Gregg Bennett, a serial angel investor who became the victim of a SIM-swap hack that occurred on April 15, 2019, filed a lawsuit in the State of Washington’s King County Superior Court against Washington-based cryptocurrency exchange Bittrex. In his filing, Bennett alleged that the exchange committed "unfair and deceptive acts that misrepresented its level of security" and violated or ignored its own security standards and industry-standard practices. Bennett asserts that as soon as he realized he was under attack, he immediately notified Bittrex, but the exchange failed to take appropriate and timely measures to secure his account. As a result of their failure to act, they missed the window of opportunity to stop the theft of Bennett’s more than $1.2 million in digital assets.
According to Bennett's press release, the cybercriminals hijacked Bennett’s mobile phone number, which served to provide access to his Bittrex and other online accounts. Having gotten their hands on Bennett's bitcoins, the hackers then reportedly sold them cheaply and deposited the proceeds into their own accounts.
Bennett claims Bittrex did not respond to his emails alerting it to the attack for nearly two hours. This delay, according to Bennett's press release, gave the hackers plenty of time to pocket his money. Apparently, the hackers tried to steal even more funds, but the exchange eventually acted on Bennett’s messages; email, as per the lawsuit, is the only way to reach the exchange's support team.
Bennett's attorney Dan Kittle, of law firm Lane Powell, had this to say: "As alleged in our complaint, Bittrex ignored a number of red flags warning Bittrex that the person initiating the withdrawal was not Gregg Bennett. [...] We plan to show in court that Bittrex either ignored or was unaware of standard industry safeguards to prevent hacks just like this."
The lawsuit alleges that Bittrex failed to detect, or ignored, a succession of highly suspicious actions on the part of the attackers, including their use of an unrecognized operating system and a suspicious IP address. It also failed to take an important industry-standard step: freezing account withdrawals for 24 hours after a change of password or 2-factor authentication.
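The two safeguards the complaint names, a 24-hour withdrawal hold after a credential change and flagging requests from an unrecognized IP address or operating system, are simple to express as a pre-withdrawal risk check. The following is an added illustration written for this article; it is not Bittrex's code and does not reflect how any exchange actually implements these controls. The data classes, the `assess_withdrawal` function, and the sample account and request values are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Industry-standard hold described in the article: no withdrawals for 24 hours
# after a password or 2-factor authentication change. (Assumed policy value.)
HOLD_WINDOW = timedelta(hours=24)


@dataclass
class Account:
    """Hypothetical per-account profile used for the risk check."""
    known_ips: Set[str] = field(default_factory=set)
    known_os: Set[str] = field(default_factory=set)
    # Most recent password or 2FA change, or None if never changed.
    last_credential_change: Optional[datetime] = None


@dataclass
class WithdrawalRequest:
    """Hypothetical withdrawal attempt as seen by the exchange backend."""
    ip: str
    os_name: str
    requested_at: datetime


def assess_withdrawal(account: Account, req: WithdrawalRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    HOLD   - inside the post-credential-change window; withdrawal is blocked outright.
    REVIEW - outside the window but from an unrecognized IP or OS; needs step-up
             verification or manual review before funds leave.
    ALLOW  - no risk signals fired.
    """
    reasons: List[str] = []

    # Signal 1: recent password / 2FA change. A SIM-swap attacker typically
    # resets credentials first, so this is the strongest indicator to act on.
    if account.last_credential_change is not None:
        elapsed = req.requested_at - account.last_credential_change
        if elapsed < HOLD_WINDOW:
            hours = elapsed.total_seconds() / 3600
            reasons.append(f"credential change {hours:.1f}h ago (hold window {HOLD_WINDOW})")

    # Signal 2 and 3: request originates from an IP address or operating
    # system never seen on this account before.
    if req.ip not in account.known_ips:
        reasons.append(f"unrecognized ip {req.ip}")
    if req.os_name not in account.known_os:
        reasons.append(f"unrecognized os {req.os_name}")

    if any(r.startswith("credential change") for r in reasons):
        return "HOLD", reasons
    if reasons:
        return "REVIEW", reasons
    return "ALLOW", reasons


# Constructed sample data: an account whose password was changed 90 minutes
# before a withdrawal is attempted from a new IP and a new operating system.
T0 = datetime(2019, 4, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = Account(
    known_ips={"203.0.113.10"},          # RFC 5737 documentation range
    known_os={"macOS"},
    last_credential_change=T0 - timedelta(minutes=90),
)
SAMPLE_REQUEST = WithdrawalRequest(ip="198.51.100.7", os_name="Windows", requested_at=T0)


def sample_decision() -> Tuple[str, List[str]]:
    """Run the check over the constructed sample above."""
    return assess_withdrawal(SAMPLE_ACCOUNT, SAMPLE_REQUEST)


if __name__ == "__main__":
    decision, why = sample_decision()
    print(decision)
    for r in why:
        print(" -", r)
```

The ordering matters: the hold fires regardless of how familiar the device looks, because an attacker who has just reset credentials can also be coming from a recognizable network. The IP and OS checks are weaker signals on their own, so they escalate to review rather than an outright block.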
Bittrex did not issue any direct comments regarding the impending lawsuit. Instead, the exchange continues to assert that its security procedures are as tight as could be: it uses industry-standard tools like email verification and 2-factor authentication that serve to detect log-in attempts from unrecognized IP addresses. Bill Shihara, the owner of Bittrex, went on to shift the blame onto the victim, claiming in essence that mobile phones are too vulnerable and should never be one's last line of defense.