
Crypto.com confirms $34m hack caused by 2FA bypass exploit

The cryptocurrency exchange previously denied that any customers lost funds despite numerous reports from customers and analysts
Image: Rodnae Productions via Pexels

21 January 2022

Singapore-based cryptocurrency exchange Crypto.com has confirmed its two-factor authentication (2FA) was exploited by unauthorised individuals to drain $34 million from user accounts this week.

The exchange said 483 of its customers were involved in the hack that saw attackers bypass 2FA controls and make unauthorised withdrawals of 4,836.26 Ethereum tokens, worth around $14 million.

Bitcoin tokens worth around $17.3 million, and approximately $66,200 in other cryptocurrencies, were also stolen in the attack (prices are correct at the time of writing).

The details around the 2FA exploitation are currently unclear but Crypto.com has since “migrated to a completely new 2FA infrastructure” and revoked the 2FA tokens for all global users in order for this to be applied.

Crypto.com also implemented an additional layer of security involving a 24-hour delay between registering whitelisted withdrawal addresses and the first withdrawal to that address. It will allow users to screen these addresses as they’re registered via notifications sent to them by the exchange and “give them adequate time to react and respond,” the exchange said.
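The control described above is a time-locked withdrawal allow-list: a newly registered address is announced to the account holder immediately, but funds cannot be sent to it until a fixed delay has elapsed. The following is an added illustration written for this article, not Crypto.com's code; all names, the example addresses and the timeline are constructed. It also covers an edge case the text does not spell out: re-registering (or deleting and re-adding) an address must restart the clock, otherwise the delay can be shortcut.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical implementation of the 24-hour whitelist delay described in the
# article. Not the exchange's own code; names and values are constructed.
WHITELIST_DELAY = timedelta(hours=24)


@dataclass
class WhitelistEntry:
    address: str
    registered_at: datetime


@dataclass
class Account:
    user_id: str
    whitelist: Dict[str, WhitelistEntry] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def register_address(self, address: str, now: datetime) -> datetime:
        """Add (or re-add) a withdrawal address and notify the user.

        Re-registration overwrites the timestamp, so removing and re-adding an
        address never yields an earlier unlock time than a fresh registration.
        Returns the time at which withdrawals to the address become possible.
        """
        self.whitelist[address] = WhitelistEntry(address, now)
        unlock_at = now + WHITELIST_DELAY
        self.notifications.append(
            f"[{now.isoformat()}] new withdrawal address {address} registered; "
            f"withdrawals to it are blocked until {unlock_at.isoformat()}"
        )
        return unlock_at

    def remove_address(self, address: str) -> None:
        """Remove an address; a later re-registration starts a new delay."""
        self.whitelist.pop(address, None)

    def check_withdrawal(self, address: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether a withdrawal to `address` is allowed at time `now`."""
        entry = self.whitelist.get(address)
        if entry is None:
            return False, "address not on whitelist"
        unlock_at = entry.registered_at + WHITELIST_DELAY
        if now < unlock_at:
            remaining = unlock_at - now
            return False, f"address in cooldown; {remaining} remaining"
        return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Constructed timeline exercising the control; returns the decisions."""
    t0 = datetime(2022, 1, 17, 10, 0, tzinfo=timezone.utc)
    acct = Account(user_id="user-constructed")
    addr = "0xCONSTRUCTED-EXAMPLE-ADDRESS"
    acct.register_address(addr, t0)

    results = []
    # Attempt one hour after registration: blocked, user has been notified.
    results.append(("t+1h",) + acct.check_withdrawal(addr, t0 + timedelta(hours=1)))
    # Attempt to an address that was never registered: blocked.
    results.append(("unknown",) + acct.check_withdrawal("0xNOT-REGISTERED", t0))
    # Delete and re-add at t+20h: clock restarts, so t+25h is still blocked.
    acct.remove_address(addr)
    acct.register_address(addr, t0 + timedelta(hours=20))
    results.append(("re-add,t+25h",) + acct.check_withdrawal(addr, t0 + timedelta(hours=25)))
    # Full delay after the latest registration: allowed.
    results.append(("re-add,t+44h",) + acct.check_withdrawal(addr, t0 + timedelta(hours=44)))
    return results


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{label:>14}: {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

The check keys the delay off the most recent registration timestamp rather than a "first seen" date, which is the detail that makes the control hold up against an account takeover that edits the whitelist; the notification is what gives the legitimate owner the window to react.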

In addition to the 2FA overhaul, Crypto.com has engaged third-party security firms to examine the security of its new system, and plans eventually to transition to a multi-factor authentication (MFA) model.

The exchange has now introduced a worldwide Account Protection Program (APP), which will reimburse qualified users up to $250,000 in cases where unauthorised actors drain their accounts. To qualify, users must enable MFA on all transaction types, set up an anti-phishing code, not use jailbroken devices, file a police report, and complete a questionnaire to support a forensic investigation.

Crypto.com users first started reporting unauthorised withdrawals from their accounts on Monday, according to a Tweet from the exchange which assured that “all funds are safe”. The sentiment was echoed by the exchange’s CEO in a follow-up Tweet posted Tuesday, confirming that no customer funds were lost, that the infrastructure downtime was around 14 hours, and that the infrastructure had been “hardened” following the incident.

Meanwhile, blockchain security and data analytics company PeckShield tweeted that the exchange had lost $15 million and that stolen Ethereum was being “washed” using Tornado Cash, a cryptocurrency tumbling and mixer service – the equivalent of cryptocurrency money laundering.

After the official update was published on Thursday, affected customers were still reporting that they had not been reimbursed, and others said they were still unable to access their accounts.

What is Crypto.com?

The Singapore-based cryptocurrency exchange was founded in 2016, then known as ‘Monaco’ before being rebranded to Crypto.com in 2018. The company has sponsorship ties with a number of high-profile sports teams including Paris St-Germain, the Philadelphia 76ers, the Italian Serie A football league, Formula 1, and the Ultimate Fighting Championship (UFC).

It also bought the naming rights to the Staples Center arena in 2021, located in Los Angeles, for a reported $700 million with the rights lasting 20 years.

The company is a big proponent of Web3 and has been quick to capitalise on the recent popularity of non-fungible tokens (NFTs), adding a dedicated marketplace for the asset to its offering.

The company has 10 million users across 90 countries and employs 3,000 staff to run the business.

Future Publishing


TechCentral.ie