Lost Access to Cryptocurrency Cold Storage Puts $200 Million on Ice
February 5, 2019 | Security and Risk | Andrew Silberman
After the death of its founder, Canadian crypto exchange QuadrigaCX has not been able to access close to $200 million worth of cryptocurrency. Gerald Cotten, QuadrigaCX’s founder, was the only person who knew, or had any access to, the passwords for the account that held the majority of the firm’s cryptocurrency assets. He opted to hold these company assets in “cold storage,” which is a way of storing Bitcoin or other cryptocurrency offline, as opposed to a “hot wallet,” which runs on an internet-connected device and is therefore susceptible to cyberattack. Cold storage is more common for holding large amounts of cryptocurrency, whereas hot wallets are used for day-to-day transactions and store smaller amounts of crypto, so there’s nothing out of the ordinary in QuadrigaCX’s use of cryptocurrency cold storage. The real problem occurs when the only person who can gain access to the money isn’t around anymore.
However, having only one person who is able to access these credentials presents its own inherent level of risk. Both Cotten’s widow and technical experts have so far been unable to bypass the encryption that safeguards QuadrigaCX’s money, and QuadrigaCX’s clients are looking to recoup their investments. Reports have the firm trying to employ sophisticated decryption methods and digging through old notebooks, spreadsheets and everything in between to get into Cotten’s cryptocurrency cold storage.
It is, frankly, a testament to Cotten that no one has been able to access his company’s most important assets even after his death. However, his decision to keep his privileges to himself has left his company – and his wife – in dire straits. Nobody associated with the firm has been able to recover a password, as it appears the passwords were not written down, stored in a spreadsheet, or passed along to anyone else. Of course, to avoid security breaches involving privilege, privileged credentials should never be left out in the open, on Post-it notes, in thrown-away notebooks, or kept in spreadsheets (gasp). But, as we’ve seen with QuadrigaCX, keeping everything to yourself has its own dangers. Management is key.
Unfortunately, we’ve seen attackers use all of the above to get into various organizations’ networks, so it’s worth repeating that privileged credentials should be guarded and kept secret from anyone who doesn’t require that level of access in order to do their job. But when only one person knows the credentials, there is no method for disaster recovery or shared access in the event that the “knower of passwords” isn’t able to provide them. The risks associated with keeping credentials and assets offline, especially when only one person is able to access them, are severe, and they demonstrate the importance of having a centralized, encrypted repository that can safeguard privileged credentials, passwords, keys, secrets, and more.