QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$36 000 000 USD
FEBRUARY 2022
UNITED STATES
IRA FINANCIAL
DESCRIPTION OF EVENTS
"IRA Financial Trust offers self-directed retirement accounts in South Dakota."
"IRA Financial is simplifying how you invest your retirement funds in alternative assets. Open an account on our app and start investing for a simple, flat fee."
"IRA Financial Group & IRA Financial Trust Company, a leading financial technology self-directed IRA and 401(k) plan provider & custodian, is excited to announce its new digital solution for Bitcoin and other cryptocurrency investments."
“IRA Financial has integrated with Gemini to be the first self-directed retirement provider to allow for Bitcoin and other cryptocurrency investments directly from our digital app,” said Adam Bergman, President of IRA Financial. “We wanted to offer a solution that allows our clients to buy cryptocurrencies directly through an exchange without the need for using an LLC or a third-party broker firm.”
"This new digital solution will allow our self-directed IRA and 401(k) plan clients the ability to buy and sell cryptocurrencies at any-time without the need of a broker, control transaction costs by sidestepping the need for an LLC or costly broker, and best of all, trust Gemini as the licensed and qualified custodian of their cryptocurrency private key. We strongly believe that the best way to buy bitcoin and other cryptocurrencies with IRA funds is with this solution– which provides the IRA client with total control over their cryptos and the ability to do away with the need for an LLC or excessive broker commissions."
"IRA Financial Group & IRA Financial Trust Company’s self-directed IRA and solo 401(k) plan platform allows investors to invest in IRS approved alternative asset investments digitally and with no account valuation or minimum balance fees. The primary advantage of using a self-directed IRA to make private IRS approved alternative asset investments, such as real estate, is that one can diversify their retirement assets and invest in what one knows and trusts."
"IRA Financial, a South Dakota Trust company, has told clients since 2019 that their retirement savings would be safe with its institutional accounts on Gemini, a crypto giant which operates under the New York BitLicense, the toughest digital asset regulatory regime in the U.S."
"Tricky U.S. tax laws make setting up these institutional accounts far more complex than retail customer fare, especially in the retirement space. For starters, you can’t wholly control a self-directed IRA yourself. It has to be run through a third party like IRA Financial Trust that can attest your account is following IRS rules."
“You have total control over your cryptos,” IRA Financial CEO Adam Bergman said in a May 3, 2021, video walk-through of “Gemini IRA account” onboarding, which included linking the IRA Financial and Gemini accounts together. In a later video on crypto insurance, his company assured viewers that “Gemini is regulated and insured against theft, so your cryptos are protected.”
"In a statement, IRA Financial Trust said on Feb. 8 it discovered “suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange. Upon discovery, we immediately launched an investigation and contacted state and federal law enforcement.”"
"Around 5 p.m. ET last Tuesday an account labeled “Benjamin Choe'' began withdrawing bitcoin, ether and U.S. dollars from user accounts. One user said he lost 13 ETH, 1 BTC and thousands of dollars in a matter of minutes despite multiple account security layers, like two-factor authentication."
"Dozens of users began seeing unauthorized withdrawals on their Gemini accounts, victims told CoinDesk. One user, Jacob, who declined to give his last name, said he lost $20,000 in fiat to an account he did not control. Others described losing bitcoin and ether in full coin increments."
IRA Finance tweeted that it found “suspicious activity affecting our limited customer base with accounts on the Gemini cryptocurrency exchange. Upon discovery, we immediately launched an investigation and contacted state and federal law enforcement. Department.”
"That same day, unidentified hackers withdrew $21 million in bitcoin and $15 million in ether from IRA Financial Trust’s accounts." "Crypto tracing company Chainalysis confirmed the hack involved $36 million in cryptocurrencies."
“Although our investigation remains ongoing, the facts discovered to date indicate that transfer requests were made by utilizing properly authenticated accounts controlled by IRA Financial Group, which were used to execute asset transfers to another account,” the firm wrote late Sunday night. “At the time, these requests complied with IRA’s approval processes and appeared to Gemini to be legitimate, authorized transactions. To date, our investigation has found no indication of any unauthorized access to your account resulting from any security failure or breach of Gemini systems.”
"Apparent IRA Financial users posting in forums on Reddit Inc. said they experienced their crypto accounts being emptied, with thieves directing stolen funds to a Roth IRA account with the name “Benjamin Choe.” The funds from the Choe account were subsequently sent to services that are often used to launder cryptocurrency. Some users said that cash stored in their accounts was also taken."
