On June 6, the famous cryptocurrency exchange company Gemini was sued for allegedly giving IRA Financial an onboarding system with a single point of failure, allowing $36 million in IRA client funds to be stolen. The exchange is also accused of failing to freeze accounts quickly enough.
IRA Financial Trust (IRA) is suing Gemini for a February 2022 cyberattack that resulted in the theft of $36 million from the cryptocurrency exchange.
As per the press release, IRA, a U.S. platform for self-directed retirement and pension accounts, claims in the lawsuit that Gemini “did not have proper safeguards in place to protect customer crypto assets” and “failed to freeze accounts within a sufficient [time-frame]” after IRA reported the theft.
Gemini is a New York-based cryptocurrency exchange. Tyler and Cameron Winklevoss co-founded it, and it is now one of the leading exchanges in the United States.
The complaint also alleges that Gemini insisted on IRA using Gemini’s application programming interface (API) to streamline customer onboarding, while failing to disclose to IRA that the API contained a single point of failure: a master account under which “all of Gemini’s IRA customers were sub-account holders”, controlled by a single master key.
According to the complaint, the hackers obtained the master key via unencrypted communication between Gemini and IRA. On February 8, the hackers may have fraudulently reported an abduction at IRA’s South Dakota headquarters to the police department (which subsequently sent a SWAT team to the scene) in order to divert attention from the heist. They then utilised the master key to consolidate the funds from all sub-accounts into a single account before withdrawing the total amount. The transactions were not detected by Gemini’s anti-fraud systems.
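The pattern the complaint describes, a single credential sweeping many sub-accounts into one account and then withdrawing the aggregate, is exactly the kind of sequence an exchange's anti-fraud layer can flag before the withdrawal settles. The following is an added illustration, not code from Gemini, IRA Financial or the lawsuit; the event record format, the account and key identifiers and the thresholds are all constructed assumptions, and the sample events are fabricated to mirror the described timeline rather than taken from any real log.

```python
"""Detect a "sweep and withdraw" sequence: one API credential moves funds
out of many sub-accounts into a single account, then withdraws the total.
Added example; the event shape and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format (not any exchange's
# real log schema). Amounts are in a single unit of value.
SAMPLE_EVENTS = [
    # Ordinary activity under an unrelated key: should not be flagged.
    {"ts": "2022-02-08T09:58:00", "key_id": "api-key-42", "src": "sub-007",
     "dst": "sub-007", "amount": 500, "kind": "trade"},
    # Twelve sub-accounts swept into one account by the same master key.
    *[
        {"ts": f"2022-02-08T10:{i:02d}:00", "key_id": "master-key-1",
         "src": f"sub-{i:03d}", "dst": "sub-000", "amount": 1_000_000,
         "kind": "internal_transfer"}
        for i in range(1, 13)
    ],
    # Nearly the whole swept balance withdrawn shortly afterwards.
    {"ts": "2022-02-08T10:20:00", "key_id": "master-key-1", "src": "sub-000",
     "dst": "external:addr-xyz", "amount": 11_500_000, "kind": "withdrawal"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_sweep_and_withdraw(events, min_sources=5,
                              window=timedelta(hours=1),
                              withdrawal_fraction=0.5):
    """Return one alert per (key_id, destination account) that received
    internal transfers from at least `min_sources` distinct sub-accounts
    inside `window`. The alert is 'critical' when a withdrawal from that
    account within `window` after the sweep moved out at least
    `withdrawal_fraction` of the swept total, otherwise 'high'."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))

    # Group internal transfers by the credential used and the receiving account.
    sweeps = defaultdict(list)
    for e in events:
        if e["kind"] == "internal_transfer":
            sweeps[(e["key_id"], e["dst"])].append(
                (_parse(e["ts"]), e["src"], e["amount"]))

    alerts = []
    for (key_id, dst), xfers in sweeps.items():
        # Sliding time window over the (already time-sorted) transfers,
        # keeping the window with the most distinct source accounts.
        start, best = 0, None
        for end in range(len(xfers)):
            while xfers[end][0] - xfers[start][0] > window:
                start += 1
            span = xfers[start:end + 1]
            sources = {src for _, src, _ in span}
            if len(sources) >= min_sources and (best is None or len(sources) > best[0]):
                best = (len(sources), xfers[end][0], sum(a for _, _, a in span))
        if best is None:
            continue

        n_sources, sweep_end, swept_total = best
        # Money leaving the consolidated account shortly after the sweep.
        withdrawn = sum(
            e["amount"] for e in events
            if e["kind"] == "withdrawal" and e["src"] == dst
            and sweep_end <= _parse(e["ts"]) <= sweep_end + window)
        alerts.append({
            "key_id": key_id,
            "account": dst,
            "distinct_sources": n_sources,
            "swept_total": swept_total,
            "withdrawn_after": withdrawn,
            "severity": "critical"
            if withdrawn >= withdrawal_fraction * swept_total else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweep_and_withdraw(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the credential as well as the destination account, because a master key acting across sub-accounts that belong to different customers is the signal; the same consolidation driven by twelve distinct per-customer credentials would not trip it. A production version would hold the withdrawal for review once the sweep alone crosses the threshold rather than waiting to observe the withdrawal.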