Hackers stole $21 million in Bitcoin and $15 million in Ethereum from retirement accounts held with IRA Financial Trust on February 8, according to a report from Bloomberg based on an anonymous source.
The FinTech startup, which manages individual retirement accounts in non-traditional assets, has been dealing with allegations of a major hack for nearly a week.
Late Friday, it tweeted that it had "discovered suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange." The same notice now appears on its website.
But according to an email purportedly sent to affected users and shared via screenshot with Decrypt, this is more than "suspicious activity."
It states: "Our investigation is ongoing, but a preliminary assessment indicates an attempted theft of cryptocurrency funds within the impacted accounts occurred. We are proactively utilizing all available resources to recover the funds."
Meanwhile, impacted users are complaining that they have been locked out of their accounts as they await answers. IRA Financial Trust has not yet responded to a Decrypt request for comment.
IRAs, or individual retirement accounts, are tax-advantaged savings instruments for U.S. workers, who can deduct their contributions from their income. For instance, if you make $60,000 but contribute $5,000 to an IRA, you're only taxed on $55,000; you only pay taxes once you withdraw funds. IRAs allow for investments in stocks, bonds and mutual funds, but not cryptocurrencies.
Self-directed IRAs, like the kind IRA Financial Trust offers, do. But there are risks. Companies that administer self-directed IRAs can't give financial advice—that's why they're called "self-directed"—and the rules and fees aren't as straightforward as what you might find on Vanguard.
IRA Financial's value proposition is making the process a bit easier. Its customers can make retirement investments via its app, which it has linked to Gemini. If you can buy it on Gemini, you can hold it in your IRA. According to IRA Financial, "Our new cryptocurrency solution is the first to allow retirement holders to hold cryptocurrencies in an IRA directly on an exchange."
Gemini Head of Communications Carolyn Vadino told Decrypt: "Gemini’s systems have not been hacked or compromised in any way. We are aware that IRA Financial experienced a security incident last week and have offered assistance to IRA Financial in their investigation. While IRA Financial’s accounts are serviced on the Gemini platform, Gemini does not manage the security of IRA Financial’s systems."