Investor sues the Winklevoss twins’ Gemini crypto exchange over security failures - The Verge
IRA Financial Trust is suing the cryptocurrency exchange Gemini over a heist that resulted in the theft of $36 million in crypto from its customers. The retirement savings platform blames Gemini’s security protocols for the attack.
IRA Financial Trust, a platform that lets users save for retirement in alternative assets like cryptocurrency, is suing the Gemini cryptocurrency exchange over an alleged failure to protect its customers from a heist that resulted in the theft of $36 million in crypto. The financial platform partners with Gemini, owned by the Winklevoss twins, Cameron and Tyler, to allow customers to trade and store cryptocurrency.
In February, IRA was the victim of a major attack that drained the millions in funds customers had stored with Gemini. The company was reportedly swatted, the act of calling the police to report a fake crime at someone’s location, when the cyberattack occurred. Police showed up at IRA’s South Dakota headquarters after false reports of a robbery, while bad actors made off with millions in crypto. At the time, a source close to Gemini told CoinDesk it wasn’t hacked and that it makes various security controls available to its partners.
“Gemini knew about the risks attendant to crypto assets,” IRA’s complaint states. “In fact, it built its public image around purportedly mitigating those risks. But like so much else in the world of crypto, Gemini’s image is just that: an image. In reality, Gemini brushes security aside when there is a chance to earn more revenue.”
According to IRA’s complaint, problems started when Gemini “strongly pressured” the company to use the Gemini API (Application Programming Interface) over the web-based platform so its systems could better handle customer onboarding. This, IRA claims, had a “fatal flaw” in the form of the master key that allegedly let holders “bypass” Gemini’s security protections, giving them the ability to “transfer and withdraw crypto assets without getting a client’s second-factor authorization.” Gemini provided IRA with this master key, but IRA claims it was never told about its “power,” alleging Gemini nonchalantly included it in unsecured and unencrypted emails.
IRA’s complaint states that hackers got ahold of its master key and were allegedly able “to exploit the vulnerabilities in Gemini’s API.” The result was bad actors “transferring tens of millions of dollars’ worth of Bitcoin and Ether belonging to hundreds of customers into a single customer retirement account, and then withdrawing all such assets.”
Rating: 5