On my last evening at the World Economic Forum in Switzerland a week ago, I encountered a man who picks locks for a living—digital locks, that is. I had overheard the Swedish safe-cracker discussing his work and its relation to cryptocurrency while dining in the barroom of the Hotel Chesa Grischuna in Klosters. (You don’t need FaceTime to eavesdrop!) I invited him to share a beer later that evening.
Robert Rhodin, CEO and founder of the blockchain security startup KeychainX, helps people reclaim lost cryptocurrency wealth. The longhaired man regaled me with stories about how he has helped people recover Bitcoins. (Perhaps you might recall that roughly 4 million Bitcoins have been lost forever.) He got into the business when a friend’s Ledger wallet, a device that stores people’s private keys, started malfunctioning. Rhodin fiddled with the hardware—the circuitry behind a bum button—until he regained access, he said. On another occasion, Rhodin’s brute-forcing programs helped an early investor unravel a forgotten password that had secured his digitial vault: “rebeccaissexy.” (“Rebecca,” whose name I changed, was the investor’s girlfriend.)
I was reminded of my conversation with Rhodin when I learned of a substantial mislaid bounty this week. The proprietor of QuadrigaCX, a Canadian cryptocurrency exchange, died suddenly, taking knowledge of his business’ recovery keys to the netherworld with him. Apparently, nobody—including the owner’s widow—has access to the $190 million in virtual currencies his business secured. The late entrepreneur, Gerry Cotten, who succumbed to complications from Crohn’s disease, “ran the business through his laptop, mostly at our home” in Fall River, Nova Scotia, the widow wrote in an affidavit. But his laptop is encrypted and, she claims, she doesn’t know the password. “Despite repeated and diligent searches, I have not been able to find them written down anywhere,” she said.
This is a major problem for traders who stashed their holdings with the exchange. Already, desperate customers and other rabble-rousers are drawing knives and peddling conspiracy theories on Reddit: “The DEAD MAN IS STILL ALIVE SOMEWHERE NOW and he ran away with our money,” wrote one pessimist. With her affidavit, the widow is seeking a stay of action from the courts, requesting they halt the proceedings of any potential lawsuits while she attempts to recover business records with the help of associates and security consultants. A glimmer of hope: One forensic investigator she hired “has had some limited success in recovering a few coins and some information from Gerry’s cell phones and other computer, but not yet from the main computer he used to conduct business.”
Such wealth-obliterating mishaps are bound to become more prevalent as cryptocurrency adoption grows, despite the recent market downturn. Plenty of cryptocurrency exchanges, such as San Francisco-based Coinbase, have processes in place to transfer the departed’s treasures to families and next of kin—but not all do, as this tragedy demonstrates. No doubt many individual investors, enamored with the potential to be one’s own bank, manage their keys and passwords themselves, giving little thought to a backup plan. It’s a disaster in the making.
Upon learning of the QuadrigaCX news, I messaged Rhodin to ask whether he believes there’s any hope for a hired hand to dig up the exchange’s elusive riches. “It’s worth a shot,” he said, noting that breaking a computer’s encryption “is usually much easier than a crypto wallet.” But he added a caveat: “of course depending on password length…”
Mortality, despite its inevitability, is often, regrettably, unexpected. What happens to your cryptocurrency, post-mortem, doesn’t have to be.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
This is an A and B conversation. A glitch in Apple's FaceTime video chatting app allowed people to spy on others, via audio and video, as they were called into a group chat. The bug was discovered by a 14-year-old named Grant Thompson, whose mother attempted to get Apple's attention for more than a week before the finding blew up on social media. Apple disabled the feature, apologized, thanked the Thompsons, and said it is releasing an update to correct the issue next week.
One-stop shop. A gargantuan cache of stolen passwords and usernames is making the rounds online. The hoard, which contains more than 2.2 billion records, collates credentials from many known data breaches, such as ones affecting LinkedIn and Dropbox, as well as breaches unknown to the public. Such datasets are useful for hackers looking to beef up their password cracking tools. You can check to see whether any of your login credentials were affected by entering your email address here.
