Gregg Bennett is suing Bittrex, a Seattle-based cryptocurrency exchange, after his account was hacked for $1 million in Bitcoin. The Bellevue venture capitalist is claiming that Bittrex allowed hackers to access his account and has since launched a public relations campaign against the company. Bennett’s case was formally filed in October in King County Superior Court. At the time, Bittrex asked the case to be dismissed. State regulators eventually stepped in and faulted Bittrex in the dispute. However, a recent reinvestigation has brought forth new evidence that has given the state reason to reconsider their position.
Details Surrounding the Hack
In a world filled with online hacking threats, increased security measures have been developed to thwart ongoing attempts to steal payment information and valuable assets. In many cases, defenses against these hacks include two-factor authentication, in which a user is required to enter their password and then a second password is sent to their phone or email to confirm their identity. Bennett’s account was protected through this type of authentication but still fell victim to a common hacking scam called SIM swapping. SIM swapping gives hackers the ability to bypass two-factor authentication by convincing the owner of the account to transfer their phone number to a SIM card owned by the hacker. This gives hackers access to the two-factor authentication that has been enabled on the user’s phone.
Bennett claimed that he knew immediately that his account had been hacked, taking the proper steps to notify Bittrex in hopes that they would take immediate action. Bennett emailed Bittrex a request to freeze his account two hours before the hackers finished taking all of his assets. In the two days that it took Bittrex to restore Bennet’s access to his account, nearly 100 Bitcoin had already been lost, which at the time was equivalent to $1 million. Bennett was finally able to access his account after he was asked to re-verify his identity by meeting a Bittrex representative in the lobby of a Bellevue Westin hotel. The details of this meeting were verified through email exchanges between Bennet and Bittrex.
Bittrex Initially Determined to be at Fault
In order to give weight to his argument, Bennett purchased Twitter ads accusing Bittrex of being and unsafe exchange for digital currencies. Outside of their office in Bellevue, Bennett and a number of hired stand-ins waved signs with warning messages about Bittrex’s unsafe practices. He even went as far to get a mobile billboard, which circled outside a Las Vegas Bitcoin convention. As if that weren’t enough, Bennet created his own website, bittrexunsafe.com, which clearly states his position against the company.
The Department of Financial Institutions (DFI) originally sided with Bennett, saying that Bittrex did not take the appropriate action to protect the account from fraud, thus violating the Uniform Money Services Act. The DFI believed that this was an instance of unfair or deceptive practices that failed violated the Terms of Service.
Support for Bennett’s Claim is Withdrawn
During reinvestigation, authorities took a closer look at the timestamps on the emails exchanged between Bennett and Bittrex. The initial examination of these timestamps was inconclusive in determining whether or not Bittrex could be placed at fault because many cryptocurrency transactions are stamped in Universal Time, while the emails would be stamped in Pacific Time. The time difference between the transaction and emails was completely overlooked, until Bittrex called for a closer examination. After DFI looked into this issue, it was determined that Bennett actually asked Bittrex to freeze his account five hours after the hackers had finished taking control of his assets.
From the start, Bittrex argued that Bennett had no authority to sue, given the fact that their terms of service explicitly states that any claim against the company must be resolved through arbitration, not a lawsuit. State officials are now siding with Bittrex, overturning their decision to find them at fault, much to the disappointment of Bennett. Bennett’s stance has changed slightly, now stating that his suit was not only about Bittrex’s slow response, but also their inability to detect a pattern of abnormal activity in his account. Despite his continued protests, it appears that the decision is beginning to lean in Bittrex’s favor.
False Alarm or Legitimate Claim?
The legitimacy of Bennett’s claim is becoming increasingly less credible as the investigation continues. That being said, Bennett is not the only party calling into question the exchange’s practices. In the past year, the New York State Department of Financial services blocked Bittrex from claiming a license in the state due to the fact that they believe the company is operating an inadequate transaction monitoring system.
Bennett claims that his initial interest in creating a Bittrex account was to support local entrepreneurs. He believed Bittrex’s claims to be more secure than big-name competitors like Coinbase or Binance. Since his account was hacked, however, he is standing by his belief that Bittrex should be responsible for his losses.