A detective at the Sioux Falls police department recounted the chain of events to a victim of the hack in a Feb. 15 voicemail reviewed by CoinDesk. Officers responded to reports of an alleged “robbery” in progress at IRA Financial Trust’s offices in the South Dakota city on the afternoon of Feb. 8, the detective said.
Police officers quickly determined the robbery call was bogus, the detective said. He described the incident as “swatting”: the practice of tricking police into responding to a nonexistent crisis.
There was a robbery, however – but it was happening in cyberspace, not the Midwest.
“What we were then informed of was that once the employees returned to their desks, after, like, while this ‘robbery’ was taking place or whatever, once they got back to their desks, they all found that customers’ accounts had been hacked into and that money was actively being taken at that time,” the officer said in the voicemail. He did not immediately respond to a request for comment from CoinDesk.
He said in the voicemail that IRA Financial soon managed to stop the money drain. “But by that point roughly a number of minutes had passed and a lot of damage had been done. They reported hundreds of victims as a result of this.”
The officer said he was sharing this information with the victim because "it doesn’t appear that [IRA Financial is] telling their customers very much."
In a statement, IRA Financial Trust said it was “aware” of law enforcement’s recounting of events.
“Coordinated efforts like these emphasize the growing sophistication of cybercrime that make cyber threats both difficult to prevent and challenging to recover from,” the company said. “We are currently dedicating our attention and efforts to our active investigation and the potential recovery of funds through civil and law enforcement resources. To preserve the integrity of our investigation, we cannot provide further comment or details at this time.”
A baffling break-in
The detail adds another layer of intrigue to the seemingly inexplicable hack of IRA Financial Trust, an institutional partner of the Gemini exchange servicing retirement-minded crypto investors. Gemini, a $7 billion company that touts its security chops, has denied responsibility, instead blaming IRA Financial for the loss of millions of dollars in crypto.
Victims who spoke with CoinDesk said the hack should have been impossible. They described imposing strict controls on their Gemini accounts, including withdrawal address whitelisting, two-factor authentication, email notifications and other steps that they thought would stymie hackers.
A source close to Gemini previously said the company makes those safeguards available to institutional customers in order to prevent such incidents. It is unclear how those protocols were compromised on Feb. 8.
“From the end user perspective it's like, ‘Hey Gemini, if you're going to show us that we have whitelisted withdrawals and that’s not true, you are misleading us,’” said one victim who asked not to be named.
Gemini declined to comment.
The Sioux Falls detective said in the voicemail that the case was being handled by the FBI cybercrimes division. The FBI did not immediately respond to a request for comment.