Digital asset exchange Bittrex is reportedly being sued over a SIM swap-related incident that allowed hackers to steal 100 Bitcoin (BTC), which are valued at around $1 million at current market prices.
The case appears to be quite similar to other recent incidents in which a bad actor gains control of a user’s cell phone number in order to steal cryptocurrency from their online wallets. The SIM swap was reportedly carried out through telecom giant AT&T, the funds were withdrawn from Bittrex, and the hacker allegedly managed to gain control over the user’s online identity.
Unlike other incidents, which were resolved by officials before being disclosed publicly in court filings, the hack allegedly carried out against Gregg Bennett, an angel investor residing in Seattle, has not yet been resolved.
Bennett filed a lawsuit in Washington state’s King County Superior Court, in which he claims that Bittrex did not abide by its own security measures, while also failing to meet industry standards. This led to the high-stakes theft, Bennett alleged.
He further noted that Bittrex’s management failed to take action as the April 15, 2019 hack was taking place. The exchange did not respond in a timely manner, even though Bennett says he informed the company directly.
The Department of Financial Institutions, the financial legal examiner for the Washington state regulator that addresses complaints from consumers, stated that Bittrex failed to “take reasonable steps to respond” to Bennett’s message and “appears” to have not honored its own terms of service, according to an August 30, 2019 letter.
Although several legal entities were informed, they have not yet decided to take up criminal charges in the matter. Moreover, the whereabouts of Bennett’s stolen digital currency are currently unknown.
Bittrex CEO Bill Shihara stated the exchange operator has implemented proper security measures, which can effectively prevent account hacks. These security measures include two-factor authentication (2FA) and email verification when an unfamiliar IP address attempts to sign in to a user account.
Shihara noted that these “speed bumps” could lead to a few user complaints, but “they actually save a lot of accounts from being hacked.”
Shihara also warned that a user’s email can get hacked, so a person’s phone should not be trusted as the last security stop. This is because once a victim’s phone has been taken over, hackers can usually get access to all their accounts, Shihara explained.
“I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”
Bennett also believes that his hack was most likely “an inside job,” as he thinks that the PIN associated with his account and the social security number linked to the account were changed, which suggests that someone at AT&T could have played a role in the incident.
AT&T has not specifically been mentioned in Bennett’s case, although it remains the focus of similar lawsuits initiated by Michael Terpin and Seth Shapiro.
Bennett’s case mainly focuses on the security issues on Bittrex’s trading platform, but he acknowledged that the door stayed wide open. He warned:
“[AT&T] will not escape my wrath.”
AT&T representative Jim Greer stated he was only able to repeat his previous responses to the SIM-swapping incidents, namely that customers must not depend on their mobile phones for the security of their accounts.
“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime.”
Bennett noted that Bittrex’s management should have been able to figure out that something was not right.
The security breaches had been initiated from an IP address in Florida and from an NT operating system, Bennett pointed out. He also mentioned that he had not used either of them, which should make it clear that he was not the one trying to gain access to the account.
Bennett claims in the lawsuit that the criminals stole 100 BTC from his account, which is the maximum daily withdrawal permitted. He also says that the hackers sold off a significant amount of his crypto at below-market prices, while also converting the stolen funds into a further 30 bitcoins and running off with them.
The hackers also came back the next day for the 35 bitcoins that were remaining. However, Bennett said he had finally managed to get Bittrex to close his account and the unauthorized transactions.
Bennett’s lawsuit claims that Bittrex did not adhere to established industry security protocols in his case.
Bennett’s lawyers said Bittrex should have placed a 24-hour withdrawal hold following a password change, which is standard practice.
“What I fault Bittrex for is their inability to see obvious suspicious activity.”