Fast-growing cryptocurrency exchange Crypto.com has admitted that over $34 million in cryptocurrency was stolen after unknown attackers successfully accessed user accounts.

In a blog post today, Crypto.com said that the hack affected 483 users. Unauthorized withdrawals totaled 4,836.26 Ethereum, 443.93 bitcoin and approximately $66,200 in other cryptocurrencies.

The attack started on Jan. 17 and involved unauthorized activity on a small number of user accounts, where transactions were being approved without users entering their two-factor authentication (2FA) codes. Crypto.com notes that the activity triggered an immediate response, with all withdrawals on the platform suspended for the duration of the investigation.

Any accounts found to have been impacted by the theft of funds have had their holdings immediately restored.

Crypto.com revoked all customer 2FA tokens and added further security hardening measures as a precaution. Those included requiring all customers to log in again and set up a new 2FA token to ensure only authorized activity would occur.

Additional security measures include a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and first withdrawal. Crypto.com users will receive notifications that a withdrawal address has been added, to give them time to react and respond.

The company also undertook a full audit of its entire infrastructure, with several improvements being implemented to harden its security posture further. As is typical when a hack has occurred, Crypto.com also hired third-party security firms to perform additional security checks.

Crypto.com didn’t stop there. The company has also introduced what they call the “Worldwide Account Protection Program” which offers additional protection and security for user funds held by Crypto.com. WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. WAPP restores funds up to $250,000 for qualified users.

The response by Crypto.com to the apparent hack is positive. It ticks every conceivable box and then some, such as with the WAPP program. That said, what’s still missing is the how. How were the funds stolen to begin with?

It’s one thing to proactively respond to a hack but without transparency on how it occurred, it could be suggested that Crypto.com is hiding something.

“Infamous bank robber Willie Sutton is frequently quoted as saying, ‘I rob banks because that’s where the money is,’” Neil Jones, cybersecurity evangelist at enterprise file synchronizing and sharing company Egnyte Inc., told SiliconANGLE. “In 2022, the technical environment has evolved to, ‘I rob cryptocurrency exchanges because that’s where the money is.’”

“I’m actually more surprised by the number of users who had their money pilfered, nearly 500 according to published reports, rather than the $30 million+ that was stolen,” Sutton noted.

Sutton said that the major lessons from this security breach include the importance of 2FA, the need for a current and road-tested incident response plan and the need for end-users to be notified promptly and accurately when cyberattacks take place to help protect brand reputation.

Image: Crypto.com
