SEATTLE--(BUSINESS WIRE)--Gregg Bennett, a serial angel investor involved with more than 30 local startups, recently filed a lawsuit against Bellevue, Washington-based Bittrex, claiming the exchange violated or ignored its own security standards and industry-standard practices that allowed hackers to steal nearly $1 million dollars of bitcoin from Bennett’s account in April.
The suit, filed in King County Superior Court, seeks to hold the exchange liable for the loss, based on what the suit describes as “unfair and deceptive acts that misrepresented its level of security."
According to the suit, filed October 28, Bennett was initially the victim of a SIM card hack, an increasingly common scheme where hackers seize control of a victim’s cell phone SIM card and use it to gain access to accounts and passwords by impersonating the owner.
In this case, the hackers used Bennett’s digital identity to assume control of a wide range of his personal accounts, including access to Bittrex, the cryptocurrency exchange he used to house his bitcoin.
The suit contends that on April 15, 2019, hackers accessed Bennett’s account, converted the bitcoin to other currencies at below-market prices, and transferred the funds to an anonymous account under the hacker’s control.
Later that evening when Bennett discovered the hack, he attempted to alert Bittrex, but Bittrex failed to heed his warning for nearly two hours, allowing the hackers to continue to drain his account.
The hackers attempted a second withdrawal the next day, but by then Bittrex responded to Bennett’s email, which is the only way the exchange accepts requests from depositors, even in urgent situations, the suit alleges.
“As alleged in our complaint, Bittrex ignored a number of red flags warning Bittrex that the person initiating the withdrawal was not Gregg Bennett,” said Dan Kittle of Lane Powell, a Seattle-based law firm representing Bennett. “We plan to show in court that Bittrex either ignored or was unaware of standard industry safeguards to prevent hacks just like this.”
The suit claims that Bittrex ignored or failed to observe a series of highly suspicious activity by the hackers, including the hackers’ use of a suspicious IP address, access by a different computer operating system, and failure to follow the industry-standard practice of placing a 24-hour hold on the account after a password and two-factor authentication change.
In August 2019, the Washington Department of Financial Institutions conducted an investigation into the theft and concluded that Bittrex did not take reasonable steps to stop funds from leaving Bennett’s account, which the Department described as an “unfair and deceptive act” in violation of the Uniform Money Services Act.
“Bittrex was bamboozled by hackers who should have been as visible as thieves wearing masks and carrying guns,” Bennett added. “I am asking for Bittrex to do the right thing by plugging what I see as gaping holes in their approach to security, and to return my coin to me.”
Bennett’s troubles with Bittrex didn’t end after the hack, the suit contends.
“Trying to convince Bittrex and Bittrex owner Bill Shihara that I was hacked also took a colossal effort,” Bennett said. “I had to virtually knock down Bill’s door for the company to take my issue seriously and acknowledge that they’d been duped by the hackers.”
“Had Bittrex shown the hackers half of the suspicion they showed me, we wouldn’t be filing this suit,” Bennett added.
Bennett said he is determined to understand why Bittrex failed to protect the safety of its customers and hopes to educate others, protecting consumers from becoming victims of similar wrongful acts.
“I am going to do everything I can to hold those responsible accountable for their actions, so other people aren’t victims of similar negligence,” Bennett said.
Bennett is an entrepreneur who mentors local, Seattle-based technology companies. He has invested in more than 100 Northwest-based startup and early-stage companies. Bennett previously founded HBSI, which become the nation's largest provider of financial and clinical benchmarking information for large hospitals. The company was acquired by the Thomson Corporation.