QuadrigaCX Was Never Legitimate

QuadrigaCX’s executives are lying about losing access to their reserves. Blockchain evidence proves it.

In my analysis of the QuadrigaCX Ethereum wallet, I claimed that they were operating with an inadequately backed cold wallet. When their Ether hot wallet ran short, they resorted to using outside exchanges, and sometimes even ShapeShift, to gather funds and fulfill customer withdrawals. We saw this in the blockchain, the record of all the Ethereum activity since its genesis. The next step is to investigate the Bitcoin blockchain to establish a pattern of behavior.

Confirming QuadrigaCX’s wallet addresses

I was originally intending to determine QuadrigaCX’s Bitcoin wallet address cluster by correlating their Ethereum transfers to ShapeShift with Bitcoin blockchain activity. Turns out, that was unnecessary. Querying ShapeShift’s API was sufficient, knowing their deposit addresses from the previous analysis.

$ curl https://shapeshift.io/txstat/0x10d6d7e5f04c27244951deb44333087d344b66a7 ; echo

That gives us the following ShapeShift deposit/receipt pairs:

0x75fd454c8118d9598ee588e6ff52b1bb6d08aa74 → 32k2vsbWqwx2PuiLCbkEceRJo1hA42uwpf

0x8eafc0e93a10cbc30aa7fce47b4b5cbedc53a41a → 33fzhrvYvBLtGau2TBkyYy3eeKRuzRuHmG

0xa9237c8117dca43e8179666e7928b37d8d5a8f96 → 3QjyknRrFWkBupXhXJWAtPDyabqzj6SEpM

0xf8d8a55e230d795996d46d3b70151cbe45e12dc2 → 32ZV2osDjhX9vKidTdDuycm3RhL73hg9SZ

0xfaff49c620cf34da4beea650e70cfdb44d4e5665 → 3L96QSb1eCELthXFESDAAGtawSKKLCBTUS

WalletExplorer sees all these destination addresses as part of the [0000092007] cluster, consistent with ProofOfResearch’s analysis.

Watching the Balance in the Bitcoin Hot Wallet

Wallet Explorer conveniently provides a CSV export function that includes cumulative cluster wallet balances. Based on those exported files, I agree with ProofOfResearch’s claim that QuadrigaCX generally never kept more than 100 BTC on hand in their hot wallet.

We can observe how QuadrigaCX used the same pattern of outside exchange funding in critical withdrawal moments. At the peak of QuadrigaCX’s hot wallet balance, they had almost 600 BTC on hand, receiving a ~240 BTC withdrawal from Poloniex. It was drawn down within twenty minutes to less than 40 BTC.

An inadequate hot wallet backed by Poloniex?

Though QuadrigaCX only used ShapeShift to fund their Ethereum hot wallet on that one occasion, they used the service extensively outbound from ETH to service BTC withdrawals. Take, for example, the BTC addresses 3DszGFkceqo3QKRM6ThWXUCB9vNXhccwNh and 32ZV2osDjhX9vKidTdDuycm3RhL73hg9SZ listed above. The first address received ~45 BTC in twenty transactions from ShapeShift, and the latter received ~42 BTC around the same time. The address cluster went from 30 BTC on hand to 120 BTC, only to drop back to 20 BTC.

ShapeShift rescues QuadrigaCX. Again.

The other addresses show a similar pattern: receive funds into the Hot Wallet and spend them within hours. Not minutes, since Ethereum has much faster block times, but still very quickly.

A clear pattern of inbound bursts, followed by a total spend out.

A little less apparent because there were many withdrawals to fulfill this round.
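
The burst-then-drawdown pattern described in this section can be checked mechanically against a cumulative-balance export. The Python below is an added example, not the author's tooling: the CSV column names, the thresholds and the sample rows are constructed assumptions, not WalletExplorer's actual export format or real QuadrigaCX data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not real QuadrigaCX data). The column layout is an
# assumption for illustration; adjust the names to match the export you have.
SAMPLE_CSV = """date,received amount,sent amount,balance
2017-06-01 09:00:00,2.5,,38.0
2017-06-01 09:40:00,,6.0,32.0
2017-06-01 10:05:00,45.0,,77.0
2017-06-01 10:20:00,42.0,,119.0
2017-06-01 11:10:00,,60.0,59.0
2017-06-01 12:30:00,,39.0,20.0
2017-06-02 08:00:00,5.0,,25.0
2017-06-02 15:00:00,,3.0,22.0
"""

def load_rows(text):
    """Parse the export into (timestamp, received, balance) tuples, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.strptime(r["date"], "%Y-%m-%d %H:%M:%S"),
                     float(r["received amount"] or 0), float(r["balance"])))
    return sorted(rows)

def find_burst_drawdowns(rows, min_inflow=50.0, burst_window=timedelta(hours=1),
                         drain_window=timedelta(hours=6), drain_ratio=0.8):
    """Flag deposit bursts whose inflow is mostly spent again within drain_window."""
    events, i = [], 0
    while i < len(rows):
        ts, received, _ = rows[i]
        if received <= 0:
            i += 1
            continue
        # Sum consecutive deposits that arrive within burst_window of the first.
        j, inflow = i, 0.0
        while j < len(rows) and rows[j][1] > 0 and rows[j][0] - ts <= burst_window:
            inflow += rows[j][1]
            j += 1
        peak_ts, peak_bal = rows[j - 1][0], rows[j - 1][2]
        later = [r for r in rows[j:] if r[0] - peak_ts <= drain_window]
        if inflow >= min_inflow and later:
            low = min(later, key=lambda r: r[2])  # lowest balance after the burst
            if peak_bal - low[2] >= drain_ratio * inflow:
                events.append({"start": ts, "inflow": inflow, "peak": peak_bal,
                               "low": low[2], "drained_after": low[0] - peak_ts})
        i = j
    return events
```

Calling `find_burst_drawdowns(load_rows(SAMPLE_CSV))` flags the single constructed burst; ordinary small deposits and withdrawals in the same file are ignored.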

QuadrigaCX’s Modus Operandi

The operating pattern for QuadrigaCX’s hot wallets is now clear. Take crypto deposits from customers into the hot wallet. When it fills up, send some of it to a cold wallet, and some to exchanges for trading and liquidation. When the hot wallet gets empty, call funds back from the hot wallet, trade for funds from the outside exchange, or use ShapeShift when desperate.

I must admit that this pattern is, honestly, rather transparent in retrospect. QuadrigaCX made no real attempts to obfuscate its asset flows. They didn’t use Ethereum mixers at all, instead directly receiving clutch funding from major exchanges. They used reusable ShapeShift addresses instead of one-time addresses. They allowed their own cold wallets to withdraw to ShapeShift, instead of mixing them with other client deposits through their hot wallet. Tracing through this was cumbersome, but I would not describe it as technically challenging. Gerald was known to be a very security-conscious person; why would he have been so careless with covering his tracks?

Bank of Quadriga

One charitable explanation for this behavior is that he designed QuadrigaCX to store crypto assets on outside exchanges’ wallets, held in account. That would mean that some assets are potentially recoverable. It would also explain the urgency of decrypting Gerald Cotten’s laptop: it’s not cold wallet passwords they want, it’s cryptocurrency exchange accounts and passwords. Still, I consider this to be a very unlikely scenario; I believe any associated accounts using the previously mentioned withdrawal addresses to be near emptied.

Once again, “not your keys, not your coins.” A bank can last indefinitely so long as its reserves can withstand its customer withdrawal flows long enough to be replenished from deposits and other inflows. That’s how banks make money, after all: they take your deposits and send your money back out the door, to borrowers. Unlike a Ponzi scheme, QuadrigaCX never promised any absurdly high returns on cryptocurrency that required building a larger and larger customer base to sustain operations. Cotten could have stolen half the reserves, and you wouldn’t have known it. It might not have even mattered in the end.

That’s all Cotten left for your account at QuadrigaCX.

So what precipitated QuadrigaCX’s collapse? The major event in 2018 for them was their incompetent mismanagement of client withdrawals. A massive $28 million CAD ended up frozen by a bank in January 2018, badly slowing down withdrawals. Combine that with a prolonged crypto bear market, now over a year old, that would depress fiat inflows, and the natural result is that QuadrigaCX would start to face pressure on its crypto reserves.

And that’s exactly what happened in October 2018. With fiat withdrawals taking months instead of days to clear, customers had a choice. They could continue waiting months for fiat cash, or buy crypto and withdraw that out, despite the QuadrigaCX market premium. Not surprisingly, crypto withdrawals then slowed to a crawl, just like fiat. Banks run on confidence; if one loses the confidence and trust of its depositors, total collapse becomes inevitable.

QCX executives are lying about losing access to their reserves

Both Bitcoin and Ethereum blockchains show QuadrigaCX insiders pulling funding from their exchange, even as late as mid-January. On the BTC side, WalletExplorer data showed a withdrawal from QuadrigaCX’s hot wallet of 140 BTC on December 19th, after Gerald Cotten’s death.

When you see a burning building, run in and steal everything!

This withdrawal is incredibly suspect, since:

Inbound BTC into the Bitcoin Hot Wallet was also unusually active; the wallet was nearly empty on the morning of the 19th, filled up to over 220 BTC, and went back to single digits by 16:00. The same pattern occurred on the 20th for the 100 BTC withdrawal.

Somebody had access to QuadrigaCX’s outside BTC reserves after Gerald Cotten’s death.

On the Ethereum side, the address 0x57b727dc48b5d9261958e0fb9f94fa02dc328bf6 remains active, even into mid-January 2019. It’s a Poloniex deposit address, yet we know this to be a QuadrigaCX address because QuadrigaCX’s “Old Wallet” transferred funds to it on March 10th, 2016, before Ether funding and trading went live on the exchange. (A hat tip to Taylor Monahan, again, for highlighting the address for detailed review.)

QuadrigaCX was fractional from the start. ShapeShift proves it.

Don’t get me wrong, I think all exchanges, especially the explicitly identified ones, should freeze all the accounts that withdrew to the aforementioned inbound funding addresses for QuadrigaCX, at least until they complete their own independent investigations. But I think it is unlikely to bear much fruit; the evidence is in the blockchain.

The smoking gun, once again, is ShapeShift. As I argued previously, a bank can last indefinitely so long as it has sufficient reserves to satisfy all withdrawal requests. It doesn’t need to satisfy all balances. And QuadrigaCX could have used exchanges as a “cool” wallet. After all, customer crypto withdrawals were all satisfied through 2017 and most of 2018. But the story that ShapeShift usage tells is that they couldn’t satisfy BTC withdrawals from their reserve, whether in a cold wallet or on an exchange. They needed to trade Ether, and incur all the fees associated with conversion, to fulfill BTC withdrawals. And that was in the white-hot crypto market of 2017, not the crypto winter of 2018 and 2019.

As for how to prevent future frauds like QuadrigaCX? Aside from never keeping your funds on an exchange until necessary, I think the Proof of Keys idea is a good one. Force all exchanges to prove their reserves on a regular basis. And not on the word of lawyers and accountants, who can be paid to shred evidence. Because the final book of accounting lies in the blockchain; it’s how we now know QuadrigaCX was a fraud from the beginning.