In mid-2021, Marshall Griffin, a bank executive in central California, invested his retirement savings with management firm IRA Financial Trust, based in Sioux Falls, South Dakota.
Given the option of different funds, Griffin bought two Bitcoins worth about $85,000 through Gemini Trust, which worked with IRA Financial as a cryptocurrency exchange. A few months later, in central Indiana, Evan Frederick Light, then 19, sat amid his computer equipment and nine cellphones in a two-bedroom home. On Feb. 8, 2022, Light would steal Griffin’s Bitcoins in a cyberattack on IRA Financial.
Within a few hours, Light reaped $36 million in stolen cryptocurrency from more than 600 investors.
Light recognized the vulnerability of cryptocurrency accounts and was aided by an emergency call, possibly placed by Light himself or an accomplice, to Sioux Falls police that initiated a SWAT team action, prompting the evacuation of IRA Financial.
The following news report was compiled with information from documents detailing Light’s indictment for two federal crimes, Griffin’s civil class action lawsuit and court filings pitting IRA Financial and Gemini Trust against each other.
Light, who didn’t finish high school, lived with his mother in Lebanon, Indiana.
She never married Light’s father, who worked for a leaf-filter gutter service less than an hour away. She had suffered an injury, which eventually ended her work at an air conditioning company.
Light’s computers, valued at $10,000, were in his bedroom. From there, the cyberattack on IRA Financial, allegedly, wasn’t his first conquest. Ten months before, he deposited cryptocurrency into accounts in the names of his mother and cousin. The funds were taken in a cyber theft in April 2021, according to testimony by an FBI agent.
Light provided his mother with $140,000 over a two-year period, the agent testified.
Using search engines, Light looked up the process for buying a passport, citizenship requirements in other countries and which nations would not extradite to the United States people wanted on suspicion of crime.
By the time the FBI raided Light’s home in May 2023, he owned more than $70,000 worth of wrist watches, including a $12,000 Frank Muller “Encrypto” that doubled as a Bitcoin wallet.
Bitcoins — virtual currency used in electronic cash systems — were among Light’s objectives in February 2022. Bloomberg, citing an unnamed source, reported that his attack on IRA Financial reaped $21 million in Bitcoin and $15 million in Ether, a cryptocurrency based on Ethereum, another global platform.
By Feb. 8, Light had found a way to hack into IRA Financial’s system by entering one client’s account. That “master key” unlocked encrypted information and opened the way into other accounts, including Griffin’s.
Light’s targets were accounts with cryptocurrencies, such as Bitcoin. They could be moved with the click of a mouse into a new account formed by Light and his as-of-yet unnamed coconspirators.
Evan Frederick Light was smart enough to steal $36 million from the comfort of his Indiana bedroom. But he would be caught.
In May 2023, a federal indictment came out of Sioux Falls. He was charged with conspiracy to commit wire fraud and conspiracy to launder money. Both carry a maximum prison sentence of 20 years. He is to be sentenced Feb. 6.
At a bond hearing in Sioux Falls, Light’s father came to court to say he would monitor his son and get him a job if the court would grant release. Instead, Light was placed under the custody of the U.S. Marshals Service.
In September 2024, Light pleaded guilty to the two federal charges. His total theft worldwide, he acknowledged, was $37,704,560.
In the plea agreement, Light, now 21, admitted, “After acquiring control of the stolen cryptocurrency, these proceeds, in part, were funneled to various locations throughout the world, including multiple mixing services and gambling websites to conceal my identity and the identities of co-conspirator(s) and to hide the virtual currency.
“I knew then and know now that these proceeds were unlawfully obtained and were subsequently unlawfully laundered to conceal their source, control, ownership and location.”
SWAT DIVERSION
On Feb. 8, 2022, an emergency call came in to the police department in Sioux Falls. A robbery and kidnapping, the caller reported, were taking place at a local financial trust company.
The SWAT team responded. Employees were evacuated from the building.
No one remained at their desks, or at their computers.
As employees of IRA Financial Trust stood outside, Light was hacking into client accounts and transferring cryptocurrency from around the country into his own secret account.
No one has been arrested for the bogus call.
On March 3, IRA Financial told clients, “We suspect the hacker placed that call because by the time our employees returned to their desks, they immediately noticed funds being transferred. Unfortunately, based on how our account privileges were constructed, we did not have any ability or recourse to freeze the suspicious activity immediately upon discovery.”
IRA Financial offers what is known as self-directed retirement accounts that consumers access online or through an app. Clients can invest in an IRA, 401(k) plans, Health Savings Accounts, cryptocurrency and other plans.
Customers purchased Bitcoins through Gemini Trust Company, an exchange that provided “wallets” in which to store cryptocurrency.
Gemini, based in New York City, was started by Cameron and Tyler Winklevoss, the well-known twins who once accused Facebook founder Mark Zuckerberg of stealing their social media idea.
Following the breach, IRA Financial and Gemini sued each other. The litigation was resolved in an undisclosed settlement.
Concerning the cyberattack, Gemini would admit that many of the assets were “likely unrecoverable.”
One woman claimed she lost 374 Ether — like Bitcoin, a global cryptocurrency — valued at $1.2 million in the theft. She had to file for arbitration.
Griffin filed a federal class action lawsuit against the two firms. He had invested some of his retirement funds in two Bitcoins, then worth about $85,000.
Griffin’s lawsuit succinctly explained the battle between the two firms: “Both IRA Financial and Gemini are placing the blame on each other. … IRA Financial’s investigation is primarily focused on security controls that IRA Financial claims weren’t offered or available from Gemini. For its part, Gemini claims that its investigation found that the transactions it processed appeared to be ‘legitimate, authorized transactions.’ ” The lawsuit was dismissed by a judge, who said there was room for arbitration and that California was an improper venue. Griffin has not refiled the case.
Another lawsuit involved IRA Financial’s liability insurer; that case was also resolved out of court.
With civil lawsuits settled, the only criminal case so far involves Light.
“These convictions reflect the relentless efforts of the U.S. Attorney’s Office and the FBI in identifying a cybercriminal, holding him accountable, and prioritizing the victims of his crimes,” said U.S. Attorney Allison Ramsdell for the District of South Dakota in a statement.
“Although this defendant tried to hide in the shadows of a cyber underworld, he was not beyond the reach of our team.”