Back in February, hackers managed to squirrel away approximately $36 million in crypto assets from users’ retirement accounts. In the aftermath of that theft, it’s become less of a “who-dun-it” and more of a “who’s-gonna-take-the-blame?”
In a lawsuit filed Monday against Gemini Trust Company, retirement investment company IRA Financial said it was let down by Gemini’s promise of security for its crypto assets.
Gemini is the crypto exchange fronted by Cameron and Tyler Winklevoss, AKA the Winklevoss twins. IRA Financial was using Gemini’s platform to custody and secure users’ accounts when, on Feb. 8, an unknown actor began withdrawing bitcoin, ether and U.S. dollars from dozens of users, pilfering millions before the hack was spotted, according to CoinDesk. Gemini has previously blamed IRA for the hack, saying the transfers were made “by utilizing properly authenticated accounts” controlled by IRA that “complied with IRA’s approval processes and appeared to Gemini to be legitimate.”
The lawsuit says that IRA switched from Gemini’s online client to its application programming interface (API) to streamline customer onboarding. That setup had a “fatal flaw,” according to the suit: a single master key that could access every sub-account under IRA’s master Gemini account. The suit states that whoever had access to that master key could withdraw crypto assets without any second factor of authentication, so the one credential was all an attacker needed. IRA further claims Gemini never told the company the master key existed.
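The flaw the suit describes is a textbook least-privilege failure: one credential with withdrawal rights over every sub-account and no second factor. The model below is an added illustration, not Gemini’s real API or IRA Financial’s actual configuration; the key names, scopes, sub-account IDs, addresses and policy flags are all hypothetical. It contrasts a “single master key” policy with one that rejects wildcard keys for withdrawals, binds each key to one sub-account, and demands a second factor plus an allowlisted destination.

```python
"""Illustrative least-privilege model for exchange API keys.

Constructed example: the key names, scopes, sub-account IDs and addresses
below are hypothetical and do not describe any real exchange's API.
"""
from dataclasses import dataclass

ANY_SUB_ACCOUNT = "*"  # wildcard: a "master" key that reaches every sub-account


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: frozenset        # subset of {"read", "trade", "withdraw"}
    sub_accounts: frozenset  # sub-account IDs the key may act on, or {"*"}


@dataclass(frozen=True)
class Policy:
    name: str
    allow_wildcard_withdrawals: bool       # may a "*" key withdraw from any sub-account?
    require_second_factor: bool            # must a withdrawal carry an approved 2FA step?
    require_allowlisted_destination: bool  # must the payout address be pre-registered?


# Constructed allowlist: each sub-account may only pay out to its own
# pre-registered address (hypothetical labels, not real addresses).
ALLOWLIST = {
    "sub-1001": {"cold-wallet-1001"},
    "sub-1002": {"cold-wallet-1002"},
}

WEAK = Policy("single master key", True, False, False)
HARDENED = Policy("scoped keys + 2FA + allowlist", False, True, True)


def authorize_withdrawal(key, sub_account, destination, second_factor_ok, policy):
    """Return (allowed, reason). Every check is fail-closed."""
    if "withdraw" not in key.scopes:
        return False, "key lacks withdraw scope"
    if ANY_SUB_ACCOUNT in key.sub_accounts:
        if not policy.allow_wildcard_withdrawals:
            return False, "wildcard (master) keys may not withdraw"
    elif sub_account not in key.sub_accounts:
        return False, f"key not bound to {sub_account}"
    if policy.require_second_factor and not second_factor_ok:
        return False, "second factor missing"
    if (policy.require_allowlisted_destination
            and destination not in ALLOWLIST.get(sub_account, set())):
        return False, "destination not allowlisted"
    return True, "ok"


def simulate_theft(policy):
    """A stolen master key tries to drain every sub-account to an attacker address.
    Returns the sub-accounts the attacker could empty under `policy`."""
    stolen_master = ApiKey("master-key",
                           frozenset({"read", "trade", "withdraw"}),
                           frozenset({ANY_SUB_ACCOUNT}))
    drained = []
    for sub in ALLOWLIST:
        ok, _ = authorize_withdrawal(stolen_master, sub, "attacker-address",
                                     False, policy)
        if ok:
            drained.append(sub)
    return drained


def legitimate_withdrawal(policy):
    """A per-sub-account key doing a 2FA-approved payout to its registered address."""
    scoped = ApiKey("key-1001", frozenset({"read", "withdraw"}), frozenset({"sub-1001"}))
    return authorize_withdrawal(scoped, "sub-1001", "cold-wallet-1001", True, policy)


def cross_account_attempt(policy):
    """The same scoped key trying to reach a sibling sub-account."""
    scoped = ApiKey("key-1001", frozenset({"read", "withdraw"}), frozenset({"sub-1001"}))
    return authorize_withdrawal(scoped, "sub-1002", "cold-wallet-2002", True, policy)


if __name__ == "__main__":
    for p in (WEAK, HARDENED):
        print(f"{p.name}: stolen master key drains {simulate_theft(p)}")
    print("legitimate, hardened:", legitimate_withdrawal(HARDENED))
    print("cross-account, hardened:", cross_account_attempt(HARDENED))
```

Under the weak policy the stolen master key empties both sub-accounts; under the hardened one it empties none, while a properly scoped key with a second factor still completes its own payout. The point for an operator is that each of the three controls (no wildcard withdrawal keys, a second factor on withdrawals, a destination allowlist) would independently have blocked the drain, so the loss of all three at once is what turns one leaked credential into a single point of failure.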
IRA’s attorney Eric Ostroff of the Miami-based Meland Budwick said in a release that “Gemini’s platform inexplicably had a single point of failure that allowed criminals to steal tens of millions of dollars of crypto assets from customer retirement accounts.”
In an emailed statement, Natalie Rix, the communications lead at Gemini, said the company rejects the lawsuit’s allegations, calling its security standards “the highest in the industry.” She added that “as soon as IRA Financial notified us of their security incident we acted quickly to mitigate the loss of funds from their accounts.”
There’s been a lot of finger pointing between Gemini and IRA Financial, but the blame game has left users hanging for months, and they have yet to see any recompense. IRA Financial said in its release that it would use any funds won in the Gemini lawsuit to reimburse those impacted by the Feb. 8 hack.
A class action lawsuit filed against both companies in California federal court back in March argues that Gemini and IRA are both on the hook for the breach, and that neither has moved to compensate victims. Both companies would plainly prefer that suit to go away.
It’s unclear what has changed in either Gemini’s or IRA’s operations since the hack. IRA Financial CEO Adam Bergman is still on the crypto hype train, telling Barron’s in April that “Having some basic belief that blockchain will revamp the way global financial markets will operate should be enough to get investors excited about the reward-risk proposition.” Meanwhile, Gemini is being sued in civil court by the Commodity Futures Trading Commission, which alleges the company misled regulators about whether its trading platform was susceptible to manipulation by traders.
Despite this latest hack of users’ IRAs, some companies still consider notoriously volatile crypto investments a solid idea for retirement savings. Fidelity Investments recently announced it would let investors put some of their 401(k) savings in bitcoin.
The IRA Financial scandal was far from the biggest crypto hack of the year. The play-to-earn, NFT-based game Axie Infinity was hacked for $625 million in March by the North Korea-affiliated group Lazarus, according to the FBI. A recent report by the Federal Trade Commission shows U.S. residents have lost over $1 billion in crypto, mostly to scams, with the rate of reported losses roughly 60 times higher than it was four years earlier.