Gemini Sued by IRA Financial Over $36M Hack

Gemini allegedly never notified IRA of the security risk posed by its API's master key.

Photo: Callaghan O’Hare/Bloomberg

Key Takeaways

  • IRA Financial, a company that provides services for self-directed retirement and pension funds, is suing crypto exchange Gemini over its failure to prevent the hack of $36 million of IRA customer money in February.
  • The lawsuit claims Gemini insisted that IRA use a system containing a single point of failure, which cybercriminals were easily able to exploit.
  • Proceeds from the lawsuit will be used to reimburse IRA customers.


Gemini is being sued for allegedly providing IRA Financial with an onboarding system that had a single point of failure, which allowed the theft of $36 million in IRA customer money. The exchange is also accused of failing to freeze accounts quickly enough.

Hack Was Possible Due To Single Point Of Failure

IRA Financial Trust (IRA) is suing Gemini over the February 2022 hack that saw $36 million of IRA customers’ money siphoned from the cryptocurrency exchange.

As stated in their press release, IRA, a U.S. platform for self-directed retirement and pension accounts, alleges in the lawsuit that Gemini “did not have proper safeguards in place to protect customer crypto assets” and “failed to freeze accounts within a sufficient [time-frame]” after IRA had alerted Gemini of the theft.

Gemini is a cryptocurrency exchange based in New York. It was co-founded by Tyler and Cameron Winklevoss and is one of the United States’ top exchanges.

According to IRA, Gemini insisted that the company use Gemini's application programming interface (API) to streamline customer onboarding while failing to disclose to IRA that the API contained a single point of failure: a master account under which “all of Gemini’s IRA customers were sub-account holders,” controlled by a single master key.

The criminals, the lawsuit states, were presumably able to obtain the master key from unencrypted emails between Gemini and IRA. On Feb. 8 the hackers may have falsely reported a kidnapping at IRA’s South Dakota offices to the police department (which then sent a SWAT team to respond) in a maneuver to distract IRA employees from the theft. They then used the master key to consolidate the funds from all sub-accounts into one before withdrawing the entire amount. Gemini’s anti-fraud systems were not triggered by the transfers.
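As an added illustration (not code from the article, Gemini or IRA), the check below runs over a constructed transfer log and flags the pattern the lawsuit describes: one API key sweeping many sub-accounts into a single account and then withdrawing from it shortly afterwards. The field names, key names and sample events are assumptions, not Gemini's real API format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log (hypothetical field names and values).
SAMPLE_TRANSFERS = [
    {"ts": "2022-02-08T10:01:00", "key": "master-1", "src": "sub-a", "dst": "sub-hub", "kind": "internal", "amount": 12.0},
    {"ts": "2022-02-08T10:02:00", "key": "master-1", "src": "sub-b", "dst": "sub-hub", "kind": "internal", "amount": 8.0},
    {"ts": "2022-02-08T10:03:00", "key": "master-1", "src": "sub-c", "dst": "sub-hub", "kind": "internal", "amount": 16.0},
    {"ts": "2022-02-08T10:09:00", "key": "master-1", "src": "sub-hub", "dst": "external", "kind": "withdrawal", "amount": 36.0},
    {"ts": "2022-02-08T11:00:00", "key": "sub-key-z", "src": "sub-z", "dst": "external", "kind": "withdrawal", "amount": 1.5},
]


def _parse(events):
    """Convert timestamps and sort chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def detect_consolidation(events, window=timedelta(hours=1), min_sources=3):
    """Return one alert per (key, hub) where a single key moves funds from at
    least `min_sources` distinct sub-accounts into one hub account within
    `window`, and a withdrawal from that hub follows within another `window`."""
    alerts = []
    by_key = defaultdict(list)
    for e in _parse(events):
        by_key[e["key"]].append(e)
    for key, evs in by_key.items():
        withdrawals = [e for e in evs if e["kind"] == "withdrawal"]
        by_dst = defaultdict(list)
        for e in evs:
            if e["kind"] == "internal":
                by_dst[e["dst"]].append(e)
        for hub, inflows in by_dst.items():
            for first in inflows:  # sliding window starting at each inflow
                cluster = [e for e in inflows if first["ts"] <= e["ts"] <= first["ts"] + window]
                sources = {e["src"] for e in cluster}
                if len(sources) < min_sources:
                    continue
                last_in = cluster[-1]["ts"]
                for w in withdrawals:
                    if w["src"] == hub and last_in <= w["ts"] <= last_in + window:
                        alerts.append({"key": key, "hub": hub, "sources": sorted(sources),
                                       "swept": sum(e["amount"] for e in cluster),
                                       "withdrawn": w["amount"]})
                        break
                break  # one alert per hub is enough
    return alerts
```

A real deployment would feed this from the exchange's transfer ledger and hold the withdrawal for review when an alert fires, rather than only reporting it.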

IRA states that proceeds from the lawsuit against Gemini will be used to reimburse IRA customers.

This is the second time in less than a week that a lawsuit has been brought against Gemini. The U.S. Commodity Futures Trading Commission (CFTC) is also suing Gemini for making false or misleading statements concerning its plans for a Bitcoin futures product during an evaluation in 2017.

Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.
