QuadrigaCX Bitcoin Cold Wallet Analysis: Money Laundering, Comingling with Darkweb Markets, and Fund Re-direction

QuadrigaCX Dec 08, 2020
Foreword: This bombshell piece of journalism was published several months prior (early 2019) during the immediate aftermath of the world discovering Gerry Cotten, the owner of QuadrigaCX, had passed away in what many felt were mysterious circumstances. While we may never know exactly what transpired in Gerry's final hours, we can be almost certain about the activities that QuadrigaCX was engaged in.

If you're wondering why this was not publicized more by others - I have no clue either and it's probably best not to speculate since this analysis is chock full of what will eventually be understood as empirical proof. Any claims or assertions made within this text can be cross referenced with ease, as I went to great lengths to ensure this would be so.

Specifically, this work provides times and dates as well as wallet addresses and transaction IDs (which are formed on the backbone of cryptography itself before being validated by a globally distributed network of peers in a trustless, public and auditable process that reaches conclusions in a highly predictable fashion).
The best part, however, is that this information is essentially evergreen - so whether this analysis helps individuals today or tomorrow or 10 years from now, it's worth documenting meticulously and publishing in the interest of genuine transparency.

Last word - please forgive the verb tense in this write-up. Again, this is a republishing of the same analysis that was syndicated on a Medium account that is no longer in use (after being inexplicably banned for publishing very neutral, fact-driven analysis pieces like this one).

Recently, CoinDesk posted an article on their site that referenced a Reddit user’s analysis into the 103 bitcoins that QuadrigaCX (Canadian Exchange) claims that it sent to a cold wallet by accident.

Blockchain Analysis Ties 5 Bitcoin Addresses to QuadrigaCX Exchange - CoinDesk
Researchers have identified a group of bitcoin addresses that likely belonged to the cold wallets of failed exchange QuadrigaCX.

Specifically, CoinDesk cites this Reddit post:

Despite the fact that it is visibly clear that the funds were removed out of the cluster address that it was sent to, the Reddit user argues that this, in fact, is okay because the true cold wallet addresses for QuadrigaCX are a list of five addresses, which they self-identified.

The author states:

“1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa Balance of 36.37786282 BTC
1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB Balance of 33.19556316 BTC
1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M Balance of 19.54328527 BTC
1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe Balance of 10.34268585 BTC
1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R Balance of 4.87560516 BTC
For a total of 104.33500226 BTC. Notably, every address was inactive since April 2018 and the majority of their received BTC was either directly from the QCX hot wallet or a wallet 1 transfer removed from the hot wallet.
With all this information we can confirm:
These 5 addresses are a portion of the QCX cold wallet addresses.”

This information was covered and re-blogged/retweeted/shared by numerous credible news outlets since it was originally shared and published by CoinDesk (approximately 48 hours ago [from the time of writing]).

Given the opaque nature of these funds, the author has taken it upon themselves to perform due diligence and research into the nature of these ‘cold wallets’.

This report makes no claims as to whether these are legitimately cold wallet funds or not, but rather examines the nature of these wallets to ascertain their activity in order to get a better idea of what these wallets may have been used for.

Findings From the Report

In total, QuadrigaCX sent and liquidated down $400M+ in each of the associated addresses plus the wallet address (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP). The latter wallet address was included because research from blockchain firm ‘Trinide’ concluded a significant correlation between the above address and the cold wallet addresses (more on this in the conclusion plus a link to the 200+ pulled transactions).

These ‘cold wallets’ are associated with a significant amount of criminal activity. This criminal activity includes but is not limited to: dark markets, child pornography, fraud, identity theft, hacking, blackhat services, drug trafficking, and human trafficking. There were no potential ‘middle men’ between the operator of the cold wallets and the recipient/sender of the funds from these sources. To be clear, there were hardly any ‘legitimate’ (i.e., legal) transactions in some of these wallets.

Significant amounts of customer funds were siphoned into some of these wallets as well. Those customer funds were usually pooled, aggregated, then liquidated down. The research was careful to ensure and demonstrate that the funds were not aggregated, then sent to another ‘cold wallet’ location. Final destinations were verified with advanced blockchain software and multiple other identity verification sources.

The exchange Bitfinex, specifically, received tens of millions of dollars from these cold wallets. Some of the funds that were sent to Bitfinex were of questionable legal nature.

Some of the transactions that occurred within the cold wallets significantly implicated involvement with Payza/Obozo/Egopay controlled entities.

Methodology Behind the Research

This report makes zero leaps in logic. The assertions stated above are supported entirely by the transactions in the wallets themselves. This information is corroborated by software, graphic visualization, consultation with a few outside blockchain experts and each finding is associated with specific wallet addresses, transaction IDs, transaction times and amounts (in both USD and BTC).

No Cluster Address Methodology Was Used

There was absolutely no cluster address methodology used in the compilation of this research. Instead, each wallet is analyzed individually and the transactions to corresponding wallets are analyzed on a transaction by transaction basis as well.

QLUE Analysis Software

One of the major differences between the prior analysis (pt. 1) and this one is that professional blockchain analysis software was used in the preparation of this report. This software is called ‘QLUE’.

What is QLUE?

QLUE stands for Qualitative Law Enforcement Unified Edge and it was created by the ‘Blockchain Intelligence Group’. Its purpose is to provide more powerful insight regarding blockchain data by wielding a suite of proprietary tools and analytical techniques that one cannot find on regular online blockchain analysis websites.

This software is generally used by law enforcement to assist them in their investigations in the crypto sphere.

Perhaps the biggest benefit of this software is that it allows for a visual analysis of the flow of bitcoins, rather than forcing us to settle for a letter/number based analysis.

Wallet #1 (1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R)

The research will begin by analyzing each wallet in no particular order. For convenience, these wallets will be labeled with the numbers 1 through 5 as they are introduced into the report.

To view this wallet’s transaction history, please visit:

https://www.walletexplorer.com/address/1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R

A quick observation shows that several hundred bitcoins have exited the wallet over the past year:

So, in order to get a better idea of what this wallet’s purpose is, we will begin by tracking the transactions going out of the wallet itself.

For that, we are going to consult the ‘QLUE’ software.

QLUE Analysis of Wallet #1

When we plug in the address into the QLUE software, this is the first result that we get:

Specifically, we’re going to look at the 174+ BTC outgoing transaction from February 7th, 2018:

Here is the visual from QLUE below:

The big ‘0’ means that it has been detected by the software as being involved in a scam/hack/criminal activity. In other words, this is the type of wallet that you would flag if you ever caught it sending to your exchange. Thus, as an exchange, you certainly would never want to own a wallet like this.

But let’s go ahead and track where the funds have gone:

Again, it appears considerable funds exited to this wallet (it clumps other funds that have gone here from the alleged QuadrigaCX ‘cold wallet’ as well).

The destination address is ‘1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP’, which is shown in the picture above.

This is another wallet within the same cluster (MtGoxandOthers).

Note: We aren’t following clusters right now, we’re simply following addresses.

It's worth noting that the last transaction in this wallet occurred on December 3rd, 2018.

The graphical representation of this wallet’s transactions paints a hectic picture.

We can see significant sums of money traveling back and forth between the wallet — more than likely in an attempt to obfuscate the origin and the flow of funds.

Fortunately, it should not be too difficult for us to investigate where these coins have gone.

Below is a screenshot exemplifying the ease with which certain connections can be drawn:

We can see 100 bitcoins went to ‘Localbitcoins’ (an OTC/person-to-person seller).

The address for that wallet = 18mk2R2WTzeyLR69yugSM8J5LBQBtQRaRy

The above transfer is a bit more disconcerting as it is labeled as ‘Bitfinex Hack’.

The wallet address for this wallet = 367ADepMPHndxXNCevbQeJT8KWq3vLte7R

It appears the reason that this was labeled as ‘Bitfinex hack’ is due to this Reddit post:

Which takes us to this pastebin:

txid from to amount002740a49e16fc127b0a58a887e5ad77cc4d5114a38aa6df0922cfebb76 - Pastebin.com

It must be noted that this is a direct transaction to this wallet, without intermediary.

Cryptsy Hack Involvement

In the above picture, 340.65 bitcoins are seen being transferred directly to the wallet of the Cryptsy hack (3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw) [TX ID: 47c2882d0d9781415e6c71a5047a2df6d2371062d3bf13c742443f28adedcdca].

At the time, this represented a value of $1.2 million.

The transaction occurred on July 30th, 2016 — yet the Cryptsy website was officially ‘down’ on January 15th, 2016:

Cryptsy Threatens Bankruptcy, Claims Millions Lost in Bitcoin Heist - CoinDesk
Amidst a withdrawal freeze and the filing of a class action lawsuit in federal court, Cryptsy has announced that it is insolvent.

What’s interesting (and somewhat unrelated), is that just days before Cryptsy went down, over 5,000 bitcoins were transferred to Bitfinex:

Transaction ID = d367bed1ba58906f9b6f01e73df74856a88b7662777ccaf428ac385379a52983

What’s most interesting is that in the months before Cryptsy went down, the exchange collectively sent over 16,000 bitcoins to Bitfinex from late 2015 through most of 2016. Most of the transactions occurred even after Cryptsy had declared themselves insolvent.

The TX IDs for these sends are located below:

  1. f920a5918023624891209dbf684c9c154da27a807ec80d958db7fe0163ed42ad
  2. d367bed1ba58906f9b6f01e73df74856a88b7662777ccaf428ac385379a52983
  3. d6cd65531063a336c1340e5fc640cd022b9b67159f604c5baec0c0752dce2d51
  4. 4508ab2bea26e41462e380f24422d32c53d186f571d3c702cbd93f54bddf999d

Just about every transaction went to this wallet: 3BW7c6gDF2QA63JUAtnFuXiv66q5D9tGbF (Bitfinex)

The vast majority of those funds (thousands of bitcoins; millions of dollars) end up at wallet address ‘3AgxodEvv9FZtm6LMgPxCSmBwhNSBdFsSk’.

In total, the aforementioned address has received nearly half a billion dollars worth of Bitcoin. However, at this point, it only holds approximately $10k.

What is notable is that there is a send from the parent wallet (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) (Transaction ID: 8eb827c19712eb388076bfd226321667d7b0251aa9138d638caa80c533039903).

More Bitfinex Deposits

Specifically, below, a $12+ million transfer to Bitfinex’s hot wallet can be observed (TX ID: 0baac7b192def11e085f96509da7e5129e01ad837cef67fc41e21fe3dcf17e02).

The recipient wallet was Bitfinex’s hot wallet: 1Kr6QSydW9bFQG1mXiPNNu6WpJGmUa9i1g

Additional Observations:

  • There appears to be 153 bitcoins parked here (October 2018): 1FksuzLTaYDV5GiqsGAnF62mywCatXyuuW
  • Tens of millions of dollars from the overarching wallet (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) have been liquidated. These funds were not used to satisfy customer withdrawal requests.

According to blockchain.info, $180M has been through this wallet in total:

Back to QuadrigaCX “Cold Wallet” #1 (1J9Fqc3TicNoy1Y7tgmhQznWrP5AVLXj9R)

If we revisit QuadrigaCX’s alleged cold wallet (according to CoinDesk), we can see the vast majority of this wallet’s funds came from ‘EvolutionMarket’ (dark web wallet).

In addition, the money appears to be sourced to and from various Bitcoin mixers as well:

It is worth noting that millions of dollars in laundered funds from BTER.com (now known as Gate.io) were laundered through this alleged hot wallet as well.

Below is a picture of the total amount of funds that have entered and exited from this wallet address:

As one can see in the picture above, approximately $43.5 million entered into this wallet. Only $17.6k remains.

Wallet #2 — (1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa)

This is another wallet that was listed in the Reddit post cited by CoinDesk.

The transaction ID for one of QuadrigaCX’s deposits to this wallet (on February 6th, 2019) can be found here:

https://www.walletexplorer.com/txid/63019af632b2eb2b76d9845fd564bff3fe299822505412b002201b8610afb758

Blockchain.info can help us ascertain how many bitcoins have been in and out of this wallet.

From what we can see above, $45 million has been in and out of this address, specifically.

Graphical Visualization of Wallet In-Flows For Wallet #2

As with wallet #1, we will look at the graphical in- and out-flows for Bitcoin for this wallet:

In the picture above, the red circle in the middle represents the alleged cold wallet for QuadrigaCX (1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa).

Notably, there is a ‘Silkroad2market’ wallet address that has received funds from this wallet. This is a direct transaction.

Also, to be clear, this is a Silk Road controlled address, not a customer address.

In the picture above, a significant number of Silk Road withdrawals can be observed as well.

More QuadrigaCX Deposits Found

It appears that QuadrigaCX also dropped 400 $BTC into this wallet back in 2015.

The wallet address for the QuadrigaCX wallet in question is 1AUaxsdfA7mZTajSwKX2QZVMBU7Wgi6ZQR.

In total, it received $1.7 million. None of that money is in this address currently:

It seems that the vast majority of this money was sent to this alleged cold wallet address in one fell swoop:

The rest of the money was sent from this wallet to the 3rd alleged cold wallet (which will be covered next) — 1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB.

It appears 196 bitcoins flowed from this alleged cold wallet address of Quadriga into a Bitfinex ‘old’ wallet (1Jw5nc5TM4xp8KmRrdXfcCiWYoDaC2BVAK)

Bitzino Casino Transactions

The vast majority of money going in and out of the wallet was to Bitzino.

Overall, there was $20 million+ in transaction volume between this alleged cold wallet address and Bitzino.

What is interesting about Bitzino is that it shut down spontaneously and mysteriously without any warning around 2016. Whether the funds have been laundered or not remains in question.

The transactions between Silk Road, other illegal darkweb entities (i.e., AlphaBay, AlphaMarket, etc.) as well as the size of the transactions received and sent from the wallet (i.e., in excess of $1M+ at times), show that this wallet was more than likely not a customer wallet.

What this wallet was and is used for is unknown. However, the heavy involvement with criminal activity cannot be ignored. Again, that seems to be the only activity worth noting with this wallet.

Wallet #3 — (1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M)

As we can see from the picture above, this third ‘cold’ wallet that QuadrigaCX supposedly owns contained $50 million in it at one point.

Let’s go ahead and take a look at the graphical representation for this wallet.

Again, this wallet has been imbued with the rating of ‘0’, meaning that it is widely considered to be unsafe to transact or deal with.

Interestingly, from the picture above, we can see that 142 bitcoins went to wallet (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP).

This is the wallet that was mentioned under the subheading of the first wallet analysis. Specifically, it was noted that this wallet was involved in significant illegal activity, and had essentially laundered over $180 million.

Given the enormous sum ($180 million) that has been moved in and out of the aforementioned wallet, it is almost implausible to insist that the individual owner of the wallet could be a customer.

In the picture above, we can observe 100 $BTC going directly to the 1HyYMMC wallet, which is the 2nd wallet address that we uncovered.

So at this point, it appears that the wallets are interconnected with one another in some way. Perhaps the connection is nothing more than money being passed back and forth from one entity to another.

Overall, as more connections are expanded and extracted from the wallet, the trail of money from disparate sources leading back to this wallet as well as the others in the list is becoming more readily apparent.

Purpose of Wallet #3

After tracing through a significant number of wallet connections, it appears that most of the money is being re-routed back to four wallets:

  1. 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP
  2. 1CRN5bx3KBqSiZoZnftbhSRvaCdfcAjons
  3. 1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa
  4. 1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB

The top address (1JZJaDD) is the wallet that we tracked as receiving over $180 million (and subsequently delivering it).

The second address, ‘1CRN5’ is not an address that was included within the 5 that are allegedly Quadriga cold wallets, so we’ll leave that alone for the time being (although there is probably plenty of insightful information stemming from that address).

The #3 and #4 addresses are two of the addresses that were definitively listed as QuadrigaCX ‘cold wallet’ addresses per the Reddit post and CoinDesk’s report.

Preliminary Conclusion

It appears that money is being shuffled through this wallet with the primary goal of ending up at one of the four wallets listed above.

This was determined by the needlessly complex and lengthy route of travel for many of the coins in the wallet before they arrived at their final destination (i.e., one of the top 4 wallet addresses listed above).

Wallet #4 — (1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB)

The address posted above is the 4th out of 5 wallets that CoinDesk and the Reddit user assert to be QuadrigaCX’s wallets.

Again, this wallet address is connected to the ‘MtGoxandOthers’ cluster wallet:

https://www.walletexplorer.com/wallet/MtGoxAndOthers?from_address=1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB

As stated in the introduction of this report, we will not be dealing with cluster addresses.

So, let’s go ahead and take a look at the actual wallet itself.

Source: https://www.walletexplorer.com/address/1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB

Like the previous three wallets, it appears that the last time any funds were sent from this wallet was on April 4th, 2018.

This, along with the transactions that have been re-routed between the wallets through mixers and intermediate wallets, makes it very likely that the wallets are connected with one another and operated by the same entity.

Source: https://www.blockchain.com/btc/address/1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB

As seen in the picture above, this wallet has received nearly $45 million in total, and there is now only $120,108 remaining in the wallet.

If we head over to the QLUE software, we are presented with this picture from the outset:

The big ‘0’ here denotes that the wallet has been positively associated with scams in the past, which reduces its overall trust rating.

But before casting any judgment on the nature of this wallet, it is best to take a look at the transactions going to and from the wallet.

In the picture above, we can see the passage of approximately 141.559 bitcoins (transaction ID: 2083c8e649b4a745e55d30e56fc7d98c4510f58808f4578395fb11c0ea1b1ad8) going to the wallet we identified earlier in this report as having laundered $180 million with extremely illicit parties. (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP)

Let’s proceed to the next connection:

The wallet address depicted above (17GhMbLczq85BGz9AJ3yxYfT7heynd5mqd) as sending 128.468 bitcoins to the QuadrigaCX “cold wallet” #4 appears to have benign origins.

Below is a graphical representation of the web of wallets and transactions that are connected to the wallet address shown above:

As one can see from the graphical representation above, a significant number of wallets were examined, with the firm conclusion being that the vast majority of funds going into (17GhMbLczq85BGz9AJ3yxYfT7heynd5mqd) stem from the crypto exchange, ItBit.com.

Let’s look at the next connection:

In the picture above, we can see $30,000+ (transaction ID: a98ed1aac36c036063c9106dba87876cc7372193a87a2b91e8d716f20003b6d3) coming from QuadrigaCX owned wallets (1Kw39Kgb8SDxhy4VP4MjM1muSy7sfWur5w).

In the picture above, we can see even more funds going directly to the illicit wallet (Wallet Address: 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) (transaction ID: c6e8301d676ad2a7fe3aff8d998ac8cf0a4c61a25305d08e12b9f7cb03d7e02c).

There was yet another connection to this wallet found immediately afterward as well:

The transaction ID for this 68+ $BTC send is (ea98476055935bb80cd1e517b8a344dd8e202dacd28c18facba41dd5f564bc30).

Even beyond this transaction, there is yet another one that routes to this illicit wallet:

The transaction ID for this 94 Bitcoin transfer = (8784ea22504498d5e26d3bf2687effdc78638264bb7875ca53b7ef617b45e233).

All the other transactions coming from QuadrigaCX ‘Cold Wallet’ #4 lead directly to that illicit address:

It is worth noting that all of these transactions from QuadrigaCX “cold wallet” #4 are going directly to the illicit wallet:

There are no intermediaries between these two wallets. The boxes that are shown in the middle represent the TX ID’s, not separate wallets.

Further analysis (conducted by lowering the ‘filter’ for transaction amounts shown) reveals that even more transactions were going directly to this illicit wallet:

Other sends appear to be landing at ‘localbitcoins’:

Transaction ID: bf00767d140831ec3fa51ea7cbe5c5eef30ddf6f9b259b2db90d5276902c198e

Wallet Address: 14AtH4G1dELMznREtC8EtyXL5FpMFuQezy

It appears that the remainder of bitcoins in this send went to Binance (exchange):

The rest of the analysis of this wallet will be done verbally rather than tracking the wallets visually because of the sheer number of interwoven connections laden within.

Continued Analysis of Wallet #4

  1. Let’s start with the QuadrigaCX ‘Cold Wallet’ #4.
    (1JPtxSGoekZfLQeYAWkbhBhkr2VEDADHZB)
  2. From there, we see a 152 bitcoin transaction worth $900k going to 1HFtPCQoYeW4xqihW59wagJf1rLvVotYWK (tx ID = d51b0cf9c6da4a9f6bfbbf8987ff42d307c1aa4deee8515bf796f071820f6fc0).
  3. The 1HFtPCQ wallet then receives +850 more bitcoin, to total 1,005 bitcoins that it has received. This is for a total $8.1 million. The transaction ID for this = d6e83af553b81b0b22d22d4c8376e311c27b17347d793a329c61255e7a412841.
  4. All the bitcoins ($8 million) are then sent to 1C5hceoqJpX826BcxYtdRSJXUkZs6fkwGn. (same transaction ID)
  5. This wallet (1C5hceoqJpX826BcxYtdRSJXUkZs6fkwGn) has received a total of 7,214.97 bitcoins worth a total USD value of $53 million. Currently, its value stands at 0.
  6. All transactions occurred between November 19th, 2017 — January 4th, 2018 in the 1C5hceo wallet.
  7. All of the funds were then aggregated and sent to 16UMAqsX26ACD9oZddekW4u5T4S1o9tQyz ($53 million) (3499 bitcoins). (Transaction ID = 341a76ab927935230ebc39acc48c8282a710fdfe431e6bbcc342300e70bfcc26).
  8. From the 16UMA wallet, the funds were split to two addresses with the two addresses receiving 200 bitcoins and 3299 bitcoins, respectively. 200 bitcoins ($3M) went to 38cbxEcWc9d6w2w4XWsqhE6e9nKx33D5qA. 3299 bitcoins went to 1LeWddfZ4PXEbi2sJMMdYUX2FgY97KEj9H. The transaction ID for this = 73478664d0ee694b0e4d58ef67bd64900703afc63ebe239bd84b4317c166deb8.
  9. From there on, the wallet that received 3299 bitcoins, also split the money into two tranches once again (299 bitcoins and 3,000 bitcoins; worth $49.9 million). 299 bitcoins ($4.9 million) went to 18gcZTBrhhAoqu7xee7ga9GL59KcKJwbLR. 3,000 bitcoins ($45.6 million) went to 1HmccKNxcFm3xMmjgHn5kPhR7jczZrn7TW. (Transaction ID: 8119643bef4d27ac73a6e33cabb4654d5f9030509db7eb3de5c834aff62edb52).
  10. The wallet that received 3,000 bitcoins (1HmccKNxcFm3xMmjgHn5kPhR7jczZrn7TW) then received 999 additional bitcoins from outside sources before forwarding all of that money ($42.9 million) to 1L9WRCCa14DM5v1jinDy1LUV9mjXHSmmGF. (TX ID = f8e1d19515d665f9ce63f7e3c9e0779a55ce42f70262fbe29cf60d261ead4f9c).
  11. At this point, the bitcoins from 1L9WR are split up into two transactions of 499 bitcoins ($5.3 million) and 3,500 ($40.14 million), respectively. The 499 bitcoins went to the QuadrigaCX exchange (3CdyFXH2bSznSw9rJ5uZoe85SjReKSCeFF), while the 3500 went to an unknown wallet address (1HSs2rKpWAT2mJwhByHQoo7jg87oUfTsVb). (TX ID: 5a5a37289403d2a32936411561bd5185d20c2089a7ebccf2a69a77d1c853c51b).
  12. From there, the 3500 bitcoins ($40 million) are then split into two transactions of 3200 ($36.68 million) and 300 bitcoins ($3.4 million), respectively. The 300 bitcoin send ends up at 3P1sSi54Qz6yYSNfD5iwZoR7kvf8PqjPMp, while the 3200 bitcoin ends up at 1Kr9Mk4ijz4zw7oU4F1Cr8nj1s14T4TE2x. (TX ID = a9858f9768a33463ccd5540d54e452d50179c71b2a96ed3a55318339ec4a4ad6)
  13. The money is then re-routed through a few wallets, with the final destination wallet being 32qYHqxHNLJq83yJriopxPRTPb6bjkXzHe.
  14. If we track back to the QuadrigaCX hot wallet that received 499 bitcoins in this transfer (3CdyFXH2bSznSw9rJ5uZoe85SjReKSCeFF), it appears that all of those bitcoins were then sent to identifiable QuadrigaCX wallets (correlated with the main QuadrigaCX cluster). From there, almost all wallets sent money directly to Bitmex (TX ID: af96cf4e702040229ac15423c358183f52ee113b39f321f2dd57bf6caa339879). These were bulk amounts of several hundred thousand dollars at once.
  15. All funds that were sent to 32qYHqxHNLJq83yJriopxPRTPb6bjkXzHe have been liquidated.
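
The hop-by-hop trace in steps 7 to 12 above can be replayed mechanically. The following is an added example, not part of the original analysis and not a description of how QLUE works: it encodes those steps with addresses abbreviated to their first seven characters, uses the article's rounded whole-bitcoin amounts (fees ignored), and assumes the largest output of each spend is the continuing chain. The function and variable names are hypothetical.

```python
# Hops transcribed from steps 7-12 of the list above: (spender, [(recipient, BTC)]).
# Addresses are abbreviated to their first seven characters; amounts are the
# article's rounded figures. The 3999 at 1HmccKN is derived from the article's
# "3,000 bitcoins ... then received 999 additional bitcoins ... forwarding all".
HOPS = [
    ("1C5hceo", [("16UMAqs", 3499)]),
    ("16UMAqs", [("38cbxEc", 200), ("1LeWddf", 3299)]),
    ("1LeWddf", [("18gcZTB", 299), ("1HmccKN", 3000)]),
    ("1HmccKN", [("1L9WRCC", 3999)]),
    ("1L9WRCC", [("3CdyFXH", 499), ("1HSs2rK", 3500)]),
    ("1HSs2rK", [("3P1sSi5", 300), ("1Kr9Mk4", 3200)]),
]


def follow_peel_chain(start, hops):
    """Walk a chain of spends, following the largest output at every hop.

    Returns a dict with:
      path       - (from, to, amount) for the output that was followed
      peels      - (from, to, amount) for every smaller side output
      injections - (address, amount) where an address spent more than was
                   traced into it, i.e. other funds were merged in
      final      - (address, amount) where the trace runs out of data
    """
    spends = dict(hops)
    path, peels, injections = [], [], []
    current, carried = start, None  # carried = BTC traced into `current`
    seen = set()

    while current in spends and current not in seen:
        seen.add(current)  # guard against loops in the edge list
        outputs = spends[current]
        total_out = sum(amount for _, amount in outputs)

        # Spending more than arrived along the trace means outside funds
        # were commingled at this address.
        if carried is not None and total_out > carried:
            injections.append((current, total_out - carried))

        # Heuristic (an assumption): the largest output continues the chain,
        # the smaller ones are the "peels".
        nxt, amount = max(outputs, key=lambda out: out[1])
        for addr, amt in outputs:
            if addr != nxt:
                peels.append((current, addr, amt))

        path.append((current, nxt, amount))
        current, carried = nxt, amount

    return {"path": path, "peels": peels,
            "injections": injections, "final": (current, carried)}


def is_balanced(result):
    """Check that every traced bitcoin is accounted for:
    first hop + injected funds == peeled amounts + final balance."""
    first_amount = result["path"][0][2]
    injected = sum(amount for _, amount in result["injections"])
    peeled = sum(amount for _, _, amount in result["peels"])
    return first_amount + injected == peeled + result["final"][1]


if __name__ == "__main__":
    trace = follow_peel_chain("1C5hceo", HOPS)
    for src, dst, amount in trace["peels"]:
        print(f"peel      {src} -> {dst}: {amount} BTC")
    for addr, amount in trace["injections"]:
        print(f"injection at {addr}: {amount} BTC from outside the trace")
    print("end of trace:", trace["final"], "balanced:", is_balanced(trace))
```

The injection reported at 1HmccKN corresponds to the 999 bitcoins from outside sources in step 10, and the 499 bitcoin peel at 1L9WRCC is the output the article attributes to the QuadrigaCX exchange.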

Looking Up Derivative Funding

To recap, the string of transactions outlined above began with only 152 bitcoins — which were sent from QuadrigaCX’s “cold wallet” #4.

So that begs the question of how the aggregate funds grew to the total size of 4k bitcoins.

Below are the footnotes that were taken during the tracking of these funds:

  • It appears that a significant number of bitcoins came from the QCX ‘Cold Wallet’ #3 (1MhgmGaHwLAvvKVyFvy6zy9pRQFXaxwE9M) (TX ID: 5cbdcec2a61655a7f22c4c7a46aab0739c4a371bfd7d60e6eb8c5fed62dd18ba). In total, at least 188 bitcoins worth $1.5 million.
  • More funds from the alleged Bitcoin ‘Cold Wallet’ #2 (1HyYMMCdCcHnfjwMW2jE4cv9qVkVDFUzVa) came in as well (TX ID: d06023fa301b32158c93d470a7f803b66c2605460d4503b724f94deaded1842b). In total, there was $790k sent; 96.77 bitcoins.
  • A significant number of QuadrigaCX hot wallets sent over money as well (what appear to be customer funds) (TX ID: f32e0612927a63080d8c9a295d56a2bef5ec6f202483e932ff424033647cea98). Total of 150 bitcoins worth $1.35 million.
  • More money is seen coming from QuadrigaCX ‘cold wallet’ #5 (1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe) ($2 million; 120 bitcoins) [TX ID: 877283280c466160cd72bc5ab4d8db472536e28b781d963b452059491e984e70]. Plus another $1 million (64 bitcoins) [TX ID: 7b8bcbea54e4cbec9a893bbae265250b3c11cebe25c7d1863da1eadadd49fc01]

Summary

Below are some pictures from the QLUE software’s graphic visual representation of QuadrigaCX’s transactions from their alleged ‘cold wallet’ (#4).

Conclusions From Wallet #4

The illegal activity that was observed in the first three wallets does not exist in this wallet at all.

All of the money that has entered into this alleged cold wallet has either been liquidated or gone to 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP.

Millions of dollars went from the alleged ‘cold wallets’ of Quadriga directly into liquidation (this is demonstrated clearly via screenshots, TX IDs, and wallet addresses).

It appears that a substantial amount of money was sent from QuadrigaCX’s main cluster address (where they received 100 bitcoins a few days ago), and then subsequently liquidated via this wallet as well.

There is no plausible argument for stating that any of the intermediate wallet addresses covered in this portion of the report belong to individual customers. The pattern of movement of these addresses strongly suggests that they are being controlled by one entity (i.e., numerous addresses re-routing to one location simultaneously, numerous addresses with funds that end up at the same liquidation point, etc.)

While this cannot be said of the other ‘cold wallet’ addresses up to this point, it appears that this wallet may have been controlled by QuadrigaCX. Thus, it can be stated with confidence on behalf of the researcher that $50M+ was liquidated from this wallet. All destination points out of the wallet are highly identifiable as either — a) belonging to the one wallet identified in the first analysis as essentially a hotbed for criminal behavior (1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP) or b) A known cryptocurrency exchange wallet address.

It is more than likely that several million more dollars were either liquidated from the other ‘cold wallets’ (going directly into other wallets, yet not touching cold wallet #4), or via customer funds being directly siphoned into this ‘cold wallet’ or the illicit wallet.

As mentioned by the author of the Reddit post — one wallet in particular that’s a bit troublesome is (1PdBMFkicx1vTHs9P6whPGondSVcmndVha). This wallet received $10 million. None of that $10 million is associated with the $50 million that we can verifiably state has been liquidated down.

Thus, in conclusion, it's reasonable to state that at least $80 million was liquidated down through this wallet by QuadrigaCX.

Wallet #5 (1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe)

https://www.walletexplorer.com/address/1ECUQLuioJbFZAQchcZq9pggd4EwcpuANe

Similar to the previous four cold wallets, the fifth and final wallet’s last outgoing transaction was sent in early April 2018.

Let’s take a look at the wallet on QLUE:

Again, this wallet is given the rating of ‘0’, which means that it has been positively identified with scams in the past.

On ‘blockchain.com’, we can see that $41 million in bitcoins have exited this wallet:

Difficulty in Analyzing ‘Cold Wallet’ #5

For whatever reason, the source of all funds coming into the wallet has been heavily mixed to the point where distinguishing the source of the funds is nearly impossible (as is a mixer’s job).

Typically, the source of these funds can be de-mystified with a bit of legwork (i.e., clicking through wallets endlessly, taking notes, seeing ‘meet’ points, clusters, etc.) — but in this case, it appears that whoever sent the funds was mindful enough to significantly obfuscate the source of the transaction.

However, this does not stop us from determining that several hundred bitcoins again went to 1JZJaDDC44DCKLnezDsbW43Zf8LspCKBYP.

A number of wallets were also tagged with ‘dark markets’, but without ascertaining the exact source of those wallets, determining the nature of these transactions is nearly impossible.

Conclusion

The research above should not be considered premature or speculative. The results are definitive, and the flow of transactions going both in and out of the wallets (apart from the last wallet that was covered) should make the conclusions stated in the beginning of this report readily apparent.

Below is a Brief Q&A

Q: How do we know that these cold wallets have not been receiving customer funds?

  • A substantial amount of funds has entered these wallets, but they did not derive from the main hot wallet. Many of the transactions derived from outside sources. However, these outside sources were not customer wallets. We can make that assertion because of a) the amounts that were being sent & b) the manner in which they were sent.

Below is a chart of the Bitcoin rich list (at the time of writing):

As the rich list above shows us, 99.36% of all wallets on the Bitcoin protocol contain 1–10 bitcoins or less. Out of all Bitcoin wallets in existence, only 3.13% contain 1–10 bitcoins.

Based on that fact alone, the idea that there are hundreds of customers that are funneling 100+ BTC transactions to QuadrigaCX, a Canadian exchange that was far from the leading exchange in terms of worldwide Bitcoin volume, should be met with extreme skepticism.

In specific, given the exchange’s widely publicized banking problems, it is even more implausible that they were able to garner significant Bitcoin deposits throughout 2018.

Q: So if the cold wallet wasn’t receiving customer deposits, then where was the money coming from?

  • As explained in the report above, there were several sources for these funds. They were as follows:
  1. Aggregated customer deposits at QuadrigaCX.
  2. Darkweb addresses.
  3. Hacked/compromised exchanges.
  4. Bitcoin scams (HYIPs, Ponzis, ‘Multiply Your Bitcoin!’ Schemes)
  5. Online Bitcoin Casinos (Not Explicitly Illegal According to Canadian Law)
  6. Other Illicit Sources

The list above is actually another reason why we can state in the affirmative that these were not customer withdrawals.

Q: This report claims that QuadrigaCX liquidated down $400M worth of bitcoins. How is this possible?

  • This question is a good one and it requires a multi-faceted answer. In order to answer this question, we should first ask ourselves:

‘What should we consider liquidation?’

This is an important question to ask because, without an answer, it can always be suggested that, ‘Maybe the money was going to their real cold wallets’.

To start with, a proper definition of liquidation, in this context, is when an exchange/entity/customer redeems their cryptocurrency for some other value.

Generally, when money is seen being sent from an unidentified (personal) wallet to an exchange, that is considered liquidation. This is because exchanges are not storage.

It has been posited in the crypto community and in Jennifer Robertson’s (wife of CEO Gerry Cotten) affidavit that perhaps Gerry Cotten was storing the funds at an exchange.

This explanation for the funds is implausible for a host of reasons, which are as follows:

Crypto assets are fundamentally different from real world assets in that the greatest means of securing one’s assets in this space is personal storage. In the real world, [Canadian] banks have CDIC (Canadian equivalent of FDIC for American readers) and customers have a right to their money in the event that the banks defraud them in some way. Banks in established nations with developed economies are also much less susceptible to ‘losing’ customer funds and robbing/hacking a bank for its money is exponentially more difficult than hacking a crypto exchange. In crypto, however, there is no unified regulation that mandates a certain level of transparency or ethical conduct from the actors in the space (i.e., exchanges). It is not uncommon to read news about an owner absconding with funds given to them for safe keeping by their customers. Hacks, of course, are a somewhat mundane experience and customers usually bear the brunt of such adverse events when they occur. Therefore, retaining ownership of one’s crypto holdings and securing them personally is the best method of securing one’s funds in the crypto space.

There are plenty of other exchanges in the cryptocurrency space with vast holdings of Bitcoin and they simply do not engage in the practice of storing their funds on another exchange. All this would do is add tremendous counterparty risk.

If there were an exchange that QuadrigaCX was storing their funds on, the above research would lead any reasonable observer to conclude that the exchange in question is Bitfinex. Given the fact that the two exchanges have the same payment processor (Crypto Capital Co.), it is more than logical to suggest that Gerry Cotten’s death would not be an impediment to Bitfinex releasing those funds. However, given the number of bitcoins that have been transferred to Bitfinex from QuadrigaCX and the current number of bitcoins in Bitfinex’s possession — the funds have more than likely been liquidated by Bitfinex themselves at this point.

Where funds were observed going to:

Multiple exchange hot wallets (with Bitfinex being the most common deposit location).

‘Localbitcoins’. For those that do not know, ‘localbitcoins’ is a service for people that are looking to sell their bitcoins via face-to-face transactions. If bitcoins are being sent here, there is a 99.9% chance that those bitcoins have been liquidated.

Illicit entities. These entities include the same illicit sources named above in the report. It goes without saying that these entities probably would not return QuadrigaCX’s funds, even if they had them.

Arriving at the $400M Total

Given the fact that these wallets were all virtually emptied (i.e., all funds in each of the wallets examined were liquidated) — the author added the aggregate total between all 5 wallets. The author also had an independent blockchain research firm examine the transactions between the illicit wallet that was outlined in this report and one of the other hot wallets. The analysis yielded the conclusion that the two owners had to either

A) Be the same entity

or

B) Be working for or with each other in close cooperation.

Thus, the illicit wallet’s liquidation total was factored in as well.

Q: How can the author be so sure about their findings?

  • This is another great question. The answer, simply put, is because of blockchain and QuadrigaCX’s self-identification.

For those that have not been following this story, QuadrigaCX made the following announcement via the court monitor approximately two days ago: [at the time of writing; this was published in live time as increasing amounts of information about QuadrigaCX were being piecemealed to the general public]

This total matches the total amount of funds (off by about a Bitcoin) that were liquidated from the ‘hot wallet cluster’ for QuadrigaCX in the first Bitcoin analysis report:

The cluster wallet depicted above has also been positively identified by matching one of the Bitcoin wallet addresses that Jennifer affirmed as belonging to QuadrigaCX in her affidavit with results on ‘Walletexplorer’.

These two pieces of evidence, in conjunction, serve as strong evidence that the screenshot above is of QuadrigaCX’s ‘hot wallet cluster’.
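How one known address can identify a whole cluster, shown as an added example that is not from the original report: it assumes the common-input-ownership heuristic that wallet-clustering explorers typically apply (addresses spent together as inputs of one transaction are treated as one owner). The transactions and address names are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: txid -> input addresses of that transaction.
# Placeholder names, not real addresses or transactions.
TX_INPUTS = {
    "tx1": ["addr_A", "addr_B"],
    "tx2": ["addr_B", "addr_C"],
    "tx3": ["addr_D"],
    "tx4": ["addr_E", "addr_F"],
    "tx5": ["addr_C", "addr_G"],
    "tx6": [],  # coinbase-style transaction with no spending address
}

class DisjointSet:
    """Union-find over address strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a

def cluster_addresses(tx_inputs):
    """Merge addresses that were co-spent; returns a list of address sets.
    Assumption: no CoinJoin-style transactions, which break this heuristic."""
    ds = DisjointSet()
    for inputs in tx_inputs.values():
        if not inputs:
            continue
        ds.find(inputs[0])  # register single-input spenders too
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    clusters = defaultdict(set)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].add(addr)
    return list(clusters.values())

def cluster_of(tx_inputs, known_address):
    """The cluster containing one independently confirmed address, or an empty set."""
    for cluster in cluster_addresses(tx_inputs):
        if known_address in cluster:
            return cluster
    return set()
```

Here `addr_G` never appears in a transaction with `addr_A`, yet lands in the same cluster through the chain tx1, tx2, tx5, which is why confirming a single address is enough to label every address merged with it.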

As noted in the Reddit report that the CoinDesk article referenced, these 104 bitcoins were sent to 5 different wallets. Based on QuadrigaCX’s statements through the Court Monitor, it must be accepted that the aforementioned 5 wallets in the report belong to QuadrigaCX.

If this is not the case, then QuadrigaCX has lied explicitly, which would undoubtedly have an indelible impact on the trajectory of this situation going forward.

Given that the cold wallet addresses were known, the only work required from that point was piecing together how many bitcoins went into the wallets and where these bitcoins were sent to as well as where these bitcoins are from.

Final Remarks

This piece was created with painstaking diligence to ensure that there was “no stone left unturned” for either the readers, potential investigators reading the report or litigators of this matter.

As many have stated, it is important to not turn the QuadrigaCX situation into a ‘witch hunt’. However, in that same vein, it is also important to not look for reasons to exonerate QuadrigaCX.

Since this is merely a blockchain analysis, which is quantitative and finite rather than qualitative, there is no room for ‘bias’ in dissecting the results.

Reflecting on the report from a subjective point of view, it appears that customer funds at QuadrigaCX were liquidated and that a significant amount of money was laundered as well.

cryptomedication

Happy to serve and help wherever I'm needed in the blockchain space. #Education #EthicalContent #BringingLibretotheForefront
