My BTC Was Stolen On The Gemini Exchange
This site was created to tell my story of how 14.11 Bitcoins were stolen from my Gemini account in the blink of an eye and to hopefully spare anyone else from the agony and devastation my spouse and I experienced.
20 minute read (but it's an easy one :))
July 20, 2022- Transaction Finality
The nightmare started on July 20, 2022 when my spouse and I sat at the computer and logged into my Gemini account with the intention of transferring most of the BTC to a Trezor wallet. At this point in time crypto had been crashing. Celsius and Voyager were going bankrupt and there was a lot of uncertainty. We had been moving our crypto from various exchanges to what we believed was the safest exchange, Gemini, and from there we would move most of it to a Trezor. This probably sounds silly, but we were nervous about putting crypto on a Trezor and then protecting that little device. Despite Gemini being sued by IRA Financial Trust for a $36 million hack, we (stupidly) still thought Gemini was the best choice for holding our crypto safely. After all, they're US based in NYC and trust is their product. What could possibly go wrong?
The Fateful Login- The Day My Bitcoin Died
After entering the password into the main page of the exchange, there was a notification on the login screen that Gemini wanted to verify and sync the email address to provide security for the account. This wasn’t the usual protocol, but with everything mentioned above, we believed that Gemini was being proactive to provide an added safety measure. This likely caused the breach because we would soon realize thieves had access to my Gmail account. This made the theft very simple because they were able to confirm anything they did on the exchange through my email then immediately delete the email thus making it difficult for us to realize the theft. We learned that with Gemini, confirming a new login and withdrawal of the entire BTC holding only required a one-click confirmation through email.
Yes, I had 2FA SMS set up but it didn't help anything as it seems the hacker(s) were logged in WITH us. Seemingly AHEAD of us. I do not believe the crooks had access to my phone, but I'll never know for sure. We also both have McAfee and Malwarebytes installed on our computers and my Gmail password and Gemini password were not the same.
Going, Going, Gone- The Heist
Everything from this point happened so fast and we had no idea we were under attack. According to Gemini, a new sign-in from Miami, FL occurred at 11:48 am, which is not our location. Gemini disabled the account from making withdrawals and sent an email to re-enable the ability to withdraw. The login location should have been the first red flag to Gemini. And it was. For 48 seconds.
I saw that email for an instant, but then it disappeared from my inbox. I checked the trash folder and there was nothing. I/we were confused, still unaware that we were being attacked. We thought maybe there was a glitch, or even imagined something! We've never been hacked but we have experienced glitches or received unintentionally sent emails by companies. We were having trouble getting logged into the exchange. It was slow. We just figured it was our internet connection so I jumped on my Gemini phone app. Ok, everything looked fine. The numbers were where they should be and we accessed the account on our computer while casually chatting- oblivious to what was taking place under our noses. Less than a minute after their initial sign-in, the attackers were back in the account.
At 11:53 am the thieves made the withdrawal (transfer) of all of our Bitcoins and the email from Gemini was sent to confirm the withdrawal. This withdrawal should have been the second red flag to Gemini to take a timeout and pause, but that never happened. Unfortunately, it was too late. Unaware of what was happening, we missed the email. The hackers had clicked the link in the email and confirmed the withdrawal, then immediately deleted the email and emptied the trash folder. We were clueless.
At 11:56 am I received an email that I was able to intercept before the thieves deleted it. 14.11 BTC were transferred and if I believed my account had been compromised to click on the link to freeze the account. Which I immediately did. This email was also deleted (trash emptied) but I was able to screenshot it first.
OMG!!! It all clicked in my brain. I didn't imagine the first deleted email I saw for that split second. After this one, I knew without a doubt I had been hacked and my entire BTC holding had just been stolen from me- worth over $324,000 at the time of theft.
I refreshed the phone app and, indeed, all BTC's were gone. But we can stop this, right? I mean it just happened 3 minutes ago and I froze the account.
They Were Going to Take Everything
We were now logged into the Gemini exchange on our computer, clicked on the transfer page and saw that the transfer was unconfirmed. This gave us hope the transfer could be stopped from going through and everything would be ok.
We were frantic and fumbling to open up a support ticket with Gemini because, of course, there is no phone number to call. We opened the ticket and within a few minutes Gemini responded- basically asking for everything we'd already provided. They assured us our account was frozen. After the fact.
About 15-20 minutes later, a refresh showed that the withdrawal had now been confirmed, which killed any hope we had of us not losing our Bitcoins forever. This can't be real. I felt sick.
Using the GUSD coins in the account, we learned the thieves had also made a sizeable unauthorized purchase of ETH- only 34 seconds after the BTC withdrawal. Obviously, that would have been the next withdrawal had the account not been frozen but, at this point, it was of little avail. There was also some USD fiat that would have then likely been the following theft. They were going to take it all.
Meanwhile, I changed my Gmail password, and then changed it again.
Biggest Sucker-Punch-to-the-Gut Feeling. Ever
We could not believe this happened. Why was it so easy to withdraw all the BTC from an account when:
1. There was a sign-in from a new location minutes prior to the withdrawal? I don't use a VPN so my sign-in location doesn't change.
2. There has never been a single BTC sell or any withdrawal of any kind on the account's 1.5 year existence?
These were two Red Flag events worthy of a hold. These two events were out of the norm of anything ever done in the account. How was there no hold on such a large amount? Every transfer made to Gemini from other exchanges required several days of holding before the transfer was allowed. I didn't know a withdrawal this instant was even possible in crypto. A five minute hold would have saved us from this catastrophic loss but, with Gemini, simply click a link in an email and then nothing can be reversed. This is known as "transaction finality."
In shock, feeling violated and duped, my worst crypto nightmare came true. Over $324,000 in Bitcoins were stolen from my Gemini account despite a freeze to the account within three minutes of the withdrawal. 180 seconds.
Gemini's "Security"
Gemini's security page is titled Safest Crypto Exchange - Security and they boast "Trust is our product" and they employ a "...leading security program focused on developing innovative security solutions to help protect and secure our customers and their assets." Innovative security solutions? I beg to differ. I would not have had the same outcome had I stayed with another exchange. I am quite confident of that.
Gemini "Support"
I went through the motions of giving Gemini a new email and submitted my picture holding my passport and the paper containing the written series of numbers they provided to restore the account to me. This is normal protocol for exchanges to confirm identity and we have had to do this in the past for other exchanges. Exchanges that actually made safety and double checking their priority to avoid irreparable issues.
A week passed. Then two. Then three. Then four. My account with the unauthorized ETH purchases and USD fiat remained frozen and I was unable to reclaim what money I had left. My spouse and I were in disbelief that thieves can have access to our funds with absolutely no hold while we evidently had to hold weeks, if not months, if not years.
Onward and Upward- Gemini Support Sucks
To say Gemini support has been nothing but infuriating is an understatement. Contacting their customer support for further assistance after July 20 was a complete joke and only resulted in a canned response that they're "working on the account". In fact, the only way to even get the "canned response" was to open a new support case. If I followed up on the original support case, they just ignored me.
After nearly five weeks of hearing nothing from Gemini support, they finally emailed me on August 22, 2022 asking me if I could assure them that I alone have full control of my account and that I am able to sell and withdraw fiat funds back to my linked bank account. I found it odd they wanted my assurance but gave the access anyways.
Gemini Charges Me Fees and Continues to Suck
Once I got back into my account, I initiated the withdrawal to the only bank in my account as instructed. It was returned and I was notified to contact Gemini Support as to why. Which I did. And no one responded. What a surprise.
I contacted my bank (OMG they have a phone number AND an online chat feature to have a conversation with a real live human being instantly- as instantaneous as my Bitcoin was transferred out of my Gemini account) and they said it was not possible to receive an incoming wire the same as it was sent because it was wired from a master account. I needed to either use the checking account or add wiring instructions. Ugh.
So, I go back to Gemini Support and told them I need to add another bank account or wiring instructions as per my bank. Since the original support message said I can withdraw only and said nothing about making a deposit (which is required first in order to add a new bank account), I wanted to clarify. No response. In their defense, there was an option to add another bank account but I wasn't sure if ultimately, they would allow it. I really didn't want to go through the aggravation and expense of wiring MORE MONEY into an exchange I don't like or trust. Decent support would have covered this in the original support message, or at least responded to my inquiry when I opened a support case.
Although I did not receive a reply about adding a new bank account, I did receive a $50 Administrative debit charge (presumably for the failed wire).
Since support never clarified my question about adding a new bank, my only option was to wire money from my checking account to Gemini so that I could turn around and wire all of my money back to my checking account. And incur more fees.
Meanwhile, I sold the unauthorized purchase of ETH and was charged a $161 trading fee. I messaged support and demanded the fee be reversed. Did you guess it? If you guessed no response, you'd be correct. Apparently I have not suffered enough.
One thing Gemini does well is kicking a dog while it's down. And not responding. Ok that's two things they do well.
Alphabet Soup Agencies- Reporting to the Authorities
Not that I actually thought government would or could do anything, my spouse and I decided we needed to make people in authority aware of the situation and state my case that not enough account safety was provided to me. In other words, Gemini was negligent in providing me essential security by lacking the ability to identify suspicious account activity.
FBI- No response.
SEC- No response.
FTC- No response.
NYSDFS- Responded. Referred me to CFPB.
CFPB- Responded. Forwarded me Gemini's response to my complaint and closed the case. Said will forward to the FTC.
I was particularly disappointed and confused that NYSDFS said they only have jurisdiction over New York customers.
According to Gemini's website, NYSDFS is the organization that regulates Gemini (which includes cybersecurity). Call me crazy, but if the NYSDFS will only involve itself with issues pertaining to New York residents, is that really regulating Gemini? It seems a bit misleading to US citizens.
On August 30, Gemini support emailed to tell me how to best secure my account AND to tell me about their new security features. Then, they signed off with "Onward and Upward". Wow! Thanks! You don't continue to piss me off AT ALL. Where was this email on July 19? Oh wait, Gemini added the new security feature AFTER $324,000 WAS STOLEN FROM ME and they needed to report to the CFPB how wonderfully they were handling my support case. Keep kicking the dog.
Ironically, the August 30 email was received 31 minutes before I received the email from the CFPB with Gemini's response to my complaint. In their response to the CFPB, Gemini stated that they:
1. Did not observe any indication of potentially fraudulent activity on the account
2. Handled my complaint in a manner consistent with their policies and procedures, User Agreement, and obligations to its customers
3. Reinstated my ability to withdraw funds on August 22
4. Provided instructions to further secure my account using Authy 2FA on August 30.
This reply was within the 15 day time frame the CFPB gave me. Based on said time frame, I believe the only reason I was allowed access to sell and withdraw my remaining funds so quickly (um, 5 weeks) was because Gemini had a deadline to report back to the CFPB with how they were responding to me, which, until August 22 they weren't. Otherwise, who knows when I would have gained access.
That's a Wrap
This incident has caused immense stress and a few sleepless nights. Please learn from this experience. If you are hacked on the Gemini exchange the only thing you will get is treated badly. And don't expect the government to help. You're on your own and it doesn't feel good.
"Not your keys, not your coins" is very real. But it's old. Bitcoin has been around for over a decade and this "wild west" mentality that an exchange doesn't owe a tad more than basic security to its customers is not ok- particularly from US exchanges. I thought I was getting more. I trusted that the Winklevoss twins had the safest security combined with the best location. That even if my account was compromised, this couldn't happen. Boy was I wrong. One login. One second too late.
As of the last email received from Gemini support on August 30, my case is "still under review". Whatever they're reviewing, if they are, will be of no benefit to me. Perhaps to someone else.
I'm sure there's many that will read this and think this is all my fault and I got what I deserved. My spouse and I were gullible and stupid. Fair enough. I still stand by my belief that Gemini is the worst crypto exchange. They neglected to have a mechanism in place to identify abnormal account activity and a verification period (for such a large withdrawal) to avoid an unscrupulous transaction finality.
My Neanderthal Brain Ideas for Better Security
Instant transfer to the network is a bad idea. Why not pause 5 minutes? Why not 10? Why not an hour? Would that make a big difference to someone legitimately transferring Bitcoin if they had to wait a few additional minutes or hours? I don't think it would. But it would have made a huge difference to me, and I'm probably not the only one.
There needs to be a mandatory verification via two methods for transfers- email / text / phone call / thumb print / answering specific questions / etc. A customer can opt in for three but it should be mandatory there are two. Gemini owes it to its customers because hackers are trying to infiltrate its customers any way they can. If that's a turnoff then there should be a waiver that a customer understands transfers are immediate thus irreversible.
I'm no programmer but isn't there some kind of "if this, then that" code or algorithm that could be written to combat hackers? Hackers will likely have a new location and move fast. For example:
IF there is a new location login, THEN disable withdrawals.
IF there is a withdrawal (particularly of everything) THEN place withdrawal on hold (for further verification).
IF there is a withdrawal >% of total account THEN place withdrawal on hold.
IF there is a new login location and a withdrawal <10 minutes apart THEN place withdrawal on hold.
IF there is a first time withdrawal THEN place withdrawal on hold.
I could go on and on with multiple combinations and scenarios. But what do I know? Apparently not enough.
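The "if this, then that" rules listed above, written out as an added example (not code from the original post or from Gemini) and replayed against the sign-in and withdrawal timestamps given at the end of the post. The 50% threshold, the rule names and the "HOME" location are assumptions, since the post leaves the percentage blank and does not state the usual login location:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# The post leaves the percentage threshold blank; 50% is an assumed value.
LARGE_FRACTION = Decimal("0.50")
# Ten minutes is the window suggested in the post.
NEW_LOCATION_WINDOW = timedelta(minutes=10)


@dataclass
class Account:
    balance: Decimal
    known_locations: frozenset
    prior_withdrawals: int = 0
    # Stays set until cleared by out-of-band verification (not modelled here).
    new_location_login_at: Optional[datetime] = None


def on_login(acct: Account, when: datetime, location: str) -> bool:
    """Record a login; return True when the location has not been seen before."""
    if location in acct.known_locations:
        return False
    acct.new_location_login_at = when
    return True


def review_withdrawal(acct: Account, when: datetime, amount: Decimal):
    """Return ("HOLD" or "RELEASE", names of the rules that fired)."""
    fired = []
    if acct.new_location_login_at is not None:
        fired.append("new_location_login")
        if when - acct.new_location_login_at < NEW_LOCATION_WINDOW:
            fired.append("withdrawal_soon_after_new_location")
    if amount >= acct.balance:
        fired.append("entire_balance")
    if acct.balance > 0 and amount / acct.balance > LARGE_FRACTION:
        fired.append("large_fraction")
    if acct.prior_withdrawals == 0:
        fired.append("first_withdrawal")
    return ("HOLD" if fired else "RELEASE", fired)


def replay_incident():
    """Replay the sign-in and withdrawal from the post's timeline."""
    # The post says the withdrawal was the entire BTC holding, so balance == amount.
    acct = Account(balance=Decimal("14.11094386"),
                   known_locations=frozenset({"HOME"}))  # constructed placeholder
    on_login(acct, datetime(2022, 7, 20, 11, 48, 51), "Miami, Florida, United States")
    return review_withdrawal(acct, datetime(2022, 7, 20, 11, 53, 27),
                             Decimal("14.11094386"))


def replay_routine():
    """Constructed contrast case: known location, small amount, earlier withdrawals."""
    acct = Account(balance=Decimal("10"), known_locations=frozenset({"HOME"}),
                   prior_withdrawals=3)
    on_login(acct, datetime(2022, 7, 20, 9, 0, 0), "HOME")
    return review_withdrawal(acct, datetime(2022, 7, 20, 9, 5, 0), Decimal("0.5"))


if __name__ == "__main__":
    print(replay_incident())
    print(replay_routine())
```

Every rule from the list fires on the July 20 withdrawal, while the constructed routine withdrawal is released.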
Will I Buy More BTC on Another Exchange?
No. After having it wiped out by a hacker with zero recourse, crypto is not for me. I know there are other exchanges that would never immediately send crypto to the network with just a click and that thousands of people own and store crypto every day. I can also use cold storage or a custodian. That might be, but I will always worry about how easily hundreds of thousands of dollars can vanish in an instant. I feel like I need an armored truck to keep crypto safe and that's pushed me out of my comfort zone. I also can't afford another loss like this- this one just about did me in financially and emotionally. The hackers will always be there and they're smarter than me. I'm a novice in the crypto space who simply believed Bitcoin was a digital asset whose value would increase over time.
My spouse and I bought BTC with the intent to HODL for years. We were more or less Bitcoin Maximalists. We've never sold even a fraction of a Bitcoin. We never farmed or staked our coins. We never leveraged it or took loans against it. We were in it for the long run. Due to our fear of losing a hardware wallet, or that it would break, or that we'd forget the keys, or, or... we foolishly left the BTC sitting in Gemini trusting our assets were safe(r), and paid the price. Too many unknowns that can (and did) go wrong. We cannot go through this again.
And no one steals shares of stocks. Stocks can certainly lose value, but no one steals them.
Thank You Charles Schwab
Charles Schwab, my bank and broker, provided me with professional, real, authentic customer service- not that fake, email 'support'- regarding the bank account issue. Schwab has courteous, competent people ready to provide me with quality service despite me holding far less money with them and them receiving far fewer fees than with Gemini. Thank you for calling me to confirm my outgoing wire transfer of $100 to Gemini so I could recover my funds. Thank you.
Below are the Gemini timestamps of the horrible events described.
A new sign-in using Chrome 10 on Windows 10 from Miami, Florida, United States was detected. As a precaution, we have disabled digital asset withdrawals from this device. To re-enable digital asset withdrawals, please refer to the email sent to the address on file for this account. If you continue having issues please contact Gemini Customer Support.
Jul 20, 2022, 11:48:51 AM
Welcome back! You last signed in 1 minute, and the price of bitcoin has changed 0.069% since then.
Jul 20, 2022, 11:49:39 AM
Your withdrawal of 14.11094386 BTC has been sent to the Bitcoin network. View Transaction
Jul 20, 2022, 11:53:27 AM
Your XXXXX GUSD market order bought XXXXX ETH at an average price of 1,599.49880 GUSD per ETH.
Jul 20, 2022, 11:54:01 AM
July 20, 2022, 11:56 AM
Unfortunately, this account is currently frozen and unable to transfer funds or trade on Gemini. Please contact Gemini Customer Support for further assistance.
Jul 20, 2022, 11:58:24 AM
Unfortunately, this account is currently frozen and unable to transfer funds or trade on Gemini. Please contact Gemini Customer Support for further assistance.
Aug 18, 2022, 1:04:37 PM
Welcome back! You last signed in 4 days, and the price of bitcoin has changed 8.960% since then.
Aug 22, 2022, 11:21:50 AM
>>>>>> I love how the last message tells me how much the price of bitcoin has changed since that's completely relevant to me. <<<<<<<
If you want to reach out that's cool, but please spare trying to scam me.
EMAIL: ithappened @ mybtcwasstolenongemini.com