Bellevue-based venture capitalist Gregg Bennett is suing local cryptocurrency exchange Bittrex after, he alleges, the exchange allowed hackers to access his account and make off with nearly $1 million in Bitcoin.
And in recent weeks, he’s stepped up his campaign against the company.
He’s purchased Twitter ads attacking Bittrex as an “Unsafe Exchange.” He’s hired stand-ins to join him in waving signs with the slogan “Bittrex is Unsafe” in downtown Bellevue, where he believes Bittrex has an office. He retained a mobile billboard to circle outside a Las Vegas bitcoin convention. He even has a website, bittrexunsafe.com, that lays out his case against the company.
“I felt pretty secure about putting my money into a local institution that claims to be secure, then it was stolen out from under me,” Bennett said in an interview. “It seems silly that these exchanges claim they have no responsibility to protect customer assets. Normal people would think that’s kind of ridiculous.”
Bittrex, which says it’s not at fault, has asked the judge to dismiss the case, filed in October in King County Superior Court.
Bennett was the victim of a common scam called a “SIM swap,” in which hackers convince a cell carrier to transfer a victim’s phone number to a SIM card they own. If the victim has two-factor authentication enabled on their phone, hackers can use that SIM card in a new phone to gain access to the victim’s accounts.
Bennett said he realized he’d been hacked almost immediately, but he alleges Bittrex moved so slowly to restore his access that over two days, hackers were able to steal 100 Bitcoin, worth close to $1 million at the time. The company asked Bennett to re-verify his identity by meeting a Bittrex representative in the lobby of the downtown Bellevue Westin, according to emails between Bittrex and Bennett.
State regulators previously faulted Bittrex in the dispute, but now say they’re going back over their investigation.
In August, the Department of Financial Institutions (DFI) found the company “did not take reasonable steps” to protect Bennett’s account from fraud. “It appears Bittrex violated the Uniform Money Services Act for engaging in an unfair or deceptive act by failing to adhere to its Terms of Service,” according to a letter sent to Bennett summarizing the outcome of the investigation.
The regulator’s findings relied on timestamps appearing to show Bennett emailed Bittrex to request the company freeze his account two hours before the hackers drained the last of his Bitcoin. However, DFI’s letter did not specify in which time zones the timestamps were generated. Many cryptocurrency transactions are stamped in Universal Time, seven or eight hours ahead of Pacific Time. That could throw into question the state’s timeline of the case, a Bittrex spokesperson said.
In an email, DFI enforcement chief Steve Sherman said the agency has now determined that the time zone “issue requires further investigation and that confidentiality must be maintained at this time.”
Bittrex has argued that Bennett has no authority to sue. The terms of service Bennett signed when he established an account specify the only way to resolve a claim against the company is through arbitration — not a lawsuit.
“Bittrex is committed to ensuring our customer’s data and assets are safe and secure on our exchange,” a company spokesperson said in a statement. “Bittrex utilizes two-factor, app-based authentication, the industry standard. Unfortunately, Mr. Bennett lost control over his phone and his account was compromised as a result. No system can protect against a user’s loss of login credentials to a hacker.”
Other owners of cryptocurrency bamboozled by SIM swaps have gone another route: Suing cell carriers like AT&T.
“I do hold AT&T partially responsible,” Bennett said. “But I hold Bittrex more at fault. Even though there was suspicious activity happening, they didn’t shut down my account.”
Bennett’s antagonistic PR sweep is an abrupt change of tone for the self-described angel investor. Bennett initially decided to trade cryptocurrencies on Bittrex, his complaint alleges, because he “wanted to support local entrepreneurs.” He said he was also swayed by Bittrex’s claims to be more secure than competitors like Coinbase and Binance.
In a November email to Bittrex CEO Bill Shihara included in court filings, with the subject “Bennett hack — I’m just getting started,” Bennett threatens to unleash a multi-phase campaign of “disruption” to “encourage Bittrex to rectify my account.”
“I am in it for the long haul,” he wrote.
In the past year, Bittrex has come under fire elsewhere for a perceived lack of accountability. In April, the New York State Department of Financial Services denied the company’s cryptocurrency exchange license on the grounds that it has a “grossly inadequate transaction monitoring system.”