Monday, April 22, 2019

Gerald Cotten, aka Sceptre

Using a variety of OSINT tools and research, we're going to demonstrate the chain of evidence confirming that Gerald Cotten, QuadrigaCX CEO, was also known as "Sceptre" online.

Let's start with the gerryenterprises.com name servers. Gerryenterprises.com was a domain registered by Cotten and used to provide custom name servers for a variety of domains. Using your own name servers instead of relatively inexpensive and powerful third-party options (such as Cloudflare, which QuadrigaCX used) suggests you have other motives in mind, and perhaps obscuring or obfuscating the logs attached to your domains was amongst them.

Using Domain Research Suite (paid subscription required) we can trace every domain that ever used ns1.gerryenterprises.com as a name server. You can verify this for yourself.

https://i.redd.it/xfsf1fk98xt21.png

This search turns up a number of interesting domains, and one in particular, the "contentbysceptre.com" domain, which we can link to a post on BlackHatWorld, along with other data points from other domain research.
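The pivot described above (take one name server, find every domain that ever pointed at it, then tie those domains together through shared registrant details) is the same technique defenders use to cluster related infrastructure in threat intelligence. The following is an added example, not code from the original post or from any tool mentioned in it. The domain, name server and e-mail values are constructed placeholders, and the record format is an assumption; real data would come from a historical WHOIS or passive-DNS provider such as the one the post uses.

```python
"""Infrastructure pivoting over historical domain records.

Added example: clusters domains that share a name server or a registrant
e-mail address, and explains which indicator links any two domains.
All records below are constructed placeholders, not data from the post.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# (domain, observed name server, registrant e-mail) - constructed sample data
Record = Tuple[str, str, str]
RECORDS: List[Record] = [
    ("site-a.example", "ns1.private-ns.example", "alias@mail.example"),
    ("site-b.example", "ns1.private-ns.example", "friend@mail.example"),
    ("site-c.example", "ns2.private-ns.example", "alias@mail.example"),
    ("site-d.example", "ns1.bigprovider.example", "alias@mail.example"),
    ("shop.example", "ns1.private-ns.example", "alias@mail.example"),
    ("unrelated.example", "ns1.bigprovider.example", "someone-else@mail.example"),
]


def domains_using_ns(records: Iterable[Record], name_server: str) -> List[str]:
    """The basic pivot from the post: every domain that ever used one name server."""
    wanted = name_server.lower()
    return sorted({domain for domain, ns, _ in records if ns.lower() == wanted})


def cluster_domains(records: Iterable[Record],
                    noisy_name_servers: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Group domains connected by a shared name server or registrant e-mail.

    Name servers listed in ``noisy_name_servers`` (large shared providers that
    host millions of unrelated domains) are not used as links, because they
    would connect everything to everything. A self-hosted name server is a
    strong pivot precisely because almost nobody else uses it.
    """
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    members_by_key: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for domain, ns, email in records:
        parent.setdefault(domain, domain)
        if ns.lower() not in noisy_name_servers:
            members_by_key[("ns", ns.lower())].add(domain)
        members_by_key[("email", email.lower())].add(domain)

    # Every domain sharing an indicator is joined to the first one in the group
    for members in members_by_key.values():
        ordered = sorted(members)
        for other in ordered[1:]:
            union(ordered[0], other)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    # Largest clusters first, then alphabetical, so output is deterministic
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def shared_indicators(records: Iterable[Record], domain_a: str, domain_b: str) -> Set[Tuple[str, str]]:
    """Return the (kind, value) indicators two domains have in common.

    This is the 'chain of evidence' view: it says *why* two domains cluster,
    which is what a reader needs to check a claimed link for themselves.
    """
    indicators: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for domain, ns, email in records:
        indicators[domain].add(("ns", ns.lower()))
        indicators[domain].add(("email", email.lower()))
    return indicators[domain_a] & indicators[domain_b]


if __name__ == "__main__":
    print("Domains on ns1.private-ns.example:", domains_using_ns(RECORDS, "ns1.private-ns.example"))
    big = frozenset({"ns1.bigprovider.example"})
    for group in cluster_domains(RECORDS, noisy_name_servers=big):
        print("cluster:", group)
    print("site-a <-> site-c share:", shared_indicators(RECORDS, "site-a.example", "site-c.example"))
```

With the shared provider excluded as a pivot, the five placeholder domains tied to the private name servers and the repeated registrant address fall into one cluster and `unrelated.example` stays on its own; run without the exclusion, the shared provider wrongly pulls `unrelated.example` into the same cluster. That is the practical reason a self-hosted name server like the one the post describes is such a useful pivot, while a Cloudflare-hosted domain tells you almost nothing on its own.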

Let's have a closer look at some of those domains:

https://i.redd.it/uavml56y8xt21.png

OK, so they have all clearly been registered to Gerald Cotten.

Let's take a closer look at the BlackHatWorld posts and profile:

https://i.redd.it/8wuhj4s29xt21.png

From this we can deduce the following:

  1. Cotten registered and ran the gerryenterprises.com name servers, both for his own domains and for a number of friends and associates, such as:
    1. Patryn (vfs-securities.com, michaelpatryn.com)
    2. Christine Lako, his ex-girlfriend (schnugglebunny.com)
    3. Nicky Correa, his friend (nickycorrea.com, studioimpression.com)
  2. He also ran a number of his own domains through this server, such as:
    1. Allergictocorn.com
    2. Barbara-corcoran.com
    3. Canadian-airport-guide.com
    4. Cooltripbro.com
    5. Hide-your-ip.org
    6. Howdoihidemyip.com
    7. and many others
  3. From other research and domain analysis, we know Cotten had a number of “Sceptre” email addresses, including
    1. [sceptre@countermail.com](mailto:sceptre@countermail.com)
    2. [sceptre@cmail.nu](mailto:sceptre@cmail.nu)
    3. [sceptre@doneasy.com](mailto:sceptre@doneasy.com)
    4. [sceptre200@hotmail.com](mailto:sceptre200@hotmail.com)
  4. These email addresses were used on domain registrations, forums, payment processors, and a variety of services linking back to Gerald Cotten (more on this later)
  5. Given the preponderance of inexpensive and more powerful options for name servers (such as Cloudflare, which was used by QuadrigaCX), and Cotten's preoccupation with security, using proxy services and hiding his IP, we can assume this would have been primarily for security reasons
  6. Cotten used the “contentbysceptre.com” domain in connection with his “Sceptre’s Spectacular Content Services” on BlackHatWorld
  7. Cotten posted an advertisement on Blackhatworld for a programmer for a “Website like Bitstamp”, which was just a few months prior to launching QuadrigaCX in December 2013. It’s a short timeframe but we know it fits because QuadrigaCX uses the generic WLOX exchange script, which dramatically reduces the work required to build a crypto exchange (Note: we didn’t say a great crypto exchange). This is mentioned in a post on coinforum.ca where user @yerofeyev admits that another exchange, Taurs (founded with PATRYN, mentioned earlier) uses Quadriga code based on WLOX. Strangely that thread is no longer accessible (https://coinforum.ca/discussion/2448/taurs-soft-launch) as the whole coinforum.ca website has been mysteriously shut down in the last few days
  8. Cotten posted a number of threads asking for advice on how to monetise his network of sites, including the aforementioned proxy sites and his celebrity news sites, including celebritydaily.net. Here's the link to that post as well: "BHW - Hiring Celebrity Article Writer"
  9. Cotten's profile on BlackHatWorld was initially "Sceptre" and later changed to "Murdoch1337", perhaps after QuadrigaCX began to become popular and he realised he might need to conceal links to his past. Link to Cotten's BlackHatWorld profile here: https://www.blackhatworld.com/members/murdoch1337.273596/
  10. Patryn was also active on BlackHatWorld, and posted to the following thread “10K budget need suggestions on passive income streams - help”, suggesting “HYIPs are investment scams promising returns of 5-20% weekly, generally.” You can view that thread here: https://www.blackhatworld.com/seo/10k-budget-need-suggestions-on-passive-income-streams-help.548790/page-4
  11. We know from other research and analysis that both Sceptre and Patryn were highly active in the HYIP/Ponzi/exchanger space (more on this later)
  12. In conclusion, we believe that Gerald Cotten, QuadrigaCX CEO, was known as "Sceptre" on BlackHatWorld and other sites.

This has been a QCXINT release. If you have more information regarding QuadrigaCX, Michael Patryn (aka Omar Patryn, Omar Dhanini, Voleur), Gerald Cotten (aka Sceptre), please send to [qcxint@protonmail.com](mailto:qcxint@protonmail.com). Your submission will be 100% confidential.

Update 23/04: Reddit dropped the entire post whilst editing so it had to be re-uploaded.

  1. Added link to Freelancer post by Cotten: https://www.freelancer.com/projects/bitcoin-related-project/ showing his Skype (gerrywc) and "Sceptre" email ([sceptre@countermail.com](mailto:sceptre@countermail.com))
  2. There is also a crosspost for the "Bitstamp clone" BHW post here: https://www.freelancer.com/projects/PHP-Website-Design/Bitstamp-Clone-Bitcoin-Trading-Platform/

https://i.redd.it/f0hyq9o7axt21.jpg
