Crypto Exchange Security Checker
Check Exchange Security
Answer these 5 key questions to determine if an exchange meets minimum security standards. Based on lessons from QuadrigaCX.
When QuadrigaCX shut down in February 2019, over 76,000 users woke up to find their money gone. Not because of a hack. Not because of a market crash. But because the people running the exchange had been stealing from them for years. At its peak, QuadrigaCX was Canada’s biggest cryptocurrency exchange - handling over $1.2 billion in trades in 2017 alone. By the time it collapsed, users were owed more than $215 million. What happened? And what can you learn from it today?
How QuadrigaCX Grew So Fast
In 2013, buying Bitcoin in Canada wasn’t easy. Most people had to wire money to exchanges in Japan or the U.S. QuadrigaCX changed that. Founded by Gerald Cotten and Michael Patryn in Vancouver, it let Canadians trade crypto using Canadian dollars. No more international transfers. No more waiting days for bank wires. It was fast, simple, and local - exactly what the market needed. By 2014, they’d installed Vancouver’s second Bitcoin ATM. By 2017, they were processing over $1.2 billion in trades. The platform grew from a one-person operation to a team of four. They didn’t have fancy marketing. They didn’t need it. Word spread. People trusted them because they looked legitimate: registered with FinTRAC, had offices in Vancouver and Toronto, and even talked about going public. But behind the scenes, things were crumbling.The Hidden Flaws in QuadrigaCX’s Model
QuadrigaCX had no real bank account. Not one. Instead, they relied on third-party payment processors to move Canadian dollars in and out. That meant every withdrawal got stuck in limbo when those processors hit limits or froze transactions. Users started reporting delays in 2018. Withdrawals that should’ve taken hours dragged on for weeks. They also had zero proper accounting system. With $1.2 billion in trading volume and only four employees, they were running on duct tape and hope. There was no audit trail. No reconciliation. No oversight. When trades happened, the system didn’t track who owned what. It just assumed balances matched up. And then there was the cold storage myth. After Cotten died in India in January 2019, the official story was that he was the only one who had the passwords to the cold wallets holding user funds. The media ran with it. Headlines screamed: “Crypto King Dies, Keys Lost Forever.” But that wasn’t true. The Ontario Securities Commission later found that most of the $169 million shortfall didn’t come from lost keys - it came from fraud.The Fraud That Destroyed QuadrigaCX
Gerald Cotten didn’t just lose the keys. He stole the money. The OSC investigation revealed three major fraud schemes:- Fictitious trading: Cotten created fake accounts under aliases like “John Smith” and “CryptoTrader123.” He traded against real users, pretending to be a buyer or seller. When prices moved, he made profits - and users lost money. He did this for years.
- Unauthorized trading: He moved $28 million in client funds to other exchanges like Binance and Kraken without permission. He used those funds to gamble on price swings. He lost it all.
- Ponzi-style payouts: When users wanted to withdraw cash, he didn’t pull from bank accounts. He used new deposits to pay old users. In the final months, the exchange had almost no real money left - yet it kept paying out. That’s how Ponzi schemes work.
Why Users Didn’t Notice Until It Was Too Late
Many users didn’t realize something was wrong because QuadrigaCX looked professional. The website was clean. The support team responded (sometimes). They even held events and promoted themselves as a trusted Canadian brand. But red flags were there if you looked:- In June 2017, they lost $14 million in Ethereum due to a smart contract error. Users were told it was a “technical glitch.” No one ever saw that money again.
- By late 2018, withdrawal delays became routine. Some users waited over 90 days just to get their Canadian dollars back.
- They never published financial statements. No audits. No transparency.
- They refused to let users verify their own wallet balances independently.
What Happened After the Collapse
When Cotten died, the platform froze. Users couldn’t log in. Emails went unanswered. The website went dark. The Canadian government launched an investigation. The FBI, IRS, and U.S. Department of Justice joined in. Over $200 million in missing assets became one of the largest crypto fraud cases in history. In 2021, the courts confirmed what investigators suspected: Cotten had been running a fraud since at least 2015. His wife, Jennifer Robertson, was named executor of his estate. She claimed she never knew about the crypto wallets - and still doesn’t know where the keys are. To date, less than 10% of user funds have been recovered. Some got back small amounts through asset sales. Others got nothing.
