According to a Bloomberg article on Monday, the IRA Financial Trust suffered a cybertheft of more than $36 million in cryptocurrency from some of its clients’ accounts. The financial investment firm specializes in offering a variety of self-directed, tax-advantaged retirement offerings.
If you visit the IRA Financial Trust website right now, at the top of the homepage, is this statement acknowledging the cyberattack:
“On February 8, 2022, IRA Financial Trust discovered suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange. We have provided individual notification to all affected customers and have separately notified non-impacted customers. Due to the ongoing investigation, we are unable to comment on individual queries.”
It’s reported that unidentified hackers siphoned more than $15 million worth of Ethereum and another $21 million equivalent in Bitcoin from IRA Financial Trust customer accounts. According to IRA Financial Trust’s charter, it can help clients set-up and administer a variety of self-directed funding vehicles including: IRAs, Roth IRAs, SIMPLE Accounts, SEP Accounts, 401(k) plan accounts, Health Savings Accounts, and Coverdell Education Savings Accounts.
A unique aspect of IRA Financial Trust is that those aforementioned investment vehicles it establishes can accommodate various non-traditional assets such as real estate, precious metals, or cryptocurrencies. In the media report, Blockchain analysis firm Chainalysis, confirmed that it was tracking the $36 million in stolen cryptocurrency from IRA Financial customers, and said that it is being laundered through a “mixer” service known as Tornado.
According to the Bloomberg article, IRA Financial spokesperson Maria Stagliano said the company’s investigation is primarily focused on security controls that IRA Financial claims weren’t offered or available from Gemini. The article did not specify any existing safety controls or security measures that IRA Financial may have had in place.
In a reactive statement, Gemini responded stating that it provides a number of security controls for institutional clients such as IRA Financial. Those security measures include two-factor authentication which is mandatory on all accounts and approved addresses, according to Bloomberg.
Gemini stressed that it was not breached, and that it was offering to assist IRA Financial Trust in its investigation. As of this writing, no individual or group has claimed responsibility for this cyber heist.