IRA Financial Trust Brings Lawsuit Against Gemini Trust Company Alleging Crypto Exchange Security Failures
06 Jun, 2022, 11:22 ET
Complaint details Gemini's flawed cybersecurity practices and faulty API - which included a single point of failure— that ultimately led to customer cryptocurrencies being accessed and stolen off the Gemini exchange
NEW YORK, June 6, 2022 /PRNewswire/ -- IRA Financial Trust (IRA), a leading platform for self-directed retirement and pension accounts, has filed a lawsuit against Gemini Trust Company (Gemini), a cryptocurrency exchange and custodian, following a February 2022 theft of $36 million of crypto assets in Gemini's custody belonging to customers' retirement accounts.
Gemini Trust Company was founded and is owned by Cameron and Tyler Winklevoss.
IRA Financial Trust has been working to find resolution for its impacted customers since this incident occurred and is pledging to use the proceeds from the lawsuit to reimburse IRA Financial customers impacted by the February 8, 2022, incident.
As stated in the complaint, the lawsuit, IRA Financial Trust v. Gemini Trust Company, LLC, alleges that the Gemini cryptocurrency exchange platform did not have proper safeguards in place to protect customer crypto assets. The lawsuit also claims that Gemini failed to freeze accounts within a sufficient timeframe immediately following the incident, allowing the criminals to continue moving funds out of customers' accounts on the Gemini exchange after IRA notified Gemini.
The lawsuit further outlines Gemini's alleged lack of transparency with its cybersecurity protocols—noting the Gemini Cryptocurrency Exchange platform's API was designed with only a single point of failure, as stated in the complaint.
The lawsuit alleges the following:
- "Gemini boasts of supposedly industry leading security protections, such as two-factor authentication, 'whitelisting' withdrawal addresses, and fraud detection algorithms. Gemini says that these protections, among others, 'eliminate single points of failure.'" (p. 1)
- "IRA selected Gemini as the exchange to secure customers' crypto assets largely because of Gemini's detailed statements about its industry-leading focus on security." (p. 2)
- "Under IRA's arrangement with Gemini, Gemini directly onboarded all customers through Gemini's systems." (p. 2)
- "Gemini established and maintained the security protocols used to safeguard crypto assets on its exchange, from conducting the Know Your Customer diligence during Gemini's onboarding process, to developing, deploying, monitoring, and updating the various security measures listed on its website." (p. 2-3)
- "Gemini strongly pressured IRA to switch from using Gemini's web-based platform to the Gemini API—Application Programming Interface—which Gemini said would streamline the process of onboarding customers." (p. 3)
- "Contrary to Gemini's many representations about security, Gemini designed its API with a single point of failure. If breached, this single point of failure allowed a bad actor to steal all crypto assets held by the customers of an institutional customer, like IRA." (p. 3)
- "Gemini set up the customer accounts such that IRA was the 'master' account and all of Gemini's IRA customers were sub-account holders under the IRA account. As part of this system, Gemini provided IRA with a 'master key.' …[W]hoever possesses the master key can bypass all the supposed security protections." (p. 3)
- "Critically, Gemini never informed IRA about the power of this master key. To the contrary, Gemini itself handled IRA's master key as if it was a mundane piece of information, repeatedly exchanging unsecured, unencrypted emails with IRA containing the master key." (p. 3)
- "[N]ot only did Gemini's system harbor a single-point-of-failure, but it also contained a sweeping vulnerability that allowed for a breach of a single customer account to metastasize across all accounts." (p. 4)
- "Unbeknownst to IRA, hackers were able to gain control of IRA's master key by committing crimes. Once the hackers had the master key, they were able to exploit the vulnerabilities in Gemini's API to effectuate thousands of transactions within a very short period, transferring tens of millions of dollars' worth of Bitcoin and Ether into a single customer retirement account, and then withdrawing all such assets." (p. 4)
- "Had Gemini's representations about security protections such as two-factor authentication been true, the transfers could not have been made. Nor would the transfers have been possible had there been a prohibition on transferring assets between retirement accounts – there is never a legitimate reason for one retirement account to transfer funds to another person's retirement account." (p. 4)
- "Gemini permitted these transfers to occur and, contrary to its representations, did not detect them with anti-fraud systems. Amazingly, it was IRA that had to alert Gemini—the so-called leader in safeguarding crypto-assets—of the obvious fraud occurring on Gemini's platform." (p. 5)
- "And IRA did not have the ability to freeze crypto accounts. Thus, once IRA discovered the hack, it was left to frantically email Gemini—again and again—to get all accounts frozen. Remarkably, it took six emails from IRA and nearly two hours for Gemini to freeze all customer accounts. In the interim, millions of dollars in crypto assets were stolen." (p. 5)
IRA is represented in the lawsuit by Eric Ostroff and Barry Kamar of Meland Budwick, P.A.
"IRA Financial filed this lawsuit because, contrary to Gemini's many public statements about how it prioritizes security, Gemini's platform inexplicably had a single point of failure that allowed criminals to steal tens of millions of dollars of crypto assets from customer retirement accounts," said Ostroff. "This lawsuit seeks to remedy the massive damage that IRA suffered. IRA looks forward to proving its claims in court."
IRA Financial Trust Company is a regulated South Dakota Trust Company of self-directed retirement accounts.
SOURCE IRA Financial Trust
Share this article