Recently, CoinDesk posted an article that referenced a Reddit user’s analysis of the 103 bitcoins that QuadrigaCX (a Canadian exchange) claims it sent to a cold wallet by accident.
Specifically, CoinDesk cites this Reddit post:
Despite the fact that it is visibly clear that the funds were removed out of the cluster address that it was sent to, the Reddit user argues that this, in fact, is okay because the true cold wallet addresses for QuadrigaCX are a list of five addresses, which they self-identified.
The author states:
1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa Balance of 36.37786282 BTC
1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB Balance of 33.19556316 BTC
1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M Balance of 19.54328527 BTC
1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe Balance of 10.34268585 BTC
1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R Balance of 4.87560516 BTC
For a total of 104.33500226 BTC. Notably, every address was inactive since April 2018 and the majority of their received BTC was either directly from the QCX hot wallet or a wallet 1 transfer removed from the hot wallet.
With all this information, we can confirm:
These 5 addresses are a portion of the QCX cold wallet addresses.”
This information was covered and re-blogged/retweeted/shared by numerous credible news outlets since it was originally shared and published by CoinDesk (approximately 48 hours ago).
Given the opaque nature of these funds, the author has taken it upon themselves to perform due diligence and research into the nature of these ‘cold wallets’.
This report makes no claims as to whether these are legitimately cold wallet funds or not, but rather examines the nature of these wallets to ascertain their activity in order to get a better idea of what these wallets may have been used for.
Findings From the Report
- In total, QuadrigaCX sent and liquidated down $400M+ in each of the associated addresses plus the wallet address (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP). The latter wallet address was included because research from blockchain firm ‘Trinide’ concluded a significant correlation between the above address and the cold wallet addresses (more on this in the conclusion, plus a link to the 200+ pulled transactions).
- These ‘cold wallets’ are associated with a significant amount of criminal activity. This criminal activity includes but is not limited to: dark markets, child pornography, fraud, identity theft, hacking, blackhat services, drug trafficking, and human trafficking. There were no potential ‘middle men’ between the operator of the cold wallets and the recipient/sender of the funds from these sources. To be clear, there were hardly any ‘legitimate’ (i.e., legal) transactions in some of these wallets.
- Significant amounts of customer funds were siphoned into some of these wallets as well. Those customer funds were usually pooled, aggregated, then liquidated down. The research was careful to ensure and demonstrate that the funds were not aggregated, then sent to another ‘cold wallet’ location. Final destinations were verified with advanced blockchain software and multiple other identity verification sources.
- The exchange, Bitfinex, in specific, received tens of millions of dollars from these cold wallets. Some of the funds that were sent to Bitfinex were of questionable legal nature.
- Some of the transactions that occurred within the cold wallets significantly implicated involvement with Payza/Obozo/Egopay controlled entities.
It should be noted that an additional wallet address (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) was included in the estimated total that was liquidated due to the results of the transaction analysis that was performed by blockchain analytical research firm, Trinide, between this wallet and the fourth QuadrigaCX cold wallet that will be covered in this analysis.
Below are the notes from that transactional analysis:
- In total, there are 266 transactions that involve both of the addresses (a significant number).
- Out of that 266, 86 of them have both addresses listed as inputs.
- Given this fact, as well as the amounts transacted between both wallets, the blockchain research firm concluded that these wallets are either: a) Owned by two entities that are essentially operating in coordination with one another; or b) The wallets are, in fact, owned by the same entity.
All 266 transactions were aggregated, along with their transaction IDs and uploaded to a PasteBin document.
That upload can be accessed at this link: https://pastebin.com/zYjrvzrf
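Counting the transactions in which both addresses appear as inputs is the reasoning usually called the common-input-ownership heuristic: every input must be signed, so co-spent addresses normally share a key holder. The sketch below is an added example, not Trinide's tooling or code from this report; the `Tx` record shape, the sample ledger and the CoinJoin filter are constructed assumptions, and only the two addresses come from the report.

```python
from collections import Counter
from dataclasses import dataclass

BTC = 100_000_000  # satoshis per bitcoin

ADDR_A = "1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP"  # overarching wallet (from the report)
ADDR_B = "1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB"  # cold wallet #4 (from the report)


@dataclass(frozen=True)
class Tx:
    """Minimal transaction record; this shape is an assumption of the example."""
    txid: str
    inputs: tuple   # ((address, satoshis), ...)
    outputs: tuple  # ((address, satoshis), ...)


def classify(tx, a, b):
    """Say how a and b relate inside one transaction, or None if not both present."""
    ins = {addr for addr, _ in tx.inputs}
    outs = {addr for addr, _ in tx.outputs}
    if not {a, b} <= (ins | outs):
        return None
    if a in ins and b in ins:
        return "co_spend"      # both signed the same transaction
    if a in ins:
        return "a_pays_b"      # b can only be on the output side here
    if b in ins:
        return "b_pays_a"
    return "co_receive"        # both only received; says little about ownership


def looks_like_coinjoin(tx, min_parties=3):
    """Rough filter (assumption): several distinct signers and as many equal outputs.

    Collaborative transactions break the ownership inference, so co-spends
    with this shape should not be counted as evidence of a single owner.
    """
    signers = {addr for addr, _ in tx.inputs}
    values = Counter(value for _, value in tx.outputs)
    most_equal = values.most_common(1)[0][1] if values else 0
    return len(signers) >= min_parties and most_equal >= min_parties


def summarize(txs, a, b):
    """Count shared transactions by relationship, separating out weak co-spends."""
    result = {"shared": 0, "co_spend": 0, "a_pays_b": 0, "b_pays_a": 0,
              "co_receive": 0, "co_spend_coinjoin_like": 0}
    for tx in txs:
        kind = classify(tx, a, b)
        if kind is None:
            continue
        result["shared"] += 1
        result[kind] += 1
        if kind == "co_spend" and looks_like_coinjoin(tx):
            result["co_spend_coinjoin_like"] += 1
    result["co_spend_strong"] = result["co_spend"] - result["co_spend_coinjoin_like"]
    return result


# Constructed sample ledger: txids and "other-*" addresses are placeholders.
SAMPLE = [
    Tx("constructed-01", ((ADDR_A, 5 * BTC), (ADDR_B, 3 * BTC)), (("other-1", 8 * BTC),)),
    Tx("constructed-02", ((ADDR_A, 4 * BTC),), ((ADDR_B, 3 * BTC), (ADDR_A, 1 * BTC))),
    Tx("constructed-03", ((ADDR_B, 2 * BTC),), ((ADDR_A, 2 * BTC),)),
    Tx("constructed-04",
       ((ADDR_A, BTC), (ADDR_B, BTC), ("other-2", BTC), ("other-3", BTC)),
       (("other-4", BTC), ("other-5", BTC), ("other-6", BTC), ("other-7", BTC))),
    Tx("constructed-05", ((ADDR_A, 6 * BTC),), (("other-8", 6 * BTC),)),
    Tx("constructed-06", ((ADDR_B, 2 * BTC), (ADDR_A, 2 * BTC)), (("other-9", 4 * BTC),)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, ADDR_A, ADDR_B))
```

Run against the real transaction list, the `shared` and `co_spend` counts correspond to the 266 and 86 figures in the notes; `co_spend_strong` is the subset that still supports a same-owner conclusion after collaborative-looking transactions are set aside.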
Analysis Strongly Indicates That QuadrigaCX Was a ‘Front’ Business
It is the author’s firm opinion that QuadrigaCX was essentially running the exchange as a ‘front’ business. This conclusion derives from both blockchain analysis as well as fundamental research.
There are several indicators that this was the case, which are as follows:
- The blockchain analysis shows that QuadrigaCX received tens of millions of dollars worth of bitcoins from objectively illegal sources (such as dark market wallets) in such a way where it cannot be argued that they were ignorant to these transactions. In other words, the following research will show that the argument that a customer was interacting with these illicit sources and then sending the funds directly to QuadrigaCX, unbeknownst to them, is entirely implausible. In fact, the report will show that it is more than likely that QuadrigaCX was either initiating these deposits manually or lending their address to these entities directly.
- Funds from the cold wallet addresses were ‘mixed’ in an attempt to obfuscate their origin, which is highly unusual for any legitimate, legally operating entity in the position of QuadrigaCX.
- Much of the money that QuadrigaCX had access to is inexplicable. For instance, the estimated liquidated total far exceeds what QuadrigaCX should have been able to glean from simply absconding all of their customer funds.
- Funds from the cold wallet addresses were sent directly to illicit parties such as SilkRoad, hacked exchanges, and known Ponzi schemes. Transfers to dark market websites are simply indefensible in any circumstance. Again, it must be reiterated that these were not user-generated withdrawals or deposits. Thus, these were transactions that QuadrigaCX initiated manually themselves.
The best way to explain QuadrigaCX’s activity is to relate it to a real world example of running a ‘front business’.
Essentially, analysis shows that QuadrigaCX operated in the same manner as an illegal night club, gentleman’s club, bar, laundromat, car wash, or similar type of business that receives a lot of cash.
If these businesses are being used as illegal ‘fronts’, they will still operate in a manner that closely resembles a “legal” operation. In theory, there will actually be a laundromat, gentleman’s club, car wash, etc., that is in existence. However, the true income garnered from running the business will be substantially lower than the income reported. This is because the owners of these enterprises (if they are illegal money laundering fronts) will often mix in funds from illegal sources in order to ‘clean’ the money.
Money must be ‘cleaned’ when it comes from illicit sources because the financial systems of the world are designed to quickly flag individuals that are transferring significant sums of money that are unaccounted for.
For instance, if John Doe walks into his local bank, opens up an account, then deposits $3 million into the account without a verified source of income or legitimate, verified reason for why John possesses such money, then John Doe’s account will more than likely be flagged and frozen, then there will be a subsequent investigation of John by his nation’s tax and law enforcement agencies. At the very least, John will lose his money, which defeats the purpose of John acquiring it in the first place.
However, if John has a legitimate source of income on paper that appears to validate why John would have so much money, John can successfully access his money.
This is why cash businesses are generally preferred in the ‘real world’ when it comes to money laundering. Banks keep strict financial records which mean that there is a very easy-to-follow paper trail when it comes to digital/credit transactions. However, this is obviously not the case with cash. There’s no way to validate whether a night club received $5,000 in cash on a Friday night or $10,000. Thus, if they did receive $5,000, they could elect to add in an extra $5,000 to that total that stems from outside funds. This money is then reported as legitimately earned income, and now the illicitly earned money has been “washed”.
It appears that this was how QuadrigaCX was functioning. While yes, it is true that customer funds were absconded, this does not appear to be the primary reason for why QuadrigaCX was in business. The following blockchain analysis will show that QuadrigaCX received tens of millions of dollars that could not have derived from customer deposits. Given the general public’s (and law enforcement/financial institutions’) unfamiliarity with blockchain, the obfuscation of their wallet addresses, and poor tracking of customer deposits/withdrawals on the exchange, QuadrigaCX was in a position where they could easily claim that most of their illicit funds stemmed from customers.
Thus, one of the goals of this report, after uncovering the actual nature of Quadriga’s alleged cold wallets, is to show, without equivocation, that QuadrigaCX received tens of millions of dollars from known criminal entities, effectively laundering the money for them.
If this claim is not true, it is incumbent upon QuadrigaCX to provide significant evidence attesting otherwise. Conveniently, QuadrigaCX has reported that it did not ‘keep books’ nor do they have any objective knowledge (in the absence of Gerry Cotten, their CEO) on where their crypto was stored. Therefore, they are only able to give a rough estimate of the customer funds that are ‘missing’ or ‘unavailable’.
However, there is no way to validate that this number is actually correct without verified, validated customer records and stringent accounting on their part.
Given the lack of any accounting records, the in-flow of tens of millions of dollars stemming from illicit/criminal enterprises, and the inexplicable failure on the part of the exchange to share knowledge of the company’s primary assets with more than just one individual (Gerry Cotten), the author and all associated researchers stand behind the conclusion made in this section of the report.
Methodology Behind the Research
This report makes zero leaps in logic. The assertions stated above are supported entirely by the transactions in the wallets themselves. This information is corroborated by software, graphic visualization, and consultation with a few outside blockchain experts, and each finding is associated with specific wallet addresses, transaction IDs, transaction times and amounts (in both USD and BTC).
It should be noted, however, that there were thousands of transactions in total among all of the wallets analyzed. Therefore, the report does not include an explicit dissection of each and every single transaction. That does not mean that such an analysis was not performed by the author and associated researchers; it just means that not all transactions were analyzed in the report because it would be impractical or infeasible to do so.
To compensate for this practical constraint, dozens of screenshots, wallet addresses, transaction IDs, and known entities that these wallets transacted with are included within this report. Contrary to the prior report, these connections are not simply listed, they are explained in enormous detail with accompanying links and corroborating information from verified sources.
All information included within the report can be independently verified and more than enough information has been provided to allow any interested parties to independently corroborate the veracity and accuracy of the information included in this report.
Given the aforementioned constraints of posting an analysis of each and every single transaction, there are some insights into the nature of these wallets that are yielded by the author and the researchers that are not explicitly shown. Again, it must be reiterated that no extrapolations/conclusions are made in this report that are unsupported by the data and analysis.
No Cluster Address Methodology Was Used
There was absolutely no cluster address methodology used in the compilation of this research. Instead, each wallet is analyzed individually and the transactions to corresponding wallets are analyzed on a transaction by transaction basis as well.
QLUE Analysis Software
One of the major differences between the prior analysis (pt. 1) and this one is that professional blockchain analysis software was used in the preparation of this report. This software is called ‘QLUE’.
What is QLUE?
QLUE stands for Qualitative Law Enforcement Unified Edge and it was created by the ‘Blockchain Intelligence Group’. Its purpose is to provide more powerful insight regarding blockchain data by wielding a suite of proprietary tools and analytical techniques that one cannot find on regular online blockchain analysis websites.
This software is generally used by law enforcement to assist them in their investigations in the crypto sphere.
Perhaps the biggest benefit of this software is that it allows for a visual analysis of the flow of bitcoins, rather than forcing us to settle for a letter/number based analysis.
Author’s Credibility
There have been significant rumblings among pundits on social media, in mainstream media, and in courtrooms that the ‘investigation’ is being dominated by ‘chat rooms’ and ‘conspiracy theories’.
Readers of this report should rest assured that this report would not qualify as ‘chat room research’.
The author of this research report has been tracking any and all relevant information pertaining to the functionality and solvency of QuadrigaCX for well over a year at this point.
In addition, the author of this report owns a cryptocurrency research-based website with 500+ published reports in the crypto space dating back well over a year.
The author has successfully performed an analysis of blockchain data in the past and has written informational reports designed to educate the general community about the technical specifics of blockchain.
In addition, the author has published significant bodies of work that involve tremendous fundamental analysis of various projects, exchanges, leadership structures, acquisitions, whitepapers (prospectus), political in-fighting, conflicts, collusion, and collaboration in the cryptocurrency space.
The author has also had conversations with and interviewed numerous notable individuals in the community such as: Pierre Rochard (Bitcoin Core developer), Vitalik Buterin (founder of Ethereum), Charlie Lee (founder of Litecoin), Jed McCaleb (founder of Stellar Lumens), Charles Hoskinson (founder of Cardano), along with countless others. The combined market valuation of the aforementioned projects is well in excess of $40 billion.
The research will begin by analyzing each wallet in no particular order. For convenience, these wallets will be labeled with the numbers 1 through 5 as they are introduced into the report.
Cold Wallet #1 – 1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R
To view this wallet’s transaction history, please visit:
A quick observation shows that several hundred bitcoins have exited the wallet over the past year:
For that, we are going to consult the ‘QLUE’ software.
QLUE Analysis of Wallet #1
When we plug the address into the QLUE software, this is the first result that we get:
In specific, we’re going to look at the 174+ BTC outgoing transaction from February 7th, 2018:
Here is the visual from QLUE below:
But let’s go ahead and track where the funds have gone:
The destination address is ‘1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP’, which is shown in the picture above.
This is another wallet within the same cluster (MtGoxandOthers):
We can see significant sums of money traveling back and forth between the wallets, more than likely in an attempt to obfuscate the origin and the flow of funds.
Fortunately, it should not be too difficult for us to investigate where these coins have gone.
Here are some screenshots below:
The address for that wallet = 18mk2R2WTzeyLR69yugSM8J5LBQBtQRaRy
The wallet address for this wallet = 367ADepMPHndxXNCevbQeJT8KWq3vLte7R
It appears that this was labeled as ‘Bitfinex hack’ because this address was listed as one of the addresses that were compromised when Bitfinex was hacked in 2016.
Money going to or from this address is indicative of involvement. In theory, a compromised address at an exchange (one that has been successfully hacked) would be a hotbed for other illicit funds and funds that must be laundered/tumbled/mixed in order to obscure their origin.
The Address is Listed in This PasteBin Dump of Affected Addresses During the Bitfinex ‘Hack’ in 2016:
It must be noted that this is a direct transaction to this wallet, without intermediary.
0083abb19ca6ce1ff1dd55ffa6531fe4d88d3ec884d93ee3c3f9a03efb4cb1b1 3F14ooo4Z4BchZrFNSxF5jgssMjJcKPfay 1PsMd9HzNxfyFNRQRxsjjvvzX48EmZVn9n 13.20420957
Cryptsy Hack Involvement
The value (in USD) of the transferred bitcoins at the time was $1.2 million.
The transaction occurred on July 30th, 2016 — yet Cryptsy’s website was officially ‘down’ on January 15th, 2016:
What’s most interesting is that in the months before Cryptsy went down, the exchange collectively sent over 16,000 bitcoins to Bitfinex from late 2015 through most of 2016. Most of the transactions occurred even after Cryptsy had declared themselves insolvent.
The TX IDs for these sends are located below:
Just about every transaction went to this wallet: 3BW7c6gDF2QA63JUAtnFuXiv66q5D9tGbF (Bitfinex)
The vast majority of those funds (thousands of bitcoins; millions of dollars) are then transferred to this wallet address ‘3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk’.
Some of the funds are transacted there directly, while other portions of the funds are re-routed through several different wallets before eventually reaching the ‘3Agxod’ address.
In total, the aforementioned address (3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk) has received nearly half a billion dollars worth of Bitcoin in its history. However, at this point, it only holds approximately $10k.
What is notable is that there is also a send here from the parent wallet (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) (Transaction ID: 8eb827c19712eb388076bfd226321667d7b0251aa9138d638caa80c533039903).
More Deposits to Bitfinex
Specifically, a $12+ million deposit to Bitfinex’s hot wallet can be observed below (TX ID: 0baac7b192def11e085f96509da7e5129e01ad837cef67fc41e21fe3dcf17e02)
The recipient wallet was Bitfinex’s hot wallet: 1Kr6QSydW9bFQG1mXiPNNu6WpJGmUa9i1g
- There appears to be 153 bitcoins parked here (October 2018): 1FksuzLTaYDV5GiqsGAnF62mywCatXyuuW
- Tens of millions of dollars from the overarching wallet (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) have been liquidated. These funds were not used to satisfy customer withdrawal requests.
According to blockchain.info, $180M has been through this wallet in total:
Back to QuadrigaCX “Cold Wallet” #1 (1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R)
If we revisit QuadrigaCX’s cold wallet #1, we can see the vast majority of this wallet’s funds came from ‘EvolutionMarket’ (dark web wallet).
In addition, the money appears to be sourced to and from various Bitcoin mixers as well:
Below is a picture of the total amount of funds that have entered and exited from this wallet address:
Cold Wallet #2 — (1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa)
This is another wallet that was listed in the Reddit post cited by CoinDesk.
The transaction ID for one of QuadrigaCX’s deposits to this wallet (on February 6th, 2019) is posted below for convenience:
Again, Blockchain.info can help us ascertain how many bitcoins have been in and out of this wallet:
Graphical Visualization of Wallet In-Flows For Wallet #2
As with wallet #1, we will look at the graphical in- and out-flows for Bitcoin for this wallet:
Also, to be clear, this is a Silk Road controlled address, not a customer address.
In the picture above, we can see a significant number of Bitzino wallets sending funds over to this QuadrigaCX cold wallet. Some of these transfers are direct.
More QuadrigaCX Deposits Found in Cold Wallet #2
The wallet address for the QuadrigaCX wallet labeled above = 1AUaxsdfA7mZTajSwKX2QZVMBU7Wgi6ZQR.
In total, it received $1.7 million. None of that money is in this address currently:
It seems that the vast majority of this money was sent to this alleged cold wallet address in one fell swoop:
In the picture above, we see more funds flowing from QuadrigaCX to Bitfinex. In total, 196 bitcoins were involved in this transaction from Quadriga cold wallet #3 into a Bitfinex ‘old’ wallet (labeled old because it is no longer in use). The address of the receiving wallet is 1Jw5nc5TM4xp8KmRrdXfcCiWYoDaC2BVAK.
Bitzino Casino Transactions
As shown above, there were several bitcoins stemming from Bitzino (An Online Bitcoin Casino). It should be noted that, overall, the vast majority of money going in and out of Quadriga Cold Wallet #2 was to Bitzino.
Overall, there was $20 million+ in transaction volume between this Quadriga Cold Wallet #2 and Bitzino, which represents over half of the total funds that were received at the Quadriga Cold Wallet #2 address.
What is interesting about Bitzino is that it shut down spontaneously and mysteriously without any warning around 2016. Whether the funds have been laundered or not remains in question.
The transactions between Silk Road, other illegal darkweb entities (i.e., AlphaBay, AlphaMarket, etc.) as well as the size of the transactions received and sent from these wallets (i.e., in excess of $1M+ at times), show that those wallets were definitely not customer wallets.
At this point in the analysis, there is no direct evidence that any customer ever made a deposit to either cold wallet address.
If readers remember the previous Bitcoin chain analysis of QuadrigaCX’s wallet activity, they will note that identifying customer withdrawals was relatively easy. Therefore, in the absence of evidence that any customer directly deposited to this address, it is fair to assert that any and all funds that were deposited to either Quadriga Cold Wallet #1 or Quadriga Cold Wallet #2 were either done by Quadriga directly or by other entities (like Bitzino) that were directly given the wallet address (for some reason).
It is worth noting that all money that entered into this wallet was re-directed toward known liquidation outlets, such as:
- Other Exchanges
Wallet #3 — (1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M)
Let’s go ahead and take a look at the graphical representation for this wallet:
This is the wallet that was mentioned under the subheading of the first wallet analysis. It was noted, in specific, that this wallet was involved in significant illegal activity, such as funds laundered from the Cryptsy wallet following their insolvency (Cryptsy at the time alleged they had absolutely no money and their exchange website was down) as well as the Bitfinex wallet (after it had been announced and listed as ‘compromised’). Deposits to the ‘1JZJaD’ wallet from this cold wallet address may explain why there was a grand total of $180 million that passed through that wallet.
Given the enormous sum ($180 million) that has been moved in and out of the aforementioned wallet, it is almost implausible to insist that the individual owner of that wallet could be a customer of the exchange:
This transaction among others makes it obvious that the cold wallet addresses are interconnected with one another in some way. Perhaps the connection is nothing more than money being passed back and forth from one entity to another.
Purpose of Wallet #3
The top address (1JZJaDD) is the wallet that we tracked as receiving over $180 million (and subsequently delivering it).
The second address, ‘1CRN5’ is not an address that was included within the 5 that are allegedly Quadriga cold wallets, so we’ll leave that alone for the time being (although there is probably plenty of insightful information to glean from that address).
The #3 and #4 addresses are two of the addresses that were definitively listed as QuadrigaCX ‘cold wallet’ addresses per the Reddit post and CoinDesk’s report.
It appears that money is being shuffled through this wallet with the primary goal of ending up at one of the four wallets listed above.
This was determined by the needlessly complex and lengthy route of travel for many of the coins in the wallet before they arrived at their final destination (i.e., one of the top 4 wallet addresses listed above).
It is worth noting that, again, none of the funds that entered into this wallet were specifically customer funds. It appears that money was re-routed from disparate dark market sources (such as AlphaBay/AlphaMarket/etc.) and coin mixers/tumblers.
In general, the wallet appears to be an intermediary destination for funds before reaching their final liquidation point.
Wallet #4 — (1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB)
The address posted above is the 4th QuadrigaCX cold wallet that we will cover in this report.
Again, this wallet address is connected to the ‘MtGoxandOthers’ cluster wallet:
So, let’s go ahead and take a look at the actual wallet itself:
This, along with the transactions that have been re-routed between the wallets through mixers and intermediate wallets, makes it very likely that the wallets are connected with one another and operated by the same entity.
If we head over to the QLUE software, we are presented with this picture from the outset:
But before casting any judgment on the nature of this wallet, it is best to take a look at the transactions going to and from the wallet.
Below, is a graphical representation of the web of wallets and transactions that are connected to this cold wallet:
Let’s look at the next connection:
There was yet another connection to this wallet found immediately afterward as well:
Even beyond this transaction, there is yet another one that routes to this illicit wallet from Quadriga Cold Wallet #4:
The transaction ID for this 94 Bitcoin transfer = (8784ea22504498d5e26d3bf2687effdc78638264bb7875ca53b7ef617b45e233).
All of the other sizable transactions coming from QuadrigaCX ‘Cold Wallet’ #4 lead directly to that illicit address:
There are no intermediaries between these two wallets. The boxes that are shown in the middle represent the TX ID’s, not separate wallets.
Further analysis (conducted by lowering the ‘filter’ for transaction amounts shown) reveals that even more transactions were going directly to this illicit wallet than what can be captured visibly on screen in one photo:
Wallet Address: 14AtH4G1dELMznREtC8EtyXL5FpMFuQezy
It appears that the remainder of bitcoins in this send went to Binance (exchange):
Continued Analysis of Wallet #4 ($50M Liquidation Trail)
- The trail begins with QuadrigaCX ‘Cold Wallet’ #4. (1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB)
- From there, we see a 152 bitcoin transaction worth $900k going to 1HFtPCQoYeW4xqihW59wagJf1rLvVotYWK (tx ID = d51b0cf9c6da4a9f6bfbbf8987ff42d307c1aa4deee8515bf796f071820f6fc0).
- The 1HFtPCQ wallet then receives +850 more bitcoin, to total 1,005 bitcoins that it has received. This is for a total $8.1 million. The transaction ID for this = d6e83af553b81b0b22d22d4c8376e311c27b17347d793a329c61255e7a412841.
- All the bitcoins ($8 million) are then sent to 1C5hceoqJpX826BcxYtdRSJXUkZs6fkwGn. (same transaction ID)
- This wallet (1C5hceoqJpX826BcxYtdRSJXUkZs6fkwGn) has received a total of 7,214.97 bitcoins worth a total USD value of $53 million. Currently, its value stands at 0.
- All transactions occurred between November 19th, 2017 — January 4th, 2018 in the 1C5hceo wallet.
- All of the funds were then aggregated and sent to 16UMAqsX26ACD9oZddekW4u5T4S1o9tQyz ($53 million) (3499 bitcoins). (Transaction ID = 341a76ab927935230ebc39acc48c8282a710fdfe431e6bbcc342300e70bfcc26).
- From the 16UMA wallet, the funds were split to two addresses with the two addresses receiving 200 bitcoins and 3299 bitcoins, respectively. 200 bitcoins ($3M) went to 38cbxEcWc9d6w2w4XWsqhE6e9nKx33D5qA. 3299 bitcoins went to 1LeWddfZ4PXEbi2sJMMdYUX2FgY97KEj9H. The transaction ID for this = 73478664d0ee694b0e4d58ef67bd64900703afc63ebe239bd84b4317c166deb8.
- From there on, the wallet that received 3299 bitcoins, also split the money into two tranches once again (299 bitcoins and 3,000 bitcoins; worth $49.9 million). 299 bitcoins ($4.9 million) went to 18gcZTBrhhAoqu7xee7ga9GL59KcKJwbLR. 3,000 bitcoins ($45.6 million) went to 1HmccKNxcFm3xMmjgHn5kPhR7jczZrn7TW. (Transaction ID: 8119643bef4d27ac73a6e33cabb4654d5f9030509db7eb3de5c834aff62edb52).
- The wallet that received 3,000 bitcoins (1HmccKNxcFm3xMmjgHn5kPhR7jczZrn7TW) then received 999 additional bitcoins from outside sources before forwarding all of that money ($42.9 million) to 1L9WRCCa14DM5v1jinDy1LUV9mjXHSmmGF. (TX ID = f8e1d19515d665f9ce63f7e3c9e0779a55ce42f70262fbe29cf60d261ead4f9c).
- At this point, the bitcoins from 1L9WR are split up into two transactions of 499 bitcoins ($5.3 million) and 3,500 ($40.14 million), respectively. The 499 bitcoins went to the QuadrigaCX exchange (3CdyFXH2bSznSw9rJ5uZoe85SjReKSCeFF), while the 3500 went to an unknown wallet address (1HSs2rKpWAT2mJwhByHQoo7jg87oUfTsVb). (TX ID: 5a5a37289403d2a32936411561bd5185d20c2089a7ebccf2a69a77d1c853c51b).
- From there, the 3500 bitcoins ($40 million) is then split into two transactions of 3200 ($36.68 million) and 300 bitcoins ($3.4 million), respectively. The 300 bitcoin send ends up at 3P1sSi54Qz6yYSNfD5iwZoR7kvf8PqjPMp, while the 3200 bitcoin ends up at 1Kr9Mk4ijz4zw7oU4F1Cr8nj1s14T4TE2x. (TX ID = a9858f9768a33463ccd5540d54e452d50179c71b2a96ed3a55318339ec4a4ad6)
- The money is then re-routed through a few wallets, with the final destination wallet being 32qYHqxHNLJq83yJriopxPRTPb6bjkXzHe.
- If we track back to the QuadrigaCX hot wallet that received 499 bitcoins in this transfer (3CdyFXH2bSznSw9rJ5uZoe85SjReKSCeFF), it appears that all of those bitcoins were then sent to identifiable QuadrigaCX wallets (correlated with the main QuadrigaCX cluster). From there, almost all wallets sent money directly to Bitmex (TX ID: af96cf4e702040229ac15423c358183f52ee113b39f321f2dd57bf6caa339879). These were bulk amounts of several hundred thousand dollars at once.
All funds that were sent to 32qYHqxHNLJq83yJriopxPRTPb6bjkXzHe have been liquidated.
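The splits listed above can be reconciled hop by hop, and the 999 BTC that joined from outside sources can be separated from the original pot by proportional ("haircut") attribution. This is an added example, not QLUE output or code from this report; addresses are cut to their first five characters, txids to their first eight, amounts are the whole-BTC figures stated in the list with fees ignored, and using the haircut method (with outside funds assumed to arrive before the spend) is this example's choice.

```python
from collections import defaultdict
from fractions import Fraction

# (txid prefix, sender, [(recipient, BTC), ...]) in the order the report lists them.
HOPS = [
    ("341a76ab", "1C5hc", [("16UMA", 3499)]),
    ("73478664", "16UMA", [("38cbx", 200), ("1LeWd", 3299)]),
    ("8119643b", "1LeWd", [("18gcZ", 299), ("1Hmcc", 3000)]),
    ("f8e1d195", "1Hmcc", [("1L9WR", 3999)]),
    ("5a5a3728", "1L9WR", [("3CdyF", 499), ("1HSs2", 3500)]),
    ("a9858f97", "1HSs2", [("3P1sS", 300), ("1Kr9M", 3200)]),
]
EXTERNAL = {"1Hmcc": 999}   # inflow the report attributes to outside sources
START = "1C5hc"             # aggregation wallet where the stated amounts begin


def reconcile(hops, external, start):
    """Return (mismatches, sinks).

    mismatches: intermediate addresses whose stated inflow and outflow differ.
    sinks: addresses that receive funds but never spend within the trail.
    """
    received, sent = defaultdict(int), defaultdict(int)
    for _txid, sender, outputs in hops:
        for recipient, amount in outputs:
            received[recipient] += amount
            sent[sender] += amount
    for addr, amount in external.items():
        received[addr] += amount
    mismatches = {a: (received[a], sent[a])
                  for a in sent if a != start and received[a] != sent[a]}
    sinks = {a: amt for a, amt in received.items() if a not in sent}
    return mismatches, sinks


def haircut(hops, external, start):
    """BTC at each address attributable to `start`, spread pro rata at every spend."""
    total, tainted = defaultdict(Fraction), defaultdict(Fraction)
    for addr, amount in external.items():
        total[addr] += amount              # outside money carries no attribution
    for _txid, sender, outputs in hops:    # hops must be in chronological order
        if sender == start:
            share = Fraction(1)
        elif total[sender] == 0:
            raise ValueError(f"{sender} spends before it receives; check hop order")
        else:
            share = tainted[sender] / total[sender]
        for recipient, amount in outputs:
            total[recipient] += amount
            tainted[recipient] += share * amount
    return dict(tainted)


if __name__ == "__main__":
    mismatches, sinks = reconcile(HOPS, EXTERNAL, START)
    attributed = haircut(HOPS, EXTERNAL, START)
    print("unbalanced hops:", mismatches or "none")
    for addr, amount in sinks.items():
        print(f"{addr}: {amount} BTC, {float(attributed[addr]):.2f} from {START}")
```

The stated figures balance: the five end points hold 4,498 BTC, which equals the 3,499 BTC pot plus the 999 BTC of outside funds, and 1Kr9M is only the last address with a stated amount before the funds are re-routed onward.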
Analyzing Derivative Funding For Quadriga Cold Wallet Address #4
To recap, the string of transactions outlined above began with only 152 bitcoins — which were sent from QuadrigaCX’s “cold wallet” #4.
So that begs the question of how the aggregate funds grew to the total size of 4k bitcoins.
Below are the footnotes that were taken during the tracking of these funds:
- It appears that a significant number of bitcoins came from the QCX ‘Cold Wallet’ #3 (1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M) (TX ID: 5cbdcec2a61655a7f22c4c7a46aab0739c4a371bfd7d60e6eb8c5fed62dd18ba). In total, at least 188 bitcoins worth $1.5 million.
- More funds from the alleged Bitcoin ‘Cold Wallet’ #2 (1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa) came in as well (TX ID: d06023fa301b32158c93d470a7f803b66c2605460d4503b724f94deaded1842b). In total, there was $790k sent; 96.77 bitcoins.
- A significant sum of QuadrigaCX hot wallets sent over money as well (what appear to be customer funds) (TX ID: f32e0612927a63080d8c9a295d56a2bef5ec6f202483e932ff424033647cea98). The estimated total is at least 150 bitcoins worth $1.35 million at the time of transfer. It is worth noting that customers did not send these funds directly to this wallet because the wallets they were contained in are controlled by QuadrigaCX. This was established through statements made by Quadriga through the Court Monitor.
- More money is seen coming from QuadrigaCX ‘cold wallet’ #5 (1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe) ($2 million; 120 bitcoins) [TX ID: 877283280c466160cd72bc5ab4d8db472536e28b781d963b452059491e984e70]. Plus another $1 million (64 bitcoins) [TX ID: 7b8bcbea54e4cbec9a893bbae265250b3c11cebe25c7d1863da1eadadd49fc01]
Visual Representation of the QuadrigaCX Cold Wallet #4 Analysis
Below are some pictures from the QLUE software’s graphic visual representation of QuadrigaCX’s transactions from their alleged ‘cold wallet’ (#4).
These snapshots are provided to attest to the breadth of analysis for these wallets.
Conclusions From Wallet #4
- The illegal activity that was observed in the first three wallets does not exist in this wallet at all.
- All of the money that has entered into this alleged cold wallet has either been liquidated or gone to 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP.
- Millions of dollars went from the alleged ‘cold wallets’ of Quadriga directly into liquidation (this is demonstrated clearly via screenshots, TX IDs, and wallet addresses).
- It appears that a substantial amount of money was sent from QuadrigaCX’s main cluster address (where they received 100 bitcoins a few days ago), and then subsequently liquidated via this wallet as well.
- There is no plausible argument for stating that any of the intermediate wallet addresses covered in this portion of the report belong to individual customers. The pattern of movement of these addresses strongly suggests that they are being controlled by one entity (i.e., numerous addresses re-routing to one location simultaneously, numerous addresses with funds that end up at the same liquidation point, etc.)
- This report states with confidence that $50M+ was liquidated from QuadrigaCX Cold Wallet #4. All destination points out of the wallet are highly identifiable as either — a) belonging to the one wallet identified in the first analysis as essentially a hotbed for criminal behavior (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) or b) A known cryptocurrency exchange wallet address.
- It is more than likely that several million more dollars were either liquidated from the other ‘cold wallets’ (going directly into other wallets, yet not touching cold wallet #4), or via customer funds being directly siphoned into this ‘cold wallet’ or the illicit wallet.
- As mentioned by the author of the Reddit post, one wallet in particular that’s a bit troublesome is (1PdBMFkicx1vTHs9P6whPGondSVcmndVha). This wallet received $10 million from QuadrigaCX Cold Wallet #4. None of that $10 million is associated with the $50 million that we can verifiably state has been liquidated down.
- Because of the aforementioned liquidation in #8 as well as others that were not necessarily included in this segment of the analysis, the report concludes that at least $80 million was liquidated down through this wallet by QuadrigaCX. However, only $50M has been calculated into the final spread.
Wallet #5 (1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe)
Similar to the previous four cold wallets, the fifth and final wallet’s last outgoing transaction was sent in early April 2018.
Let’s take a look at the wallet on QLUE:
On ‘blockchain.com’, we can see that $41 million have exited this wallet:
Difficulty in Analyzing
For whatever reason, the source of all funds coming into the wallet has been heavily mixed to the point where distinguishing the source of the funds is nearly impossible (as is a mixer’s job).
Typically, the source of these funds can usually be de-mystified with a bit of legwork (i.e., clicking through wallets endlessly, taking notes, seeing ‘meet’ points, clusters, etc.) — but in this case, it appears that whoever sent the funds was mindful enough to significantly obfuscate the source of the transaction.
However, this does not stop us from determining that several hundred bitcoins again went to 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP.
A number of wallets were also tagged with ‘dark markets’, but without ascertaining the exact source of those wallets, determining the nature of these transactions is nearly impossible.
The research above should not be considered premature or speculative. The results are definitive, and the flow of transactions going both in and out of the wallets (apart from the last wallet that was covered) should make the conclusions stated in the beginning of this report readily apparent.
Below is a Brief Q&A
Q: How do we know that these cold wallets have not been receiving customer funds?
- There is a substantial amount of funds that have entered into these wallets, but they did not derive from the main hot wallet. Many of the transactions derived from outside sources. However, these outside sources were not customer wallets. We can make that assertion because of a) the amounts that were being sent & b) the manner in which they were sent.
Below is a chart of the Bitcoin rich list (at the time of writing):
Based on that fact alone, the idea that there were hundreds of customers funneling 100+ BTC transactions directly to QuadrigaCX, a Canadian exchange that was far from the leading exchange in terms of worldwide Bitcoin volume, should be met with extreme skepticism.
While nothing can be ruled out (even gravity is still considered a theory), the burden of proof should be placed firmly upon QuadrigaCX and any other proponents of this theory to prove or provide some sort of definitive evidence that shows that any of these transactions were from customer intermediaries.
In addition, the exchange’s widely publicized banking and withdrawal problems throughout 2018 make it even more implausible that they were able to garner significant Bitcoin deposits in the last year too.
Q: So if the cold wallet wasn’t receiving customer deposits, then where was the money coming from?
- As explained in the report above, there were several sources for these funds. They were as follows:
- Aggregated customer deposits at QuadrigaCX that were sent by the exchange itself.
- Darkweb addresses.
- Hacked/compromised exchanges.
- Bitcoin scams (HYIPs, Ponzis, ‘Multiply Your Bitcoin!’ Schemes)
- Online Bitcoin Casinos (Not Explicitly Illegal According to Canadian Law)
- Other Illicit Sources
The list above is actually another reason why we can state in the affirmative that these were not customer withdrawals.
Q: This report claims that QuadrigaCX liquidated down $400M worth of bitcoins. How is this possible?
- This question is a good one and it requires a multi-faceted answer. In order to answer this question, we should first ask ourselves:
‘What should we consider liquidation?’
This is an important question to ask because, without an answer, it can always be suggested that, ‘Maybe the money was going to their real cold wallets’.
To start with, a proper definition of liquidation, in this context, is when an exchange/entity/customer redeems their cryptocurrency for some other value.
Generally, when money is seen being sent from an unidentified (personal) wallet to an exchange, that is considered liquidation. This is because exchanges are not storage.
It has been posited in the crypto community and in Jennifer Robertson’s (wife of CEO Gerry Cotten) affidavit that perhaps Gerry Cotten was storing the funds at an exchange.
This explanation for the funds is implausible for a host of reasons, which are as follows:
- Crypto assets are fundamentally different from real world assets in that the greatest means of securing one’s assets in this space is personal storage. In the real world, [Canadian] banks have CDIC (Canadian equivalent of FDIC for American readers) and customers have a right to their money in the event that the banks defraud them in some way. Banks in established nations with developed economies are also much less susceptible to ‘losing’ customer funds and robbing/hacking a bank for its money is exponentially more difficult than hacking a crypto exchange. In crypto, however, there is no unified regulation that mandates a certain level of transparency or ethical conduct from the actors in the space (i.e., exchanges). It is not uncommon to read news about an owner absconding with funds given to them for safe keeping by their customers. Hacks, of course, are a somewhat mundane experience and customers usually bear the brunt of such adverse events when they occur. Therefore, retaining ownership of one’s crypto holdings and securing them personally is the best method of securing one’s funds in the crypto space.
- There are plenty of other exchanges in the cryptocurrency space with vast holdings of Bitcoin and they simply do not engage in the practice of storing their funds on another exchange. All this would do is add tremendous counterparty risk.
- If there were an exchange that QuadrigaCX was storing their funds on, the above research would lead any reasonable observer to conclude that the exchange in question is Bitfinex. Given the fact that the two exchanges have the same payment processor (Crypto Capital Co.), it is more than logical to suggest that Gerry Cotten’s death would not be an impediment to Bitfinex releasing those funds. However, given the number of bitcoins that have been transferred to Bitfinex from QuadrigaCX and the current number of bitcoins in Bitfinex’s possession — the funds have more than likely been liquidated by Bitfinex themselves at this point.
Where funds were observed going to:
- Multiple exchange hot wallets (with Bitfinex being the most common deposit location).
- ‘Localbitcoins’. For those that do not know, ‘localbitcoins’ is a service for people that are looking to sell their bitcoins via face-to-face transactions. If bitcoins are being sent here, there is a 99.9% chance that those bitcoins have been liquidated.
- Illicit entities. These entities include the same illicit sources named above in the report. It goes without saying that these entities probably would not return QuadrigaCX’s funds, even if they had them.
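The forward tracing and destination classification described in this answer can be sketched as follows. This is an added example, not part of the original report or of the QLUE software; every address name, amount and label in it is constructed, and the pro-rata split at mixed addresses is an assumption chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, BTC); not real chain data.
TRANSFERS = [
    ("cold_wallet", "hop_a", 100.0),
    ("cold_wallet", "hop_b", 50.0),
    ("unrelated_sender", "hop_b", 50.0),   # outside funds mixed into hop_b
    ("hop_a", "exchange_deposit", 60.0),
    ("hop_a", "hop_c", 40.0),
    ("hop_b", "p2p_market", 100.0),
    ("hop_c", "exchange_deposit", 30.0),   # hop_c keeps 10 BTC unspent
]
# Constructed tags, standing in for the labels an analysis tool attaches.
LABELS = {"exchange_deposit": "exchange", "p2p_market": "p2p_marketplace"}
LIQUIDATION_CATEGORIES = {"exchange", "p2p_marketplace"}


def trace_destinations(source, transfers, labels, max_hops=20):
    """Follow funds forward from `source`; return traced BTC per category."""
    out_edges, received = defaultdict(list), defaultdict(float)
    for sender, receiver, amount in transfers:
        out_edges[sender].append((receiver, amount))
        received[receiver] += amount
    totals = defaultdict(float)

    def push(addr, amount, hops):
        if addr in labels:                 # tagged service: stop tracing here
            totals[labels[addr]] += amount
            return
        spent = sum(a for _, a in out_edges[addr])
        if spent == 0 or hops >= max_hops:
            totals["unspent_or_untraced"] += amount
            return
        # Pro-rata: the traced share leaves in the same proportions as all
        # funds that passed through this address.
        forwarded = amount * min(1.0, spent / received[addr])
        totals["unspent_or_untraced"] += amount - forwarded
        for receiver, sent in out_edges[addr]:
            push(receiver, forwarded * sent / spent, hops + 1)

    for receiver, sent in out_edges[source]:
        push(receiver, sent, 1)
    return dict(totals)


def liquidated_total(totals):
    """Sum the categories the report's definition counts as liquidation."""
    return sum(v for k, v in totals.items() if k in LIQUIDATION_CATEGORIES)
```

Only the traced share is counted at a mixed address: `hop_b` forwards 100 BTC to the marketplace, but 50 BTC of it is attributed to the source wallet.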
Arriving at the $400M Total
Given the fact that these wallets were all virtually emptied (i.e., all funds in each of the wallets examined were liquidated), the author added the aggregate total between all 5 wallets. The author also had an independent blockchain research firm examine the transactions between the illicit wallet that was outlined in this report and one of the other hot wallets. The analysis yielded the conclusion that the two owners had to either A) Be the same entity or B) Be working for or with each other in close cooperation.
Thus, the illicit wallet’s liquidation total was factored in as well.
Q: How can the author be so sure about their findings?
- This is another great question. The answer, simply put, is because of blockchain and QuadrigaCX’s self-identification.
For those that have not been following this story, QuadrigaCX made the following announcement via the court monitor approximately two days ago:
These two pieces of evidence, in conjunction, serve as strong evidence that the screenshot above is of QuadrigaCX’s ‘hot wallet cluster’.
As noted in the Reddit report that the CoinDesk article referenced, these 104 bitcoins were sent to 5 different wallets. Based on QuadrigaCX’s statements through the Court Monitor, it must be accepted that the aforementioned 5 wallets in the report belong to QuadrigaCX.
If this is not the case, then QuadrigaCX has lied explicitly, which would undoubtedly have an indelible impact on the trajectory of this situation going forward.
Given that the cold wallet addresses were known, the only work required from that point was piecing together how many bitcoins went into the wallets and where these bitcoins were sent to as well as where these bitcoins are from.
Final Remarks
This piece was created with painstaking diligence to ensure that there was “no stone left unturned” for either the readers, potential investigators reading the report or litigators of this matter.
As many have stated, it is important to not turn the QuadrigaCX situation into a ‘witch hunt’. However, in that same vein, it is also important to not look for reasons to exonerate QuadrigaCX.
Since this is merely a blockchain analysis, which is quantitative and finite rather than qualitative, there is no room for ‘bias’ in dissecting the results.
Reflecting on the report from a subjective point of view, it appears that customer funds at QuadrigaCX were liquidated and that a significant amount of money was laundered as well. However, it does not seem that the primary purpose of Quadriga’s operation was to liquidate customer funds.
In essence, it appears that QuadrigaCX was involved in significant criminal activity that had no direct relation to the exchange at all and that the presence of the exchange itself gave it a plausible reason for owning so many bitcoins.