They joined IRA Financial Trust eager to build a nest egg in crypto. Instead, some users told CoinDesk their retirement accounts were drained, frozen and locked – with little explanation of what happens next.
It’s been nearly one week since an apparent security breach threw IRA Financial’s clients into crisis mode. With $36 million of their retirement savings in limbo and no full explanation from either IRA Financial or Gemini – the crypto exchange owned by the Winklevoss twins, Cameron and Tyler, and custodian where their crypto was held – they’ve begun organizing a response to crypto’s latest hack.
Users, appearing to count in the dozens, have begun reaching out to news organizations and regulators, wanting to know how they lost possibly millions of dollars on Feb. 8, when an apparent bad actor began withdrawing funds en masse from Gemini. IRA Financial Trust is one of a handful of firms that run their retirement account services atop Gemini’s institutional trading and custody suite.
The apparent victims tell CoinDesk they are trapped in a knotty morass of incomplete facts that only confound a fraught situation. Even basic details – how many accounts were breached, who (if anyone) will cover their losses – remain unclear. Some receive occasional terse email updates from IRA Financial while others are forced to call every day, users tell CoinDesk.
What’s clear is this: Around 5 p.m. ET last Tuesday an account labeled “Benjamin Choe” began withdrawing bitcoin, ether and U.S. dollars from user accounts. One user said he lost 13 ETH, 1 BTC and thousands of dollars in a matter of minutes despite multiple account security layers, like two-factor authentication.
Gemini says it was not hacked; IRA Financial Trust has acknowledged an incident occurred and is investigating it, telling CoinDesk in an emailed statement the “suspicious activity” affected “a limited subset of our customers with accounts on the Gemini cryptocurrency exchange.”
“We are working closely with third-party forensic specialists to determine the nature and scope of this incident,” a spokesperson from IRA Financial’s hired crisis communications firm told CoinDesk.
The incident is one of the first high-profile exploits to hit crypto retirement accounts in the U.S. Appealing to tax-savvy bitcoiners, this cottage industry has for the past few years hawked products in partnership with top crypto brands. For example, Directed IRA also works with Gemini; Kingdom Trust serves a number of competing products.
IRA Financial, a South Dakota trust company, has told clients since 2019 that their retirement savings would be safe with its institutional accounts on Gemini, a crypto giant which operates under the New York BitLicense, the toughest digital asset regulatory regime in the U.S.
Tricky U.S. tax laws make setting up these institutional accounts far more complex than retail customer fare, especially in the retirement space. For starters, you can’t wholly control a self-directed IRA yourself. It has to be run through a third party like IRA Financial Trust that can attest your account is following IRS rules.
That didn’t bother “lucidBTC,” a member of a Telegram group where Feb. 8 hack victims have gathered to strategize. A former Silicon Valley tech worker, he told CoinDesk he signed up for IRA Financial’s product specifically because it had partnered with Gemini, a company he’s traded with for years.
Deploying two-factor authentication and setting a list of whitelisted withdrawal addresses, he assumed his retirement crypto would be safe with Gemini. Statements from IRA Financial bolstered that view.
“You have total control over your cryptos,” IRA Financial CEO Adam Bergman said in a May 3, 2021, video walk-through of “Gemini IRA account” onboarding, which included linking the IRA Financial and Gemini accounts together. In a later video on crypto insurance, his company assured viewers that “Gemini is regulated and insured against theft, so your cryptos are protected.”
“We got in a car we presumed was safe,” lucidBTC said in a phone interview. Gemini was the car, with “safety belts, airbags and anti-lock brakes. And IRA Financial was the chauffeur. But the chauffeur fell asleep at the wheel and hit a tree.”
Now he and others in the Telegram group say they’ve lost over $2 million in crypto and cash.
“How can a financially regulated thing like a retirement account just move my money without any authorization?” he said.
Dozens of users began seeing unauthorized withdrawals on their Gemini accounts, victims told CoinDesk. One user, Jacob, who declined to give his last name, said he lost $20,000 in fiat to an account he did not control. Others described losing bitcoin and ether in full coin increments.
In an emailed statement, IRA Financial said it was investigating “the scope of the breach” and was attempting to recover funds. It said it had notified law enforcement. The company gave no details about the incident.
IRA Financial’s post-hack emails to customers have been equally mum.
But a memo distributed to customers on the morning of the breach hints that even hours before the hack, IRA Financial knew something was amiss.
“We have reason to believe that there are some bad actors posing as IRA Financial employees looking for crypto account-related information,” the email read. It warned users to remain wary of phishers.
Nearly 24 hours later IRA Financial gave a terse update:
Those defensive mechanisms appear to have been too little, too late for dozens of customers.
“Almost my entire Roth that I’ve had for over 20 years” was stolen, said one victim who had invested much of it in bitcoin and ether. Two other victims said they were locked out of their accounts; they can’t even see the damage. The full theft is likely well under $50 million, according to a source familiar with the situation.
Crypto tracing company Chainalysis confirmed the hack involved $36 million in cryptocurrencies.
Gemini’s emails to customers provide a somewhat clearer picture of what went down.
“Although our investigation remains ongoing, the facts discovered to date indicate that transfer requests were made by utilizing properly authenticated accounts controlled by IRA Financial Group, which were used to execute asset transfers to another account,” the firm wrote late Sunday night. “At the time, these requests complied with IRA’s approval processes and appeared to Gemini to be legitimate, authorized transactions. To date, our investigation has found no indication of any unauthorized access to your account resulting from any security failure or breach of Gemini systems.”
This finding would place the blame entirely on IRA Financial. It would also, in Gemini’s telling, absolve it of any responsibility to cover the loss with its own insurance policy. Gemini advised the customer to ask IRA Financial about its insurance policy.
By sheer happenstance, IRA Financial’s Bergman went in deep on the issue of crypto IRA insurance just last month.
“Are crypto IRAs insured?” he asked viewers on Jan. 28. “We’re insured,” Bergman said, referring to cash deposits covered by the Federal Deposit Insurance Corp. (FDIC). He later implied that Gemini was responsible for covering the crypto deposits themselves.
IRA Financial’s YouTube account took a harder stance in the video’s comments section:
IRA Financial Trust did not respond to questions about whether it has crypto insurance.
UPDATE (Feb. 14, 23:36 UTC): Adds hack’s estimated value.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.