SIM swap lawsuit finds another target—Bittrex

Another SIM-swapping theft has popped up, at least the third big-money case this year. This time, though, the victim isn’t going after his phone carrier. Instead, Gregg Bennett is targeting the exchange where the money was held. The angel investor is suing cryptocurrency exchange Bittrex for allowing someone to walk off with almost 100 BTC, currently worth around $1 million, this past April.

The Washington State-based investor reportedly lost his crypto and his online identity as a result of the hack. The case is still being investigated and there are reportedly no new leads, but Bennett asserts that the entire incident could have been avoided if the exchange had done its job properly.

Bennett alleges that Bittrex ignored its own security protocols, as well as industry standards, when it didn’t stop the theft as it was taking place. He adds that he notified the exchange as soon as he realized what was happening, yet Bittrex didn’t move on his notice until sometime later.

Those assertions seem to be backed up by Washington’s Department of Financial Institutions. A financial examiner with the department determined that Bittrex had not taken “reasonable steps to respond” to Bennett’s hack claim and that it may have violated its own terms of service.

In an email to CoinDesk, Bittrex CEO Bill Shihara claims the fault lies with Bennett, not the exchange. He asserts that the platform has a number of security protocols in place, but that the company cannot secure peoples’ personal devices, such as tablets or smartphones. He adds, “I think this is a problem that requires a lot of solutions and a lot of layers of security. And unfortunately one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”

For his part, Bennett disagrees. He lives in Washington State; however, the hacks came from an IP address out of Florida—that should have been the first clue. The second clue was from the type of operating system associated with the hack, Windows NT, which is one he has never used.

Just like in other SIM attacks in the past, this one also involves AT&T. The last one found AT&T sued after it was revealed that two of its employees had helped facilitate the thefts, and Bennett believes this may have occurred in his case, as well. He asserts that the account PIN and Social Security number associated with his account were changed, which he says is evidence that someone from within the company had their hands inside.