The financial legal examiner for the Washington state regulator handling consumer complaints, the Department of Financial Institutions, concluded that Bittrex did not “take reasonable steps to respond” to Bennett’s notice and “appears” to have violated its own terms of service, in a signed letter dated Aug. 30, 2019 provided to CoinDesk by Bennett.
Crypto exchange Bittrex is being sued over a SIM swap that netted criminals 100 bitcoin, currently worth nearly $1 million.
The case resembles other recent high-profile heists in which a hacker seizes control of a victim’s cell phone to then loot online crypto accounts: the swap was from cellular carrier AT&T, money was taken from Bittrex, and the hack took control over the victim’s online identity.
The hack against Seattle-based angel investor Gregg Bennett, however, has not been resolved by criminal investigators, as others have before being made public in legal filings.
In this case, Bennett filed suit in Washington state’s King County Superior Court, alleging that Bittrex violated its own published security protocols and ignored industry standards, missing the chance to stop the high-stakes burglary. He also alleged that Bittrex failed to act as the April 15, 2019 hack was in process or respond quickly enough once notified by him directly.
Though various legal entities were notified of the hack, they have not yet announced any criminal charges in the case, and as such, the whereabouts of Bennett’s bitcoin are unknown.
Bittrex declined to comment specifically about the Bennett hack and the court case.
But CEO Bill Shihara, speaking to CoinDesk about other recent SIM hacks, said the exchange has robust security in place to prevent account breaches, including two-factor authentication and email verification when an unknown IP address logs into an account.
These “speed bumps” might result in some user complaints, he said, but “they actually save a lot of accounts from being hacked.”
But given a target’s email may also be breached, it’s best to never trust one’s phone as the last security stop – once it’s taken over, everything could be accessible, he said:
“I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”
Bennett told CoinDesk that he suspects his hack was “an inside job”, as he said that his account PIN and even Social Security number on the account were changed, which would imply that someone at the phone company played a role.
However, AT&T is not named in the Bennett suit, while it’s the focus of similar cases filed by Seth Shapiro and Michael Terpin.
While Bennett’s present case only focuses on the security lapses at Bittrex, he said the door remained open; AT&T “will not escape my wrath”, he said.
AT&T spokesman Jim Greer said he could only reiterate his prior responses to the SIM hacks: customers should avoid relying on their cell phones for security.
“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime”, Greer said.
Bennett says that Bittrex should have known something odd was afoot.
The hacks were coming from a Florida IP address and from an NT operating system, he said, neither of which he had never before used – both signs, in his mind, that it should be clear that he was not the one accessing the account.
Bennett alleges in the lawsuit that the hackers ultimately drained 100 bitcoin from his account – the maximum daily withdrawal allowed. In fact, he had a series of coins that the hackers dumped at below-market prices, converted into a further 30 bitcoin and made off with.
They even returned the following day for his 35 remaining bitcoin, but by that time, Bennett said he had succeeded in getting Bittrex to shut down the account and the unauthorized withdrawals.
Bennett’s suit alleges Bittrex failed to follow industry security standards in his case.
Beyond the different IP address and operating system, his lawyers asserted that Bittrex should have also imposed a 24-hour withdrawal hold after password changes, which he said other exchanges do.
“What I fault Bittrex for is their inability to see obvious suspicious activity”, Bennett said.