
Gemini lied about its security, IRA Financial says in lawsuit over $36M hack

Gemini lied about the security of its platform and is to blame for the loss of $36 million in a February hack, a new lawsuit by a U.S. IRA provider alleges. The lawsuit says that Gemini designed its system with a single point of failure, lied about it, and failed to stop the hack despite being informed several times about it.

The lawsuit was filed by IRA Financial Trust, a South Dakota-based company that provides self-directed individual retirement accounts (IRAs). While U.S. regulations bar IRA firms from dabbling in digital assets, IRA Financial can offer such products as it’s a self-directed IRA. It has been allowing digital asset investments through a partnership with Gemini.

It all went wrong in February. As the company revealed on Twitter, it had discovered “suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange.”

However, as sources told Bloomberg at the time, the company was downplaying a major breach in which $36 million in customer funds had been stolen: $15 million in ETH and $21 million in BTC. The attackers gained access to the IRA Financial account and, after stealing the funds, laundered them through the Ethereum-based mixer Tornado Cash.

In a press release, IRA Financial announced that it had filed a lawsuit against Gemini, claiming that the exchange did not have proper safeguards in place to protect customer assets.

The exchange advertises “industry leading security protections, such as two-factor authentication, ‘whitelisting’ withdrawal addresses, and fraud detection algorithms.” These, it says, eliminate any single point of failure. According to the lawsuit, that was a misrepresentation, and one that proved very costly for IRA and its customers.

“Contrary to Gemini’s many representations about security, Gemini designed its API with a single point of failure. If breached, this single point of failure allowed a bad actor to steal all crypto assets held by the customers of an institutional customer, like IRA,” it said.

The lawsuit further states that Gemini designated the IRA account as the master account, with IRA’s customers as sub-account holders. Gemini then issued IRA a master key whose holder could bypass all of the advertised security protections, without disclosing that this was the case. Gemini handled the master key “as if it was a mundane piece of information, repeatedly exchanging unsecured, unencrypted emails with IRA containing the master key,” IRA alleges.

“[N]ot only did Gemini’s system harbor a single-point-of-failure, but it also contained a sweeping vulnerability that allowed for a breach of a single customer account to metastasize across all accounts,” it added.
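As an added illustration, not part of the article and not a model of Gemini’s actual API, the following Python sketch contrasts the two credential designs the lawsuit describes: a single master key that reaches every sub-account, versus a per-sub-account key that can only withdraw to addresses already on that account’s whitelist, with whitelist changes gated on a second factor. The account names, balances, keys and attacker address are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SubAccount:
    """One end customer's holdings (constructed sample data, not real balances)."""
    name: str
    balances: dict                                # asset -> amount
    whitelist: set = field(default_factory=set)   # approved withdrawal addresses


class MasterKeyExchange:
    """Design A: one master credential for the whole institutional customer.
    Whoever presents it can withdraw from any sub-account to any address."""

    def __init__(self, master_key: str, subaccounts: dict):
        self.master_key = master_key
        self.subs = subaccounts

    def withdraw(self, key: str, sub: str, asset: str, amount: float, address: str) -> float:
        if not hmac.compare_digest(key, self.master_key):
            raise PermissionError("bad key")
        acct = self.subs[sub]
        taken = min(amount, acct.balances.get(asset, 0.0))
        acct.balances[asset] = acct.balances.get(asset, 0.0) - taken
        return taken


class ScopedKeyExchange:
    """Design B: a separate key per sub-account, valid only for that account,
    and withdrawals only to whitelisted addresses. Adding a whitelist entry
    requires a second factor, so a stolen API key alone cannot redirect funds."""

    def __init__(self, subaccounts: dict):
        self.subs = subaccounts
        self.keys = {name: secrets.token_hex(16) for name in subaccounts}

    def key_for(self, sub: str) -> str:
        return self.keys[sub]

    def _authorize(self, key: str, sub: str) -> None:
        if not hmac.compare_digest(key, self.keys[sub]):
            raise PermissionError("key not valid for this sub-account")

    def add_to_whitelist(self, key: str, sub: str, address: str, second_factor_ok: bool) -> None:
        self._authorize(key, sub)
        if not second_factor_ok:
            raise PermissionError("whitelist change requires second factor")
        self.subs[sub].whitelist.add(address)

    def withdraw(self, key: str, sub: str, asset: str, amount: float, address: str) -> float:
        self._authorize(key, sub)
        acct = self.subs[sub]
        if address not in acct.whitelist:
            raise PermissionError("address not whitelisted")
        taken = min(amount, acct.balances.get(asset, 0.0))
        acct.balances[asset] = acct.balances.get(asset, 0.0) - taken
        return taken


ATTACKER_ADDR = "attacker-controlled-address"   # constructed, not a real address


def sample_accounts() -> dict:
    return {
        "alice": SubAccount("alice", {"BTC": 2.0, "ETH": 30.0}),
        "bob":   SubAccount("bob",   {"BTC": 1.5, "ETH": 10.0}),
        "carol": SubAccount("carol", {"BTC": 0.5, "ETH": 5.0}),
    }


def drain_with_master_key() -> dict:
    """An attacker holding the one master key empties every sub-account."""
    subs = sample_accounts()
    stolen = "master-key-that-travelled-by-plain-email"   # constructed
    ex = MasterKeyExchange(stolen, subs)
    loot = {"BTC": 0.0, "ETH": 0.0}
    for name, acct in subs.items():
        for asset in list(acct.balances):
            loot[asset] += ex.withdraw(stolen, name, asset, acct.balances[asset], ATTACKER_ADDR)
    return loot


def drain_with_one_scoped_key(compromised: str = "alice"):
    """An attacker holding one scoped key, without the second factor, gets nothing:
    the whitelist blocks the compromised account and the key scope blocks the rest."""
    subs = sample_accounts()
    ex = ScopedKeyExchange(subs)
    stolen = ex.key_for(compromised)
    loot = {"BTC": 0.0, "ETH": 0.0}
    blocked = []
    try:
        ex.add_to_whitelist(stolen, compromised, ATTACKER_ADDR, second_factor_ok=False)
    except PermissionError as e:
        blocked.append((compromised, "whitelist", str(e)))
    for name, acct in subs.items():
        for asset in list(acct.balances):
            try:
                loot[asset] += ex.withdraw(stolen, name, asset, acct.balances[asset], ATTACKER_ADDR)
            except PermissionError as e:
                blocked.append((name, asset, str(e)))
    return loot, blocked


if __name__ == "__main__":
    print("master key design, stolen key drains:", drain_with_master_key())
    print("scoped key design, stolen key drains:", drain_with_one_scoped_key()[0])
```

The point of the sketch is the blast radius, not the exchange logic: under Design A the value of every sub-account rests on the secrecy of one string, which is exactly why sending it over unencrypted email matters, while under Design B a stolen key is bounded by both its account scope and the withdrawal whitelist.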

All of these weaknesses were exploited on February 8, when the attackers made off with $36 million, and IRA says Gemini is to blame. Had Gemini’s representations about extra protections such as two-factor authentication been true, IRA argues, the attackers would not have been able to withdraw the funds.

In addition, Gemini failed to detect that the attackers had gained access to IRA’s account at all. It was IRA that alerted the exchange, and since IRA could not freeze the accounts itself, it had to wait for Gemini to intervene, which took over two hours.

“…once IRA discovered the hack, it was left to frantically email Gemini—again and again—to get all accounts frozen. Remarkably, it took six emails from IRA and nearly two hours for Gemini to freeze all customer accounts. In the interim, millions of dollars in crypto assets were stolen,” the lawsuit stated.

IRA is seeking compensation from the New York-based exchange, and it has pledged to use any proceeds to reimburse all the accounts affected by the hack. Eric Ostroff, who is representing the company in court, says the lawsuit seeks to remedy the massive damage that IRA suffered, both in the loss of its funds and the damage to its reputation.

Gemini has previously dismissed any claims that it was to blame for the hack. A statement claimed that while IRA’s accounts are serviced on its platform, “Gemini does not manage the security of IRA Financial’s systems.” 

The new lawsuit comes just days after the Commodity Futures Trading Commission sued Gemini for making misrepresentations and flat-out lying about its BTC futures back in 2017.

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups, from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple, Ethereum, FTX and Tether, who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.