Facebook is doing just fine. Despite a rash of bad press for its data breaches and disinformation boondoggles, Facebook is still printing money, as its latest earnings report demonstrated. The media giant is making changes left and right: tweaking its advertising policies to curb election interference, creating an independent advisory board to oversee content moderation efforts, and bringing aboard a bunch of vocal privacy lawyer activists. Oh, and it got caught abusing its Apple App Store privileges, offering to pay Millennials to use an app that hoovered up loads of their data. Apple initially suspended Facebook's access, as well as Google's, for similar reasons, but it later re-admitted the two companies.
Hire missionaries, not mercenaries. The United Arab Emirates hired more than a dozen ex-U.S. intelligence operatives to surveil governments, perceived threats, and critics, as part of a secret operation called Project Raven, Reuters reported, citing interviews with former contractors. The team is said to have used a spying tool called Karma to gain intimate access to the iPhones of "activists, diplomats and rival foreign leaders." Recruits, such as former National Security Agency analyst Lori Stroud, said they were ready to speak out once it became clear they were helping to spy on fellow Americans.
Share today's Cyber Saturday with a friend:
http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
ACCESS GRANTED
Locked and loaded. When Lesley Carhart discovered her apartment building planned to roll out networked smart locks, she became enraged. As a threat hunter at Dragos, a startup that tracks nation state-sponsored hacking campaigns, she feared these digital door-bolts might weaken her personal security, invade her privacy, and leak her data. After tweeting about her displeasure, Carhart penned a thoughtful essay about the things people should consider when their apartments area headed into so-called smart territory.
Here is a smattering of Carhart's advice:
If you’re a tenant in the US, it’s very likely that a management-provided smart home system is headed your way in the near future. Carefully evaluate your family’s personal threat model, and consider the plausible digital ways which these systems could be exploited.
Spend some time reading into the vendor. Respectfully and courteously encourage your property management company and their smart system vendor to adopt industry best practices in securing smart hubs physically and digitally, the networks they are connected to, and and resident data at rest and in transit in their infrastructure. Request your property managers clearly and decisively address privacy concerns such as data ownership and resale in writing. If solid answers in writing don’t assuage legitimate concerns, consider politely seeking an option to opt-out – and make your threat model clear to them, if you’re in a sensitive situation.
FORTUNE RECON
Meet Uber’s First-Ever Chief Privacy Officer by Danielle Abril
Why H&M Just Hired the Cambridge Analytica Whistleblower by Erik Sherman
What Is a Deepfake? Let This Unsettling Video of Jennifer Lawrence With Steve Buscemi’s Face Show You by Kevin Kelleher
How Quitting Facebook Could Change Your Life by Erin Corbett
Researchers Discover Malware That Targets Apple Mac Computers and Cryptocurrency Exchanges by Jonathan Vanian
Apple Engineer Accused of Stealing Autonomous Car Secrets by Lucas Laursen
Robocalls Are Getting Worse and Scammers Are Making Money Off Them: Report by Emily Price
Two Hacker Groups—Both Still Active—May Have Stolen $1 Billion in Cryptocurrency by Chris Morris
Court's Biometrics Ruling Poses Billion Dollar Risk to Facebook, Google by Jeff John Roberts
Data Breaches Declined Last Year. But Here's Why You Should Be More Worried Than Ever by Danielle Abril
ONE MORE THING
Caught red-handed. Spanish police have aprehended an alleged drug trafficker who had eluded capture for 15 years thanks to anatomical hijinks. The suspect, whose identity has not been revealed, was said to have mutilated his digits, effacing their fingerprints; to have received hair implants; and to have adopted the identity of Peruvian and Croatian citizens. Gotta hand it to him...he really tried.
