that the assets he created were not real and he could not withdraw them from the exchange without risking an audit. For the sake of argument, let’s say Cotten created $1000 of fake USD. At the same time a customer, Bob, funded an account with 1 bitcoin he got from a friend earlier. Bob wants to sell his bitcoin for $1000. Cotten takes the other side of the trade and buys with fake US dollars. Now Bob has $1000 and Cotten has 1 bitcoin. A week later, the price of bitcoin dropped to $900 and Bob wants to cash out. Cotten is short. He can only sell his bitcoin for $900, so he borrows $100 from Alice. She just funded her account with $300 since all her neighbors are talking about bitcoin. Cotten now has to keep track of this new debt while figuring out who to rob when Alice is ready to cash out. Cotten did this thousands of times with several alias accounts. One in particular stood out: “Chris Markay”.
Through this account alone, he completed over 250,000 trades between 2015 and 2018. This meant that almost everyone on Quadriga likely traded with Chris Markay at some point without knowing it. Cotten even traded with himself through his multiple aliases. While Quadriga dominated trading volumes in Canada, Chris Markay dominated within Quadriga. In 2017 he credited the Chris Markay account with $100 million in a single deposit. The following year, he credited another $50 million. While everyone else had to work or steal for their money, Cotten simply added zeros to his fictional account like a central bank. He could trade as much as he wanted and transfer all the risk to his unsuspecting customers. Cotten accumulated over $115 million in losses over the business life of Quadriga.
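The mechanism described in the last few sections, as an added toy model in Python (not Quadriga’s software; the class and function names are mine): a custodial book where a deposit raises both the customer’s claim and the reserves, an admin credit raises a claim with nothing behind it, and trades only shuffle entries. `bob_scenario` replays the Bob and Alice story above up to Bob asking for his dollars back, and `shortfall` is the reconciliation an auditor would run: customer claims against what the exchange actually holds, with the operator’s alias skipped because its fake balance is owed to nobody while whatever it traded away to real customers is.

```python
from collections import defaultdict

class CustodialLedger:
    def __init__(self):
        self.reserves = defaultdict(float)                       # assets the exchange actually holds
        self.balances = defaultdict(lambda: defaultdict(float))  # balances[account][asset], what is owed

    def deposit(self, account, asset, amount):
        """A real inflow: the customer's claim and the backing asset grow together."""
        self.reserves[asset] += amount
        self.balances[account][asset] += amount

    def admin_credit(self, account, asset, amount):
        """An operator typing a number into an account: a claim with nothing behind it."""
        self.balances[account][asset] += amount

    def trade(self, seller, buyer, asset, qty, price_usd):
        """Internal trade: only book entries move; the reserves are untouched."""
        cost = qty * price_usd
        assert self.balances[seller][asset] >= qty and self.balances[buyer]["USD"] >= cost
        self.balances[seller][asset] -= qty
        self.balances[buyer][asset] += qty
        self.balances[buyer]["USD"] -= cost
        self.balances[seller]["USD"] += cost

    def withdraw(self, account, asset, amount):
        """The only point where the book meets reality; False is the 'delayed' withdrawal."""
        assert self.balances[account][asset] >= amount, "insufficient book balance"
        if self.reserves[asset] < amount:
            return False
        self.balances[account][asset] -= amount
        self.reserves[asset] -= amount
        return True

    def shortfall(self, insiders=()):
        """Customer claims minus reserves per asset (positive = insolvent); insider aliases skipped."""
        owed = defaultdict(float)
        for acct in set(self.balances) - set(insiders):
            for asset, amt in self.balances[acct].items():
                owed[asset] += amt
        return {a: owed[a] - self.reserves[a] for a in set(owed) | set(self.reserves)}

def bob_scenario():
    lx = CustodialLedger()
    lx.admin_credit("Chris Markay", "USD", 1000)  # conjured dollars, no deposit behind them
    lx.deposit("Bob", "BTC", 1)                   # Bob's bitcoin is real
    lx.trade("Bob", "Chris Markay", "BTC", 1, 1000)
    lx.deposit("Alice", "USD", 300)               # the only real dollars in the house
    paid = lx.withdraw("Bob", "USD", 1000)        # reserves hold $300: Bob waits
    return paid, lx.shortfall(insiders={"Chris Markay"})
```

The USD shortfall comes out at exactly the $1000 that was conjured, while the book shows a spare bitcoin that belongs to the alias, which is the gap customers could never see because nothing in it touched the blockchain.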
PERSONAL BANK ACCOUNT
Another reason why the exchange books didn’t add up was that Cotten acquired expensive tastes which he paid for with exchange funds. His salary was a modest $65,000 a year according to his 2015 employment contract, but he could afford luxury automobiles, a plane, a yacht and premium real estate. It was as if Cotten operated Quadriga like a personal bank account; one time, he transferred $24 million to himself and his girlfriend. They took regular trips and always stayed at the nicest hotels. Cotten took care of his immediate family. He even left $100,000 for his two chihuahuas in his will.
BULL RUN OVER
Cotten assumed that his good fortune would continue indefinitely, but all good things come to an end. If the markets were a symphony, then December 2017 was a long deafening crescendo that erupted in orgasmic exuberance. People started mortgaging their houses and pillaging college funds to buy in at the top of the cycle. This catastrophic timing is a skill in itself. Contrary to great symphonies, the ending wasn’t a standing ovation but a stampede for the exit. When the world ran out of people willing to pay more for each bitcoin, people started selling. They caught Cotten with his pants down. The thing he feared the most had befallen him; everybody wanted their money at the same time and he didn’t have it.
The price of bitcoin dropped fast. Every time you refreshed your screen, you grew poorer. Cotten’s knee-jerk reaction was to trade his way out using the Chris Markay account. That didn’t work, so he returned some of the money he took earlier. Even that wasn’t enough. Just then, the CIBC froze one of his payment processors. With very few options and growing vocal dissatisfaction, Cotten committed the cardinal sin of trading; he sold bitcoin at the bottom. The selling pressure from his desperation punched a hole through the bottom and took prices even lower. But it still wasn’t enough to stave off angry customers. So he paid off the loudest ones first because they were likely to be as vocal in celebrating their success as they were in decrying outrage. A redditor said:
“With all of the negativity lately, I would like to thank Quadriga for getting my withdrawal to me. Although it was a little late, they came through.”
Cotten got desperate. He started sending cash envelopes across Canada to people whose withdrawals were taking too long. He sent cash in paper bags and shoeboxes to coffee shops, laundromats, and pool halls. The CEO of Canada’s largest exchange had been reduced to a postman.
Right before he died, he was still sending out money from his personal account on his laptop. Up until he died in India, Cotten was the only person with the passwords to the accounts holding Quadriga’s funds, worth approximately a quarter billion U.S. dollars. Except there were no funds. An external contractor, Ernst & Young, brought in to audit the accounts, might as well have been in a science fiction movie. The accountants were confused by all of it. Instead of bank account numbers, they had to trace long alphanumeric addresses on a public blockchain. They finally identified six bitcoin addresses used by Quadriga in the past. Five of those wallets had been empty since April 2018. The accountants got lucky and found some bitcoin, but they sloppily transferred it to the wrong address. It was funny. Then it was scary. They had sent bitcoin to a dead man’s wallet.
The investigating policemen were more out of place than the accountants. They looked like they would’ve been more comfortable with a dead body and a murder weapon. What good was a badge against bitcoin’s security? Cotten had robbed his clients in life and in death.
LESSON
Your private keys are the only thing standing between you and your bitcoin. If you give them away, they are no longer yours. Don’t become a statistic in the next mass exchange hack or gross administrative mismanagement. Keep your coins yourself in a hardware wallet that you have properly backed up and don’t need to access regularly. After all, you don’t check into your Swiss savings every day.
There are many ways to acquire bitcoin now. You could work for it or buy it from a decentralized exchange that only requires a wallet address. If you don’t have access to any of these and you must use an exchange, then make it quick. Don’t get comfortable leaving your coins there. Someone is working hard, consciously or unconsciously, to take your coins from that exchange. It could be a hacker, a regulator or even a terrible employee. NEVER leave your bitcoin on an exchange, no matter who it is regulated by.
Now you know the story of Mt. Gox and Quadriga. When you see them on the news, you will be one of the few people who know what they did wrong. Next, we learn why you should never use the same bitcoin address twice. In “CHAPTER 4” you will read a story of how some criminals got caught because they reused a bitcoin address many times and led the police to their doorsteps. Don’t forget to comment and tell your friends. Lord Thoth appreciates you.
Internet Relay Chat (IRC) is a text-based chat system. It enables discussions among any number of participants in so-called conversation channels, as well as discussions between only two partners. Source: Wikipedia.
A hot wallet is a wallet that is connected to the internet. Its physical equivalent would be a cash register where you keep cash to service clients. Never keep your savings in a hot wallet.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada’s financial intelligence unit (FIU). The Centre assists in the detection, prevention and deterrence of money laundering and the financing of terrorist activities. FINTRAC's financial intelligence and compliance functions are a unique contribution to the safety of Canadians and the protection of the integrity of Canada's financial system. https://www.fintrac-canafe.gc.ca/fintrac-canafe/1-eng
The girl on Tinder later became his wife. She set up a firm called Robertson Nova Consulting Inc. to process payments for Quadriga. Mr. Cotten told her where to send funds and paid her a commission that typically amounted to $1,000 a month.