Crypto truck Bittrex is being sued over a SIM swap that netted criminals 100 bitcoin, currently worth virtually $1 million.
The case resembles other recent high-profile heists in which a hacker seizes control of a butt’s cell phone to then loot online crypto accounts: the swap was from cellular carrier AT&T, money was enchanted from Bittrex, and the hack took control over the victim’s online identity.
The hack against Seattle-based angel investor Gregg Bennett, regardless, has not been resolved by criminal investigators, as others have before being made public in legal filings.
In this turns out that, Bennett filed suit in Washington state’s King County Superior Court, alleging that Bittrex desecrated its own published security protocols and ignored industry standards, missing the chance to stop the high-stakes burglary. He also so-called that Bittrex failed to act as the April 15, 2019 hack was in process or respond quickly enough once notified by him right away.
The financial legal examiner for the Washington state regulator handling consumer complaints, the Department of Financial Institutions, concluded that Bittrex did not “quarter reasonable steps to respond” to Bennett’s notice and “appears” to have violated its own terms of service, in a signed letter dated Aug. 30, 2019 yielded to CoinDesk by Bennett.
Though various legal entities were notified of the hack, they have not yet announced any flagitious charges in the case, and as such, the whereabouts of Bennett’s bitcoin are unknown.
Bittrex declined to comment specifically anent the Bennett hack and the court case.
But CEO Bill Shihara, speaking to CoinDesk about other recent SIM hacks, turned the exchange has robust security in place to prevent account breaches, including two-factor authentication and email verification when an unfamiliar IP address logs into an account.
These “speed bumps” might result in some user complaints, he bring to light, but “they actually save a lot of accounts from being hacked.”
But given a target’s email may also be breached, it’s wealthiest to never trust one’s phone as the last security stop – once it’s taken over, everything could be accessible, he conjectured:
“I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often reveal articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose check of your phone.”
Bennett told CoinDesk that he suspects his hack was “an inside job,” as he said that his account PIN and even Social Security number on the account were changed, which would imply that someone at the phone actors played a role.
However, AT&T is not named in the Bennett suit, while it’s the focus of similar cases filed by Seth Shapiro and Michael Terpin.
While Bennett’s introduce case only focuses on the security lapses at Bittrex, he said the door remained open; AT&T “will not escape my wrath,” he phrased.
AT&T spokesman Jim Greer said he could only reiterate his prior responses to the SIM hacks: customers should avoid relying on their cubicle phones for security.
“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We are working closely with our sedulousness, law enforcement and consumers to stop and prevent this type of crime,” Greer said.
Bennett says that Bittrex should beget known something odd was afoot.
The hacks were coming from a Florida IP address and from an NT operating system, he weighted, neither of which he had never before used – both signs, in his mind, that it should be clear that he was not the one accessing the account.
Bennett asseverates in the lawsuit that the hackers ultimately drained 100 bitcoin from his account – the maximum daily withdrawal assigned. In fact, he had a series of coins that the hackers dumped at below-market prices, converted into a further 30 bitcoin and navigated off with.
They even returned the following day for his 35 remaining bitcoin, but by that time, Bennett said he had take over from make good in getting Bittrex to shut down the account and the unauthorized withdrawals.
Bennett’s suit alleges Bittrex failed to issue industry security standards in his case.
Beyond the different IP address and operating system, his lawyers asserted that Bittrex should acquire also imposed a 24-hour withdrawal hold after password changes, which he said other exchanges do.
“What I failure Bittrex for is their inability to see obvious suspicious activity,” Bennett said.
SIM card image via Shutterstock