Gemini Security Failures to Blame for Crypto Hack, IRA Suit Says
Evan Weinberger | June 6, 2022
Crypto exchange Gemini Trust Co. lacked proper safeguards that resulted in retirement-account holders losing around $36 million in Bitcoin and Ether when the master key got hacked, IRA Financial Trust said in a new lawsuit.
Gemini, a crypto exchange founded by Cameron and Tyler Winkelvoss, made false representations about two-factor authentication and other protections that were supposed to safeguard customer accounts, according to a complaint IRA filed Monday in the U.S. District Court for the Southern District of New York.
IRA allows customers to actively trade crypto in their retirement accounts. It entered an agreement with Gemini in September 2019 that allowed IRA customers to trade Bitcoin and Ether, the two largest cryptocurrencies, directly.
Gemini provided IRA a master key which gave IRA power to manage and oversee its customer accounts. An individual holding a crypto master key can bypass security features like multi-factor authentication.
When hackers got access to IRA’s master key in February, they were able to pull $36 million in cryptocurrencies into their own IRA account and ultimately cash out because they were able to bypass all security protocols, South Dakota-based IRA said in the complaint.
“Gemini never informed IRA about the power of this master key,” the complaint said.
IRA said that Gemini employees shared the company’s master key via unsecured, unencrypted emails. New York-based Gemini also didn’t provide a phone number to call if accounts were compromised, and didn’t lock those accounts for nearly two hours, and after six emails, the suit said.
Gemini sent an email to IRA customers on April 12 blaming IRA solely for the hack and subsequent theft, according to the complaint.
“We encourage you to reach out to IRA Financial for more information concerning any unauthorized use of your IRA Financial account, as well as what compensation may be available to you for any losses,” the April 12 email said.
IRA said the claims in the Gemini email were false.
Gemini said in a Monday email to Bloomberg Law that it rejected IRA’s claims.
“Our security standards are among the highest in the industry and we are constantly updating them to ensure our customers are always protected,” Nathalie Rix, a Gemini representative, told Bloomberg Law.
Both Gemini and IRA are facing a class action lawsuit from affected customers over the Feb. 8 theft in federal district court in San Francisco.
Separately, the U.S. Commodity Futures Trading Commission sued Gemini on June 2 over alleged false statements related to the launch of the first U.S.-regulated Bitcoin futures contract.
Causes of Action: Fraud, negligence, gross negligence, violations of New York General Business Law, contribution, defamation, tortious interference.
Relief: Punitive damages, plus interest, costs and other damages to be determined at trial.
Attorneys: Morgan Lewis & Bockius LLP and Meland Budwick PA are representing IRA Financial.
The case is IRA Financial Trust v. Gemini Trust Co. LLC, S.D.N.Y., No. 1-22-cv-04672, complaint filed 6/6/22