by Patrick Burke
The cryptocurrency world is still grappling to understand just what happened at Quadriga CX, the virtual currency exchange whose CEO who is alleged to have died without sharing the private keys to millions in customers’ cryptocurrency. Did the CEO really die, or is it a hoax attempting to separate Quadriga CX’s customers forever from their cryptocurrency?
In either case, it offers some solid lessons for virtual currency consumers. First, cryptocurrency investors should conduct at least some due diligence into whether their chosen exchange has proper safeguards in place to ensure the safe keeping of the virtual currency left in their custody. Second, for consumers not adept at conducting their own due diligence, would it be wiser to do their trading on platforms subject to government oversight on security and consumer protection? Lastly, what form of recourse is available when an exchange claims to have lost the private keys to the cryptocurrency they are holding on your behalf?
Given the paucity of regulation of virtual currency exchanges — outside of New York’s BitLicense — investors can be particularly vulnerable to outright losses as happened to Quadriga CX’s customers. How does a consumer determine which unregulated exchange to trust? I asked a cryptocurrency security expert how to do that. “You need to ascertain their physical and cybersecurity profiles,” said Matthew Johnson, Head of Product for Digital Asset Custody Company, “In a robust custodial solution, there will be no single point of failure. Key man risk should be mitigated by strong operational procedures and separation of duties.”
Johnson’s points are well-taken, but not all crypto-investors are in a position to conduct that sort of due diligence, which is why demand seems to have increased for crypto exchanges that offer consumer protections and general legal compliance. One such exchange – Gemini – touts its licensing by the New York State Department of Financial Services and currently is running an advertising campaign with the tagline “Gemini – The Regulated Cryptocurrency Exchange. ”Quadriga CX highlights the value of such regulation, and the peace of mind it can bring to consumers and investors who lack the resources and expertise to conduct their own crypto-security due diligence.
None of this helps the unfortunate Quadriga customers whose cryptocurrency the CEO’s widow claims is lost. There has been some conjecture that perhaps the CEO’s death is a hoax and, if so, whether the customers’ “lost” cryptocurrency will someday be unlocked and spent by the non-deceased CEO (and/or his wife). This is where the lawyers come in.
As it happens, Drew Hinkes has just published an excellent article on this very dilemma. Hinkes, an Adjunct Professor at NYU School of Law and NYU’s Stern School of Business, notes that “determining whether claims of lost or forgotten keys are genuine or are bad faith attempts to protect assets will be a challenge for Courts, which will be forced to confront complex, technology-specific evidence and will be required to determine whether that loss is bona fide or ‘self-created impossibility.’” Hinkes proposes that legislators create contempt sanctions to allow for liens to be placed on identifiable cryptoassets at issue, possibly creating registries listing identifiable cryptoassets subject to turnover orders, similar to state UCC registries. That way, cryptocurrency exchanges like Quadriga would be disincentivized from faking the loss of private keys in the hope of using them later to spend the customers’ identifiable cryptoassets, because any later transactions on the blockchain in customers’ identifiable crypto assets would be detected, their fungibility destroyed, and their commercial value reduced. “The lien against identifiable cryptoassets would have no impact on parties who actually lose private keys,” writes Hinkes, “but would facilitate recovery of crypto assets in the case of a hack or theft.”
As Professor Hinkes writes: “[P]eople forget things and lose things, including extremely important things.” But sometimes parties act in bad faith and merely claim to have lost private keys, and may just try to wait it out and try to use those keys later. We’ll see what category the Quadriga CX owners fall into – their customers may only get their assets back if its hoax.
Hinkes, Andrew, THROW AWAY THE KEY, OR THE KEY HOLDER? COERCIVE CONTEMPT FOR LOST OR FORGOTTEN CRYPTOASSET PRIVATE KEYS, OR OBSTINATE HOLDERS. (February 4, 2019). Northwestern Journal of Technology and Intellectual Property, Vol. 16, Vol 17.1, 2019. Available at SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3328870. Hinkes is also the Co-Founder, Chief Legal Officer and General Counsel of Athena Blockchain, a financialservices advisory firm focused on the tokenization of investments.
Patrick Burke heads the Data Technology and Cybersecurity practice at Phillips Nizer LLP. He previously served as a Deputy Superintendent at the New York State Department of Financial Services, where he oversaw the “BitLicense” program.