(Bloomberg) -- A hack at IRA Financial Trust, which offers self-directed retirement accounts, resulted in the theft of $36 million in cryptocurrency, according to a person familiar with the investigation.
In a statement, IRA Financial Trust said on Feb. 8 it discovered “suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange. Upon discovery, we immediately launched an investigation and contacted state and federal law enforcement.”
That same day, unidentified hackers drained $21 million in Bitcoin and $15 million in Ethereum from the accounts of IRA Financial Trust customers, the person said. IRA allows its customers to purchase cryptocurrency through a partnership with the cryptocurrency exchange Gemini Trust Co.
Blockchain analysis firm Chainalysis Inc. said it was tracking the $36 million in cryptocurrency stolen from IRA customers, and said that it is being laundered through a “mixer” service known as Tornado. A representative for Tornado didn’t immediately respond to a request for comment.
It’s not clear who may end up being responsible for the lost funds. IRA Financial spokesperson Maria Stagliano said the company’s investigation is primarily focused on security controls that IRA Financial claims weren’t offered or available from Gemini. She declined to say which controls IRA Financial had in place.
Stagliano also declined to answer questions about who may be behind the hack and hasn’t provided details on any plan to repay users whose cryptocurrency was stolen.
In a statement, Gemini pushed back, saying that its offers a number of security controls for institutional clients such as IRA Financial, including two-factor authentication which is mandatory on all accounts and approved addresses, a Gemini spokesperson said.
Gemini said it wasn’t breached, and that it was offering to assist IRA Financial Trust in its investigation.
“We are aware that IRA Financial experienced a security incident last week,” the company said, in a statement. “While IRA Financial’s accounts are serviced on the Gemini platform, Gemini does not manage the security of IRA Financial’s systems.”
Apparent IRA Financial users posting in forums on Reddit Inc. said they experienced their crypto accounts being emptied, with thieves directing stolen funds to a Roth IRA account with the name “Benjamin Choe.” The funds from the Choe account were subsequently sent to services that are often used to launder cryptocurrency. Some users said that cash stored in their accounts was also taken.
“I only had cash in my Gemini account, no coin, and it was all taken in multiple transfers to Choe at $10k per transfer,” one Reddit user wrote. “So in only 15 seconds they moved all my cash.”
Another user wrote, “All of my BTC and Ether have also been transferred out. I can confirm that they only transferred out whole units and left a small fraction of BTC and my cash.” The user added, “Transfers were made out to the Choe Roth in multiple 1 whole unit coin transactions.”