IRA Financial Trust, a fintech startup that offers crypto investment options, suffered a security breach on Feb. 8 and lost about $36 million in cryptocurrency.

A statement on the IRA Financial Trust website at the time of writing, reads:

“On February 8, 2022, IRA Financial Trust discovered suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange. We have provided individual notifications to all affected customers and have separately notified non-impacted customers.”

The fintech startup, which focuses on establishing and offering individual retirement accounts like self-directed IRA, Roth, SIMPLE Accounts, SEP Accounts, 401(k) plans, Health Savings Accounts, etc., is in affiliation with Gemini exchange.

IRA Financial’s promise is to make it seamless for employees to invest a portion of their paycheck into crypto. For instance, an employee can opt to receive a portion of their salary using their IRA Financial Account, while the rest is paid to them directly. IRAs are tax-friendly and are a popular tool for investing in other asset classes.

Hackers Stole $36 Million in Crypto From IRA Financial Trust

Per a Bloomberg report, unidentified hackers stole an estimated $21 million worth of  Bitcoin and $15 million worth of Ethereum from the accounts of clients using IRA Financial Trust customers, according to an anonymous source.

Although none of the stolen assets have been recovered, Chainalysis Inc, the blockchain security firm, revealed that it tracked the movement of the funds stolen and discovered that it is being laundered through the popular Tornado.Cash “mixer” service.

Meanwhile, some IRA Financial users posted on Reddit that the funds in their crypto accounts had been stolen and transferred to a Roth IRA account with the name “Benjamin Choe,” after which they were moved to crypto mixing services.

Who Takes The Blame for the IRA Financial Hack?

The latest development is worrisome for IRA Financial users, since neither IRA Financial nor Gemini has stood up to take the blame for the lost funds.

Financial spokesperson Maria Stagliano reportedly mentioned that Gemini did not provide security at the same time, refusing to state which security controls IRA Financial had in place. She also refused to reveal information on the hackers and how the victims can recover their stolen crypto funds.

Gemini, on its part, mentioned that while it was willing to help out in the investigation, it was not to blame for the hack. The company stated it is not in charge of the security of IRA Financial Trust’s security systems.

Unless investors are eventually made whole, the IRA Financial Trust hack might become a classic story highlighting the popular crypto adage, “Not your keys, not your coins.” Investors are often better off holding the keys to their assets, instead of trusting them with a third-party custodian.

Your crypto deserves the best security. Get a Ledger hardware wallet for just $79!