“I only had cash in my Gemini account, no coin, and it was all taken in multiple transfers to Choe at $10k per transfer,” one Reddit user wrote. “So in only 15 seconds they moved all my cash.”
Another user wrote, “All of my BTC and Ether have also been transferred out. I can confirm that they only transferred out whole units and left a small fraction of BTC and my cash.” The user added, “Transfers were made out to the Choe Roth in multiple 1 whole unit coin transactions.”
“Late in the day on Tuesday, February 8, 2022, we believe we were targeted by hackers. To protect your assets and data, we took immediate actions to suspend access to your IRA Financial/Gemini accounts.”
"It’s been nearly one week since an apparent security breach threw IRA Financial’s clients into crisis mode. With $36 million of their retirement savings in limbo and no full explanation from either IRA Financial or Gemini – the crypto exchange owned by the Winklevoss twins, Cameron and Tyler, and custodian where their crypto was held – they’ve begun organizing a response to crypto’s latest hack."
"Users, appearing to count in the dozens, have begun reaching out to news organizations and regulators, wanting to know how they lost possibly millions of dollars on Feb. 8, when an apparent bad actor began withdrawing funds en masse from Gemini. IRA Financial Trust is one of a handful of firms that run their retirement account services atop Gemini’s institutional trading and custody suite."
"It’s not clear who may end up being responsible for the lost funds. IRA Financial spokesperson Maria Stagliano said the company’s investigation is primarily focused on security controls that IRA Financial claims weren’t offered or available from Gemini. She declined to say which controls IRA Financial had in place."
"The apparent victims tell CoinDesk they are trapped in a knotty morass of incomplete facts that only confound a fraught situation. Even basic details – how many accounts were breached, who (if anyone) will cover their losses – remain unclear. Some receive occasional terse email updates from IRA Financial while others are forced to call every day, users tell CoinDesk."
"Gemini says it was not hacked; IRA Financial Trust has acknowledged an incident occurred and is investigating it, telling CoinDesk in an emailed statement the “suspicious activity” affected “a limited subset of our customers with accounts on the Gemini cryptocurrency exchange.”"
“We are working closely with third-party forensic specialists to determine the nature and scope of this incident,” a spokesperson from IRA Financial’s hired crisis communications firm told CoinDesk.
"Blockchain analysis firm Chainalysis Inc. said it was tracking the $36 million in cryptocurrency stolen from IRA customers, and said that it is being laundered through a “mixer” service known as Tornado. A representative for Tornado didn’t immediately respond to a request for comment."
IRA Financial offers the ability for clients to invest in bitcoin and ethereum, which is stored in the third party custodian Gemini. In a single day, $36m worth of client funds were transferred between accounts and removed from the Gemini platform. These funds were then mixed. Unsurprisingly, insurance is not covering anything. At present, it appears that many client accounts are still locked and there is no note of any recovery for those affected.
HOW COULD THIS HAVE BEEN PREVENTED?
It seems most likely that IRA Financial did not utilize any form of multi-sig in their security setup, thereby allowing one staff member's credentials to become compromised. This could have been easily prevented by setting up a multi-signature wallet.
SlowMist Hacked - SlowMist Zone (Jun 26)
Home - IRA Financial (Mar 12)
IRA Financial Launches New Digital Solution for Using IRA Funds to Buy Bitcoin Directly from Cryptocurrency Exchange and Custodian Gemini (Mar 12)
Bloomberg - Are you a robot? (Mar 12)
@TheIRAFinancial Twitter (Mar 12)
A Message from Adam Bergman - Founder, IRA Financial - YouTube (Mar 12)
@TheIRAFinancial Twitter (Mar 12)
An Update from Adam Bergman - Founder, IRA Financial - YouTube (Mar 12)
@TheIRAFinancial Twitter (Mar 12)
Drained Crypto Accounts at IRA Financial Leave Victims Searching for Answers (Mar 12)
@TheIRAFinancial Twitter (Mar 12)
Self-Direct Your Retirement - IRA Financial Group (Mar 12)
https://www.trustpilot.com/review/irafinancialgroup.com (Mar 12)
https://news.bloomberglaw.com/privacy-and-data-security/ira-financial-hacked-36-million-in-cryptocurrency-stolen (Mar 12)
Drained Crypto Accounts at IRA Financial Leave Victims Searching for Answers (Mar 12)
IRA Financial Trust Loses $36 Million in Clients Funds (Mar 12)
Why IRA Financial? - YouTube (Mar 12)
IRA Financial Services Breach Hackers Stole $36 Million In Cryptocurrency | Cybersecurity News - YouTube (Mar 12)
Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack | CSO Online (Dec 11)
Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12)
