The IRA Financial Trust has admitted a hack suffered by some of its clients that would have led to a total theft of $36 million in cryptocurrencies.
That’s reported by Bloomberg, which cites a statement from the company in which it reveals that it discovered suspicious activity that affected a limited group of their clients with accounts on the Gemini cryptocurrency exchange.
IRA Financial Trust offers self-directed retirement accounts and allows its customers to purchase cryptocurrencies precisely because of a partnership with Gemini.
However, the dynamics of the theft are unclear, as Gemini denies having been hacked.
In fact, Gemini has rejected the allegations stating that it was not hacked. They stated:
“We are aware that IRA Financial experienced a security incident last week. While IRA Financial’s accounts are serviced on the Gemini platform, Gemini does not manage the security of IRA Financial’s systems.”
According to these statements, Gemini, in fact, indicates that IRA Financial Trust suffered the hack.
A spokeswoman for IRA Financial, Maria Stagliano, said the company is investigating its own security controls but did not say what those controls were. She also declined to respond to Bloomberg regarding speculation about who might be behind this hack. It’s also not yet clear if and how customers who were robbed will be reimbursed.
Hack at IRA Financial Trust, what happened
A total of $21 million in Bitcoin (BTC) and $15 million in Ethereum (ETH) were stolen, and according to Chainalysis analysis, were then “mixed” with Tornado.
On Reddit, some users claimed to have found their cryptocurrency accounts literally emptied due to transactions made to Roth IRA accounts in the name of one Benjamin Choe. The funds sent to this account were then sent to Tornado in turn.
It is, therefore, possible that the hack occurred entirely within the IRA Financial Trust platform, with funds first being transferred from some accounts to Benjamin Choe’s account, then taken from there to be mixed. It may now be quite difficult to track any further movements.
It’s possible that Benjamin Choe’s account was perfectly legitimate, which is why his transactions were not blocked.