Smoke and mirrors: Unpacking the sagas of Prime Trust and Fortress Trust
While the universe of digital assets is vast, it’s a small world for crypto custodians. A long bear market and a series of compromises has resulted in two major custodial catastrophes in the summer of 2023: Prime Trust and Fortress Trust.
These cases shocked the industry in different ways and have been notable for their twists and turns. But these compromises were preventable and contain teachable moments for the rest of us.
Casa specializes in helping investors take self-custody of their assets to sidestep the risks of third-party custodians. To help you avoid similar disasters, we thought we would summarize these events with a few points to remember. Let us begin.
What happened with Prime Trust?
Prime Trust was a custodian that acted as the backend for several exchanges and apps. The company was a “qualified custodian” regulated by the State of Nevada.
According to a court filing, Prime Trust migrated its custody onto another platform in 2019. In 2021, the company started unintentionally providing customers with deposit addresses to a 3-of-6 multisig wallet for which it no longer had access to enough keys to sign transactions. Any funds sent to those addresses were lost.
To complete requested withdrawals, the company used customer funds to purchase assets from December 2021 to March 2022. Making matters worse, a crypto bear market set in which placed further strain upon the company’s finances. The company also invested customer funds in TerraUSD, a doomed algorithmic stablecoin that collapsed in May 2022.
By June 2023, rumors began to circulate about the financial hole at Prime Trust. Crypto custodian BitGo agreed to acquire Prime Trust but backed away from the deal. Shortly thereafter, Prime Trust was placed into receivership and eventually filed for bankruptcy.
What happened with Fortress Trust?
Fortress Blockchain Technologies was another company started by Scott Purcell, the same founder as Prime Trust. Purcell departed Prime Trust in 2021 and founded Fortress later that year.
Fortress Trust was a subsidiary of Fortress and was also licensed in the state of Nevada. While there are some similarities between Fortress Trust and Prime Trust, the two were separate companies and were compromised in different ways. The two cases became public within months of each other, though some Prime Trust customers had already switched to become Fortress Trust customers.
On September 7, 2023, Fortress posted on X that a third-party vendor had cloud tools compromised. The post stated that Fortress Technology was not breached, and there was no loss of funds.
The next day, Ripple, the fintech company affiliated with the cryptocurrency XRP, announced it had agreed to acquire Fortress Trust.
On September 11, The Block reported that with the deal, Ripple had bailed out losses sustained by Fortress Trust customers in a security incident as a part of the acquisition.
Later that day, Mike Belshe, the CEO of BitGo posted on X that Fortress Trust had omitted facts about what happened. Though BitGo was not affected in the breach, the company did custody assets for Fortress and the ambiguity around the situation compelled them to issue a statement.
“After the breach, Fortress reached out to BitGo,” Belshe wrote. “BitGo strongly advised Fortress to disclose what happened immediately. Fortress did not do that. Eventually, Fortress decided to sell to Ripple.”
Later in September, Ripple CEO Brad Garlinghouse announced that Ripple had decided not to move forward with an outright acquisition but would remain an investor in Fortress.
What have we learned?
Prime Trust and Fortress Trust were hardly the first third-party institutions to fall prey to a key compromise, and as much as it pains us to say it, they are unlikely to be the last. These companies existed because there is a dearth of options for “qualified custodians” for regulated investments, such as trust accounts.
The best way to avoid being caught up in a calamity like this is to hold your own keys. Self-custody helps you sidestep custodial risk and maintain control of your assets. Our Casa vaults protect your assets with multiple keys so one disastrous event doesn’t mean lost funds, and you can get help from security experts whenever you need it. Learn more here.
Custodial risk is an inconvenient threat
Most people choose custodians for convenience, but leaving assets with a custodian isn’t a magic solution for securing your wealth. Custodians are subject to more sophisticated security risks than individuals, from both inside and outside the organization. Because they hold a lot of assets, they’re considered “honeypots” and more likely to be targeted.
If a custodian is compromised, the level of assets at stake also tends to cause any possible recovery or remediation process to be complex and prolonged. In the case of bankruptcy, account holders are considered creditors, and they are at the mercy of the judicial system.
You can’t always trust a Trust
Just because a company is a custodian and has “trust” in their name doesn’t mean you should trust them. Helping oneself to customer funds and failing to disclose a breach constitute shameful behavior. But these events tend to occur when custodians engage in damage control and try to buy themselves time.
When you give your assets to a custodian, you never really know what is happening behind closed doors and if they are fully reserved. And all too often, custodians breach trust to save face as seen with Fortress Trust. We’ve seen other failed custodians misrepresent the truth in recent years, such as Celsius and FTX.
Bitcoin and other digital assets were built on public blockchains. This allows you to audit your self-custody yourself. Don’t trust — verify.
A custodian might not have its act together
Court filings show Prime Trust was using a 6-key multisig, which would require them to lose four keys before assets would be inaccessible. This is nearly impossible to do with proper key distribution and periodic checkpoints.
At Casa, we recommend our members perform health checks on each of their keys every six months. Additionally, we equip our members with Sovereign Recovery instructions, which allow you to replicate your vault without Casa. This feature is a failsafe in case Casa is ever unreachable, and it also helps you verify we know what we’re doing.
Regulators won’t save the day
Generally, when exchanges and custodians are hacked, the events are accompanied by a public outcry for governments to act. Victims, the media, and politicians discuss who is to blame and how similar actions can be prevented in the future.
In truth, government enforcement actions are a lagging indicator, and regulations act as a deterrent. When situations like those at Prime Trust and Fortress Trust occur, the powers at be are not aware until it’s too late to reverse the outcome. Thankfully, in the case of Fortress Trust, customers were made whole. But in other cases that progress through bankruptcy, it can take years for assets to be found, let alone returned to creditors, and that’s with some luck.
Even if your case proceeds smoothly through the court system, you might only be partially reimbursed when all is said and done. Bankruptcy proceedings can also exact a major toll on the value in question. As of June 2023, FTX has tallied more than $200 million in professional fees over the course of its bankruptcy case. When you factor in that time is money, waiting for legal action can be costly in a multitude of ways.
Final thoughts
When custodians fail, they’re often inclined to take the path of least resistance and avoid dealing with the situation.
The best custodian for your assets is you. Casa will continue to build tools to help you make the most of your self-custody. No trust required.
See how easy self-custody can be
Casa helps investors take self-custody of their assets with multiple keys for greater protection against hacks, theft, and custodial risk. With a Casa vault, you can own your bitcoin and ethereum fair and square and have full peace of mind.
Schedule a call or send us a message with a Casa advisor to learn more.
Stay in the know
Security is the art of staying ahead. Our Casa Security Briefing provides weekly updates about privacy, security, and other news. Sign up below to receive future editions.