
Investor sues the Winklevoss twins’ troubled crypto business over security failures



IRA Financial Trust blames Gemini for the theft of $36 million in crypto


Illustration by Alex Castro / The Verge

IRA Financial Trust, a platform that lets users save for retirement in alternative assets like cryptocurrency, is suing the Gemini cryptocurrency exchange over an alleged failure to protect its customers from a heist that resulted in the theft of $36 million in crypto. The financial platform partners with Gemini, owned by the Winklevoss twins, Cameron and Tyler, to allow customers to trade and store cryptocurrency.

In February, IRA was the victim of a major attack that drained millions of dollars in customer funds stored with Gemini. The company was reportedly swatted at the same time the cyberattack took place: someone called in a fake robbery at IRA’s South Dakota headquarters, and police showed up there while the attackers made off with millions in crypto. At the time, a source close to Gemini told CoinDesk that Gemini itself wasn’t hacked and that it makes various security controls available to its partners.


“Gemini knew about the risks attendant to crypto assets,” IRA’s complaint states. “In fact, it built its public image around purportedly mitigating those risks. But like so much else in the world of crypto, Gemini’s image is just that: an image. In reality, Gemini brushes security aside when there is a chance to earn more revenue.”

According to IRA’s complaint, problems started when Gemini “strongly pressured” the company to use the Gemini API (Application Programming Interface) instead of the web-based platform so its systems could better handle customer onboarding. This, IRA claims, had a “fatal flaw”: a master key that allegedly let its holder “bypass” Gemini’s security protections, giving them the ability to “transfer and withdraw crypto assets without getting a client’s second-factor authorization.” Gemini provided IRA with this master key, but IRA claims it was never told about the key’s “power,” alleging that Gemini nonchalantly sent it in unsecured and unencrypted emails.

IRA’s complaint states that hackers got ahold of its master key and were allegedly able “to exploit the vulnerabilities in Gemini’s API.” The result was bad actors “transferring tens of millions of dollars’ worth of Bitcoin and Ether belonging to hundreds of customers into a single customer retirement account, and then withdrawing all such assets.”
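The two failures the complaint describes, a key that lets a partner act without the client’s second factor and a sweep of many customer accounts into one account before withdrawal, are easy to model. The following is an added example, not code from Gemini, IRA Financial or this article, and it assumes nothing about how Gemini’s API actually works: the `ApiKey` scopes, the `bypass_second_factor` flag, the account names and balances, and the funnel threshold of five distinct senders are all invented for illustration. It replays the alleged pattern three times: with the master-key bypass and no detection, with the bypass but a funnel rule that freezes the sink account, and with a policy under which no key can skip the second factor.

```python
"""Toy model of the access-control failure alleged in the complaint.

Added illustration, not code from Gemini, IRA Financial or the article. The
account names, scope names, the `bypass_second_factor` flag and the funnel
threshold are all assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ApiKey:
    owner: str
    scopes: frozenset
    bypass_second_factor: bool = False  # the "master key" property alleged in the suit


@dataclass
class Exchange:
    require_second_factor_always: bool = True  # hardened policy: no key may bypass it
    funnel_threshold: Optional[int] = 5        # distinct senders into one account before freeze
    balances: dict = field(default_factory=dict)
    frozen: set = field(default_factory=set)
    inbound_sources: dict = field(default_factory=lambda: defaultdict(set))

    def _authorize(self, key: ApiKey, scope: str, second_factor_ok: bool) -> None:
        if scope not in key.scopes:
            raise PermissionError(f"key lacks scope {scope!r}")
        # Vulnerable behaviour: a key flagged as master skips the client's second factor.
        if not self.require_second_factor_always and key.bypass_second_factor:
            return
        if not second_factor_ok:
            raise PermissionError("client second-factor authorization missing")

    def _debit(self, acct: str, amount: int) -> None:
        if acct in self.frozen:
            raise PermissionError(f"{acct} is frozen")
        if self.balances.get(acct, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[acct] -= amount

    def transfer(self, key: ApiKey, src: str, dst: str, amount: int,
                 second_factor_ok: bool = False) -> int:
        self._authorize(key, "transfer", second_factor_ok)
        if dst in self.frozen:
            raise PermissionError(f"{dst} is frozen")
        self._debit(src, amount)
        self.balances[dst] = self.balances.get(dst, 0) + amount
        # Funnel detection: many distinct accounts draining into one destination is
        # the pattern the complaint describes, so freeze the sink before it can withdraw.
        self.inbound_sources[dst].add(src)
        if self.funnel_threshold is not None and len(self.inbound_sources[dst]) >= self.funnel_threshold:
            self.frozen.add(dst)
        return self.balances[dst]

    def withdraw(self, key: ApiKey, acct: str, amount: int,
                 second_factor_ok: bool = False) -> int:
        self._authorize(key, "withdraw", second_factor_ok)
        self._debit(acct, amount)
        return amount


def run_sweep(require_second_factor_always: bool, funnel_threshold: Optional[int]) -> dict:
    """Replay the alleged attack: a master key sweeps every customer account into
    one sink account and then withdraws the lot, never supplying a second factor.
    Returns what was withdrawn, what is stranded in the sink, and whether it froze."""
    ex = Exchange(require_second_factor_always, funnel_threshold)
    customers = [f"cust{i}" for i in range(8)]  # constructed sample accounts, 100 units each
    for c in customers:
        ex.balances[c] = 100
    ex.balances["sink"] = 0
    master = ApiKey("partner", frozenset({"read", "transfer", "withdraw"}),
                    bypass_second_factor=True)
    for c in customers:
        try:
            ex.transfer(master, c, "sink", 100)
        except PermissionError:
            pass
    withdrawn = 0
    try:
        withdrawn = ex.withdraw(master, "sink", ex.balances["sink"])
    except PermissionError:
        pass
    return {"withdrawn": withdrawn, "stranded": ex.balances["sink"], "sink_frozen": "sink" in ex.frozen}


if __name__ == "__main__":
    print("master key, no detection  :", run_sweep(False, None))
    print("master key + funnel freeze:", run_sweep(False, 5))
    print("second factor always      :", run_sweep(True, 5))
```

With the bypass and no detection, all 800 units leave the exchange. With the funnel rule, five accounts are still swept before the sink is frozen, so detection alone limits the loss but does not prevent it, and it only works if the freeze is automatic rather than waiting on a human reading e-mail. Only the policy in which no key can skip the client’s second factor stops every transfer. The funnel rule here counts distinct senders with no time window; a production rule would also bound the window and the amount.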

IRA goes on to claim that, when the attack occurred, Gemini failed to freeze customers’ accounts in a timely manner. Since IRA allegedly wasn’t given a phone number it could use to reach Gemini quickly, it instead resorted to sending several emails that were met with slow responses. (Gemini allegedly didn’t freeze customers’ accounts until almost two hours after IRA sent its first email.) IRA is suing Gemini for damages to be determined at trial.

“We reject the allegations in the lawsuit,” Gemini spokesperson Natalie Rix said in a statement to The Verge. “This attack targeted IRA Financial systems — not Gemini. No Gemini systems were compromised by the incident and we acted quickly to assist IRA Financial with their breach.”

Gemini is facing not only the lawsuit from IRA but also one from the Commodity Futures Trading Commission (CFTC), which has sued the company for allegedly misrepresenting certain details about its exchange and a futures contract. Last week, Gemini announced that it’s laying off 10 percent of its staff as the cryptocurrency market deals with an economic downturn.

Update June 8th, 8:47AM ET: Updated to include a statement from a Gemini spokesperson.