On Monday, IRA Financial Trust, a platform providing self-directed digital asset retirement and pension accounts, filed a lawsuit against cryptocurrency exchange Gemini for alleged negligence in safeguarding customers’ digital assets during a critical exploit. The firm’s client accounts were held in Gemini’s custody. On February 8, a breach led to the siphoning of $36 million in crypto assets from customers’ accounts via unauthorized withdrawals. 

Since then, both companies have blamed each other for being responsible for the loss of funds. To complicate matters, an allegedly fake 911 call coincided with the time of the hack that distracted many of IRA Financial Trust’s employees from their desks. To avoid single points of failure in its security systems, Gemini possesses multiple security features such as two-factor authentication, whitelisting withdrawal addresses and fraud detection algorithms.

However, IRA Financial Trust alleged that there was instead a single point of failure within Gemini’s API systems. The firm claimed a mastery key existed for clients’ accounts with the ability to bypass all built-in security measures. “Hackers were able to gain control of IRA’s master key by committing crimes,” the release simply claimed.

One scenario is that a series of alleged unencrypted, unsecured e-mail exchanges between Gemini and IRA Financial Trust served as the backdrop for the breach. IRA Financial Trust denies that it was informed by Gemini about the power of the “master key” in the first place. The lawsuit comes less than a month after the two parties attempted to settle the issue out of court.

Cointelegraph reached out to representatives at Gemini for comment, but did not hear back in time for publication.