Cryptocurrency exchange Bittrex is reportedly being sued by Gregg Bennett, a SIM-swap hack victim and angel investor, over a SIM swap-related security incident that allowed hackers to steal 100 Bitcoin (BTC), worth approximately $1 million at current market prices.
The case is similar to other recent high-profile cyber heists wherein a malicious hacker acquires control of a victim’s cell phone in order to steal cryptocurrency from their online wallets.
The SIM swap was reportedly carried out through cellular carrier AT&T, the funds were withdrawn from Bittrex, and the hacker acquired control over the victim’s online identity.
Unlike other such incidents, which were resolved by officials before being disclosed publicly in court filings, the security incident that affected Bennett has not been resolved.
Hence, Bennett has filed a suit in Washington state’s King County Superior Court, alleging that Bittrex failed to adhere to its own security measures and disregarded industry standards, missing the opportunity to halt the crypto robbery.
He further stated that Bittrex’s management failed to take action while the April 15, 2019 incident was occurring.
The Department of Financial Institutions, the financial legal examiner for the Washington state regulator that handles complaints from consumers, indicated that Bittrex did not “take reasonable steps to respond” to Bennett’s message and “appears” to have breached its own terms of service, as stated in an August 30, 2019 letter.
Despite the fact that numerous legal entities were informed of the hack, they have not yet disclosed criminal charges in the case. Significantly, the location of Bennett’s stolen Bitcoin is currently unknown.
Bittrex CEO Bill Shihara mentioned that the exchange operator has applied appropriate safeguards, which may effectively hinder account compromise. Such safeguards include two-factor authentication (2FA) and email verification when an unknown IP address tries to sign in to a target’s account.
Shihara pointed out that such “speed bumps” could result in a couple of user complaints, though “they actually save a lot of accounts from being hacked.”
Furthermore, Bennett noted that a target’s email could also be compromised. Hence, an individual’s phone should never be trusted as the last security stop.
After a target’s phone has been taken over, hackers may typically acquire access to all of their accounts, Shihara clarified.
“I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”
Notably, Bennett suspects that his hack was probably “an inside job,” as he believes that the PIN related to his account and the social security number on the account were altered, which implies that an individual at AT&T could have potentially played a part in the incident.
Nevertheless, AT&T has not been explicitly named in Bennett’s case, despite the fact that it remains the focus of similar lawsuits filed by Seth Shapiro and Michael Terpin.
Bennett’s legal case concentrates solely on the security problems on Bittrex’s trading platform, but he stated that the door remained wide open.
“[AT&T] will not escape my wrath.”
AT&T representative Jim Greer indicated that he could only repeat his previous responses to the SIM-swapping security incidents. That being the case, customers should not rely on their mobile devices for the security of their accounts.
“Fraudulent SIM swaps are a form of theft committed by sophisticated criminals. We are working closely with our industry, law enforcement and consumers to stop and prevent this type of crime.”
Bennett said that Bittrex’s management should have been able to realize that something was wrong.
The IP address linked to the security breach was located in Florida and came from an NT operating system, Bennett noted.
Additionally, he stated that he had not used either of them, which should make it clear that he was not the individual attempting to obtain access to the account.
Bennett asserts in the lawsuit that the cybercriminals successfully stole 100 Bitcoin from his account, which is the maximum daily withdrawal authorized.
Also, he stated that the hackers sold off a substantial amount of his cryptocurrency at below-market prices, while also converting the stolen funds into a further 30 Bitcoin and running off with it.
The hackers returned the following day for the 35 Bitcoin that remained, though Bennett stated that he was ultimately able to get Bittrex to shut down his account and the unauthorized transactions.
Bennett’s lawsuit alleges Bittrex did not comply with industry security protocols in his case. Bennett’s lawyers affirmed that Bittrex should have enforced a 24-hour withdrawal hold following password changes, as other cryptocurrency exchanges do.
“What I fault Bittrex for is their inability to see obvious suspicious activity.”