US-based crypto exchange Bittrex Inc. has been hit with a lawsuit. The plaintiff is angel investor Gregg Bennett, who claims to have lost more than $1.2 million on the 15th of April, 2019, due to a SIM swap hack.
According to Bennett, Bittrex Inc. failed to follow the industry’s security standards and violated its own security protocols. The alleged reason for the lawsuit is a so-called SIM swap scam through which criminals stole 130 bitcoins.
In this method, a scammer gets access to someone’s personal information and requests that a SIM be reissued to the scammer. Afterwards, the scammer uses phone-based verification systems to gain access to accounts that the victim had connected to their mobile number. As a result, the hackers were able to steal 100 bitcoins from Bennett’s Bittrex Inc. account and sell his altcoins, gaining another 30 bitcoins.
Bennett believes the exchange had to be aware of the hack. He says the IP address and the operating system were both completely different from his own. Bennett also claims that he notified Bittrex Inc. in time, but the exchange did not take the proper steps towards securing his account. His lawyers state that it was an industry best practice to impose a 24-hour hold on all withdrawals after the account holder changed the password, but Bittrex Inc. did not have such a policy in place.
“As alleged in our complaint, Bittrex Inc. ignored a number of red flags warning Bittrex Inc. that the person initiating the withdrawal was not Gregg Bennett,” says Bennett. “We plan to show in court that Bittrex Inc. either ignored or was unaware of standard industry safeguards to prevent hacks just like this.”
Bennett also suspects the hackers relied on help from within telephone company AT&T, as his social security number and his account PIN were changed, indicating a phone operator could have been involved. AT&T is not mentioned in Bennett’s lawsuit, but he announced AT&T “will not escape my wrath.”
Case ongoing; Bittrex Inc. warns of mobile phones as point of attack
Bennett filed the lawsuit in Washington’s King County Superior Court. The Department of Financial Institutions’ Legal Examiner for their Washington Branch concluded Bittrex Inc. seems to have violated its own terms of service and failed to respond appropriately.
Bittrex Inc. has not yet issued an official comment. CEO Bill Shihara spoke to CoinDesk about other recent SIM hacks and said Bittrex Inc. has sound security mechanisms in place, including two-factor authentication and email verification when an unknown IP address logs into an account.
He also reminded users not to rely on their phone: “I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”
Likewise, AT&T spokesman Jim Greer said customers should avoid relying on their cell phones for security: “Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We are working closely with our industry, law enforcement, and consumers to stop and prevent this type of crime.”
The court case remains to be settled. No criminal charges have yet been laid against anyone for the hack, and so far, Bennett’s bitcoins are nowhere to be found.