QUADRIGA INITIATIVE
$507 000 USD
APRIL 2019
UNITED STATES
BITTREX
DESCRIPTION OF EVENTS
"Gregg Bennett" was a "Bellevue-based venture capitalist". "Gregg Bennett is an entrepreneur in Bellevue, Wash., and he knows a bit about tech." "Bennett initially decided to trade cryptocurrencies on Bittrex because he “wanted to support local entrepreneurs.” He said he was also swayed by Bittrex’s claims to be more secure than competitors like Coinbase and Binance."
"[O]n April 15th, 2019, tech investor Gregg Bennett was having a little afternoon business chat with his son when his mobile phone dropped signal." "[W]hen his smart phone started acting funny, he got a bad feeling."
"It absolutely goes dead. There's no cell signal, no nothing. I can't get into my email accounts either."
"I was having trouble getting into my email account. And all of a sudden my phone went dead," he says. "I look at my phone and there's no signal. And I go, 'Oh no, something's happened here.'"
"He was the target of a Sim Swap attack." "Like other high profile cases brought to light, a scammer manages to impersonate someone using information gained by other methods and requests that a SIM is reissued to the hacker. Afterward, the hacker is capable of using phone-based verification systems to gain access to various accounts their victims had connected to their mobile number."
"I immediately called up AT&T and they say 'Sorry sir, that's not your account'. All my crypto accounts had been hacked. And think about how easy this is. If somebody takes over your phone, all these folks have to do is use your email address to try to logon to these accounts and then say forgot password. So then the password reset is sent to your text, which is now controlled by another phone that you don't have."
"And they reset the passwords and now they have complete control over getting into all of your crypto accounts."
"[Graham] Clark was perfecting his scams in grade school."
"Make no mistake, this is not an ordinary 17-year-old," explained Warren.
"He started his criminal career at 12 years old, going on Minecraft, scamming people on Minecraft, selling what’s called capes. It's your badge of honor in the Minecraft world," Rickman says.
"Clark would sell the capes, take the money but never deliver the goods. He got away with it and then moved on to bigger scams."
"The way Graham used to find his targets - He would go on like the Twitter accounts of Coinbase, Bittrex, Binance, and he'd see who looked rich, who didn't. You know, who flexed, who didn't, who looked umm, more wealthy."
"Once Graham and never identified accomplices targeted Gregg, they would have doxxed him to get his phone number and email addresses, and then used that information to execute the Sim Swap."
"Graham then tried his hand at role-playing."
"He would call AT&T in order to get someone’s phone number he would call the provider pretending to be an employee get access through the terms and language that employees use," Rickman said.
"They got into my Amazon account, my Evernote account, my Starbucks account — they were kind of messing with me," [Gregg] says, with a rueful laugh.
"The big prize was his [Bittrex] account. It's not clear exactly how they used his phone number to log in, but once they did, he says they stole 100 Bitcoin."
"Bennett stated that the exchange had to be aware that foul play was at hand. The IP address and the operating system were both completely different from his own. He claims that the hackers drained 100 bitcoin from his Bittrex account, before selling his altcoins below market value and gaining another 30 bitcoin through that."
"In total, [Graham] got away with what amounted to be 164 bitcoins. 100 of that was worth $865,000, but in today's value it would be worth $6.3 million."
"Graham and friends actually ran into a problem when stealing from Gregg."
"Because I had a 100 bitcoin limit in this specific account with Bittrex, they repeatedly tried to go back in and take whatever else was left out of that account, but the 100 bitcoin limit kind of mitigated my losses if you want to say that." And so, just like the Minecraft days, when one scam isn't working, iterate. In this case, that meant extortion.
"Graham Clark, who was going by Scrim at that time as his pseudonym. So he tried to ransom you from your own email address, to regain access to your information for an additional 50 bitcoin, was that what they tried to do as well?"
"Yeah, so I actually had 4 email accounts. They had actually hacked all four of them, and then gave me access - re-gave me access to one, and used that as a, as a vehicle to try to communicate and extort more from me."
"But as the days go on and Gregg isn't responding to the ransom it becomes apparent that Graham has pulled a fast one on his accomplices."
"Graham decided to keep all the money and he didn't split it with the other people."
"I assume Graham vanished on whatever messaging service they were using, because they get desperate and start trying to reach him through Gregg's email account, threatening that they're going to turn him into the police if he doesn't share 66% of the theft."
"Yeah so I mean, as you know, a lot of people didn't like him because of some of the choices he made. So obviously that's going to come with some backlash. They got his family's personal info. They were just constantly harassing him. Someone sent people to Graham's house to scare him or even rob him at one point."
"While they were planning his robbery, they wanted to have him like tortured, and like a lot of dark things done to him."
"The thing is, he was no ghost. After this, he was the subject of a criminal investigation which ultimately led to a search warrant being executed at his residence in August 2019, just 4 months after this theft."
"Get this. From that, they seized $15,000 in cash and 400 bitcoin from Graham. That is a crap ton more than what we knew about. I mean, I assume he was involved in many similar SIM swap attacks that were never linked back to him to acquire that. But, at this point, I don't think we're ever going to really know for sure."
"So, what the heck does he do with it? He balls out."
"They say Clark flaunted his wealth at Gaither High school sporting designer watches and clothes and no one questioned it." "According to the Times, Graham was attracting attention at school because he seemed to have an unusual amount of wealth for his age. He was buying designer clothes, apparently flashing large amounts of cash, and of course he had that BMW 3 series."
"But where he was really showing off was on his Instagram account @error. Now, unfortunately, this account has since been terminated and most of the content lost to time, but to give you an idea of the type of purchases he was boasting about, one of the things that did survive is this shoutout from a jeweler to the hiphop elite showing that Graham had purchased themself a gem-encrusted Rolex."
"Dude was spending some mad coin."
In October 2019, Bennett entered "arbitration with AT&T, which wouldn't talk about his case to NPR. He says the company is stonewalling on details of how he got SIM-swapped, but he suspects he was victimized by somebody on the East Coast."
"When I finally recovered my phone," he says, "I got a text message asking how my service was at the AT&T store in Boston."
"In a November email to Bittrex CEO Bill Shihara included in court filings, with the subject “Bennett hack — I’m just getting started,” Bennett threatens to unleash a multi-phase campaign of “disruption” to “encourage Bittrex to rectify my account.”"
“I am in it for the long haul,” he wrote.
"[I]n recent weeks, [Bennett has] stepped up his campaign against the company."
“I felt pretty secure about putting my money into a local institution that claims to be secure, then it was stolen out from under me,” Bennett said in an interview. “It seems silly that these exchanges claim they have no responsibility to protect customer assets. Normal people would think that’s kind of ridiculous.”
"He’s purchased Twitter ads attacking Bittrex as an “Unsafe Exchange.” He’s hired stand-ins to join him in waving signs with the slogan “Bittrex is Unsafe” in downtown Bellevue, where he believes Bittrex has an office. He retained a mobile billboard to circle outside a Las Vegas bitcoin convention. He even has a website, bittrexunsafe.com, that lays out his case against the company."
"Bennett filed a lawsuit against Bittrex through Washington’s King County Superior Court. In the suit, Bennett claims that Bittrex has ignored the industry’s security standards and violated its own security protocols." Bennett "stat[ed] that Bittrex meddled its privacy and security laws by ignoring industry standards and refraining the prospect to stop the widespread crime." "Through doing this, they missed the chance to prevent Bennett’s more than $1.2 million loss in the form of crypto assets. Bennett claims that he personally notified Bittrex, but the exchange did not correctly take steps towards securing his account on the 15th of April, 2019."
"Bennet[t]’s lawsuit claims that the crypto exchange failed to adhere to industry standards. His lawyers stated that other exchanges impose a 24-hour hold on all withdrawals after a password change and that Bittrex should have enacted something similar."
"Bennett said he realized he’d been hacked almost immediately, but he alleges Bittrex moved so slowly to restore his access that over two days, hackers were able to steal 100 Bitcoin, worth close to $1 million at the time. The company asked Bennett to re-verify his identity by meeting a Bittrex representative in the lobby of the downtown Bellevue Westin, according to emails between Bittrex and Bennett."
"Bittrex has argued that Bennett has no authority to sue. The terms of service Bennett signed when he established an account specify the only way to resolve a claim against the company is through arbitration — not a lawsuit."
"Bittrex yet abstains from commenting about Bennett’s case, but Bill Shihara, the CEO, in a conversation with CoinDesk, stated about the exchange’s resolute security to prevent account transgressions. He stressed upon the employed two-factor-authentication and e-mail verification services."
"Bill Shihara, the Chief Executive Officer of Bittrex, told the press that the exchange platform had a sturdy security system in place. This system was used to prevent account breaches through things like two-step verification and email verification systems that activate should an unknown IP try to access an account."
"Even so, he states that it should never be left to your phone as a last line of security. He reminded people that if a criminal then takes over your phone, they take over everything that you relied on it for verification." "Shihara further argued that trusting one’s phone for high security is also not very appropriate as once it is taken over, every piece of information is accessible. He stated, “unfortunately, one of the mantras that we use and often publish articles about is that ultimately you can’t trust your phone. You have to be aware that you could lose control of your phone.”"
"The Department of Financial Institutions’ Legal Examiner for their Washington Branch concluded that Bittrex failed to take reasonable steps in order to respond appropriately. The Examiner also stated that it seemed that Bittrex had violated its own terms of service through doing so."
"A large number of legal bodies ha[d] been notified about the hack [as of November 9th, 2019]. However, none of these groups ha[d] announced any criminal charge laid against someone in terms of this case. At [that time], Bennett’s bitcoins [we]re nowhere to be found."
"State regulators previously faulted Bittrex in the dispute, but now say they’re going back over their investigation."
"The regulator’s findings relied on timestamps appearing to show Bennett emailed Bittrex to request the company freeze his account two hours before the hackers drained the last of his Bitcoin. However, DFI’s letter did not specify in which time zones the timestamps were generated. Many cryptocurrency transactions are stamped in Universal Time, seven or eight hours ahead of Pacific Time. That could throw into question the state’s timeline of the case, a Bittrex spokesperson said."
"In an email, DFI enforcement chief Steve Sherman said the agency has now determined that the time zone “issue requires further investigation and that confidentiality must be maintained at this time.”"
“Bittrex is committed to ensuring our customer’s data and assets are safe and secure on our exchange,” a company spokesperson said in a statement. “Bittrex utilizes two-factor, app-based authentication, the industry standard. Unfortunately, Mr. Bennett lost control over his phone and his account was compromised as a result. No system can protect against a user’s loss of login credentials to a hacker.”
"People who are using phones as their only source of two-factor identification are inviting identity theft," Bennett warns.
“I do hold AT&T partially responsible,” Bennett said. “But I hold Bittrex more at fault. Even though there was suspicious activity happening, they didn’t shut down my account.”
Graham's "biggest criminal act caught the world’s attention."
"He would call one person at Twitter and call another person at Twitter and eventually he got up the chain at Twitter and made contact with someone who had the code infiltrating an employee at Twitter," Rickman explained.
"Now Clark had access to the Twitter accounts of the most powerful people in the world."
"Graham Ivan Clark, 17, is accused of using the hijacked Twitter accounts to scam people around the world out of more than $100,000 in Bitcoin."
"With the ability to potentially shut down economies around the world, potentially start world war III what did he do? a simple bitcoin scam at the end of the day he acted like a kid," snickered Rickman.
"He is charged with 17 counts of communications fraud, 11 counts of fraudulent use of personal information, and one count each of organized fraud of more than $5,000 and accessing computers or electronic devices without authority. The brief hearing in Tampa took place via the video conferencing service Zoom."
"After his arrest Clark's digital associates zoom bombed a virtual court hearing, posing as members of the media."
"Although the case was investigated by the FBI and the U.S. Department of Justice, Hillsborough State Attorney Andrew Warren said his office is prosecuting Clark in state court because Florida law allows minors to be charged as adults in financial fraud cases when appropriate. He called Clark the leader of the hacking scam."
"Clark is now locked up at a youthful offender facility for the next three years and is now banned from using a computer. Prosecutors say the one thing in life he really mastered but used it to do bad things."
Bennett said "I got a notice from the Secret Service. When they finally captured Graham, they made it known to me that there was probably some recovery that was available to me."
Gregg Bennett was targeted through his online presence, and ultimately this was used by Graham Clark to perform a SIM swap on his AT&T phone and gain access to his Bittrex trading account. Over 163 bitcoin worth of funds were accessed within his account, and 100 bitcoin were withdrawn from his account, despite his apparently contacting Bittrex to freeze the account ahead of the withdrawal. Gregg further became the subject of email extortion in an attempt to convince him to give up the remaining 63 bitcoin.
Gregg ran a large series of campaigns, arbitration, and lawsuits against Bittrex and AT&T, with no luck in regaining his funds. Eventually, Clark went on to hack Twitter in the widely publicized doubling scam incident. While details are unknown, Gregg was reportedly contacted by the Secret Service and may have the opportunity to recover some of the lost funds through that process.
HOW COULD THIS HAVE BEEN PREVENTED?
Users of cryptocurrency platforms need to be sure they are truly using a multi-factor authentication scheme. Having a single factor such as a cell phone number or the same computer able to fully recover or access an account leaves the user vulnerable if that factor is ever exploited. In Gregg's case, his phone number was tied to his email accounts, so everything could be recovered by the single SIM swap.
Exchange platforms need to put in place protections against transferring out assets shortly after account credentials have been reset.
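The sketch below is an added example, not Bittrex's code or anything from the sources quoted above. It shows how an exchange could gate withdrawals on the three signals this case turns on: a recent credential reset (the 24-hour hold cited in the lawsuit), an unrecognised IP address and operating system, and an owner's freeze request. All timestamps are normalised to UTC so the order of events cannot depend on an unstated time zone. The Account model, function names, addresses and times are hypothetical, constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD_AFTER_RESET = timedelta(hours=24)   # the 24-hour hold cited in the lawsuit
PDT = timezone(timedelta(hours=-7))      # Pacific Daylight Time (April)
UTC = timezone.utc

def to_utc(ts: datetime) -> datetime:
    """Normalise to UTC; refuse naive timestamps instead of guessing a zone."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp has no time zone")
    return ts.astimezone(UTC)

@dataclass
class Account:                       # hypothetical model, not Bittrex's schema
    known_devices: set               # (ip, os) pairs seen on earlier logins
    last_credential_reset: Optional[datetime] = None
    freeze_requested_at: Optional[datetime] = None

def withdrawal_decision(acct, when, ip, os_name):
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    now = to_utc(when)
    if acct.freeze_requested_at and to_utc(acct.freeze_requested_at) <= now:
        return "deny", "owner requested a freeze"
    if acct.last_credential_reset:
        reset = to_utc(acct.last_credential_reset)
        if reset <= now < reset + HOLD_AFTER_RESET:
            return "hold", "credentials reset less than 24 hours ago"
    if (ip, os_name) not in acct.known_devices:
        return "hold", "unrecognised IP/OS, confirm out of band"
    return "allow", "no risk signal"

def demo():
    """Constructed timeline: reset 14:00 PDT, freeze e-mail 16:00 PDT."""
    acct = Account(
        known_devices={("203.0.113.10", "macOS")},
        last_credential_reset=datetime(2019, 4, 15, 14, 0, tzinfo=PDT),
        freeze_requested_at=datetime(2019, 4, 15, 16, 0, tzinfo=PDT),
    )
    new_device = ("198.51.100.7", "Windows")
    return [
        # 22:00 UTC is 15:00 PDT: after the reset, before the freeze e-mail
        withdrawal_decision(acct, datetime(2019, 4, 15, 22, 0, tzinfo=UTC), *new_device),
        # 23:30 UTC is 16:30 PDT: after the freeze e-mail
        withdrawal_decision(acct, datetime(2019, 4, 15, 23, 30, tzinfo=UTC), *new_device),
    ]

if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Read by clock face alone, a withdrawal stamped 22:00 looks later than a freeze request stamped 16:00; with zones attached it is an hour earlier, which is the ambiguity the regulator's timeline ran into.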
From Hacking $4.1 Million to Prison | The IRL Money Doubler - YouTube (Jun 19)
Gregg Bennett Sues Bittrex After Losing More Than $1.2 Million Through SIM Swap – Cryptovibes.com – Daily Cryptocurrency and FX News (Oct 20)
Bittrex being sued for SIM swapping worth $1 million - Bittrex Exchange News - Coinnounce (Oct 21)
https://www.seattletimes.com/business/technology/after-hackers-stole-1m-in-cryptocurrency-bellevue-venture-capitalist-launched-pr-blitz-against-local-company-he-blames/ (Oct 21)
Is Bittrex Unsafe? (Oct 21)
https://web.archive.org/web/20200228175241/https://www.bittrexunsafe.com/ (Oct 21)
Using Cell Phone Numbers As A Secondary ID Can Pose Security Risks, Experts Say : NPR (Oct 21)
Graham Ivan Clark, teen behind Twitter hack, pleads not guilty (Oct 21)
https://www.fox13news.com/news/tampa-bay-true-crime-series-accused-twitter-hacker-graham-clark (Oct 21)
Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16)
'SIM-Swap' Scams Expose Risks Of Using Phones For Secondary I.D. | WBUR (Nov 3)