Lessons Learned - What You Need to Know Today
QuadrigaCX isn’t just a story from the past. It’s a warning. Never trust an exchange that doesn’t prove it holds your funds. If they say “cold storage” but won’t show proof - walk away. Look for exchanges that publish regular proof-of-reserves audits. Some do this monthly. Others use third-party auditors like BDO or Grant Thornton. Don’t keep large amounts on any exchange. If you’re not actively trading, move your crypto to a hardware wallet. Cold storage isn’t a buzzword - it’s your safety net. Check the team’s background. Michael Patryn’s criminal record was public. But no one checked. Today, you can Google founders, look up past companies, and read court records. If someone has a history of fraud or identity theft - that’s not a coincidence. It’s a pattern. Canadian exchanges aren’t regulated like banks. Even though QuadrigaCX was registered with FinTRAC, that only meant they had to report suspicious activity. It didn’t mean they had to safeguard your money. There’s still no legal requirement in Canada for exchanges to insure client funds.Where to Trade Now - Safer Alternatives
Today, there are better options for Canadians:- Bitbuy: Registered with FinTRAC, publishes monthly proof-of-reserves, offers CAD deposits via Interac.
- Coinsquare: Backed by institutional investors, uses cold storage, and has a strong compliance team.
- Newton: Fully licensed in Ontario, transparent about custody, and allows users to withdraw to external wallets instantly.
Final Thoughts: Don’t Let History Repeat
QuadrigaCX wasn’t destroyed by Bitcoin’s crash. It was destroyed by greed, secrecy, and a complete lack of oversight. The people who lost money weren’t reckless. They were trusting. And that’s what made them vulnerable. If you’re using a crypto exchange today, ask yourself: Do I know where my money is? Can I prove it? Would I be okay if the CEO suddenly disappeared? The answer should be: Yes.Was QuadrigaCX hacked?
No, QuadrigaCX was not hacked. The funds were stolen by its own founders through fraudulent trading, unauthorized transfers, and misappropriation of client assets. The claim that passwords to cold wallets were lost after Gerald Cotten’s death was a cover story - investigations proved most of the missing money came from internal fraud, not technical failure.
How much money was lost in the QuadrigaCX collapse?
Approximately $215 million CAD in cryptocurrency and fiat currency was owed to users when QuadrigaCX shut down in February 2019. The Ontario Securities Commission confirmed a $169 million asset shortfall, with $115 million traced to fraudulent trades, $28 million to unauthorized external trading, and the rest to personal spending by the founders.
Was anyone held criminally responsible for the QuadrigaCX fraud?
Gerald Cotten died in December 2018 before any charges could be filed, so no criminal prosecution occurred against him. Michael Patryn has not been charged in connection with QuadrigaCX, though his criminal past was exposed. Investigations continue, and civil lawsuits are ongoing, but as of 2025, no one has faced criminal charges for the fraud.
Are Canadian crypto exchanges regulated now?
Canadian crypto exchanges must register with FinTRAC and follow anti-money laundering rules, but there is still no legal requirement to hold client funds in segregated accounts or to insure them. Some exchanges voluntarily publish proof-of-reserves and undergo audits, but regulation remains light compared to traditional financial institutions. Investors must do their own due diligence.
Can I get my money back from QuadrigaCX?
A small number of users have recovered partial amounts through asset liquidations and court-ordered sales of Cotten’s personal property. As of 2025, less than 10% of the total owed has been returned. The liquidation process is ongoing but extremely slow. Most users will likely never recover their full losses.
What’s the biggest lesson from QuadrigaCX?
The biggest lesson is that you are not protected by the exchange’s size or reputation. Always assume the exchange could disappear tomorrow. Never keep more crypto on an exchange than you’re willing to lose. Use hardware wallets for long-term storage. And always verify that the exchange you’re using has transparent, third-party audits proving they hold your assets.
David Hardy
November 24, 2025 AT 16:09Belle Bormann
November 25, 2025 AT 23:43Jenny Charland
November 27, 2025 AT 11:00Anne Jackson
November 28, 2025 AT 16:24Caren Potgieter
November 28, 2025 AT 16:43Jody Veitch
November 29, 2025 AT 05:53Linda English
November 30, 2025 AT 17:30