IRA Financial Sues Gemini for $36 Million Crypto Hack

A leading platform for self-directed retirement accounts pledges to reimburse clients with proceeds from the lawsuit.

The preliminary stages of evidentiary discovery are underway in a $36 million lawsuit between IRA Financial Trust, a leading platform for self-directed retirement and pension accounts, and cryptocurrency exchange and custodial wallet provider, Gemini Trust Company.

According to the complaint, IRA alleges that Gemini failed to provide proper safeguards to protect the crypto assets of IRA Financial clients stored on Gemini's trading exchange. Additionally, the lawsuit asserts that Gemini failed to freeze accounts within a sufficient time frame immediately following the incident. It's alleged that Gemini's failure to respond quickly allowed cyber-hackers to continue siphoning funds for hours out of customers' accounts on the Gemini exchange after IRA notified Gemini.

"IRA Financial filed this lawsuit because, contrary to Gemini's many public statements about how it prioritizes security, Gemini's platform inexplicably had a single point of failure that allowed criminals to steal tens of millions of dollars of crypto assets from customer retirement accounts. This lawsuit seeks to remedy the massive damage that IRA suffered. IRA looks forward to proving its claims in court," Eric Ostroff, legal counsel for IRA, is quoted as saying in the official announcement of the suit.

Alleged single point of failure

A key element of the lawsuit is IRA Financial's assertion that despite Gemini's highly publicized, multi-layered approach to security, it created a "master key" for the IRA Financial account. It then purportedly tucked all IRA client accounts beneath that single key as sub-accounts, creating a solitary entry point that hackers needed to compromise -- which they did.

"Critically, Gemini never informed IRA about the power of this master key. To the contrary, Gemini itself handled IRA's master key as if it was a mundane piece of information, repeatedly exchanging unsecured, unencrypted emails with IRA containing the master key. Not only did Gemini's system harbor a single-point-of-failure, but it also contained a sweeping vulnerability that allowed for a breach of a single customer account to metastasize across all accounts," the complaint reads.

In a recent media report, a spokesperson for Gemini refuted the allegations and said the lawsuit is baseless, stating, "Our security standards are among the highest in the industry and we are constantly updating them to ensure our customers are always protected. In this matter as soon as IRA Financial notified us of their security incident we acted quickly to mitigate the loss of funds from their accounts," as quoted in the media article.

The complaint goes on to state that hackers made off with tens of millions of dollars worth of Bitcoin and Ethereum respectively. IRA Financial pledges to reimburse clients with proceeds recovered from the Gemini litigation.