In a statement on its website today, Crypto.com provided additional information about a recent hack on its platform that occurred over the weekend, stating that 483 of its users were affected and that unauthorized withdrawals totaling over $15 million in ETH, $19 million in BTC, and $66,200 in “other currencies” occurred. Crypto.com also stated that 483 of its users were affected and that unauthorized withdrawals totaling over $15 million in ETH, $19 million in BTC, and $66,200 in ” The overall losses, which amount to more than $34 million at current cryptocurrency prices, are far more than what experts had expected before to Crypto.com’s announcement of its financial results.
One day after CEO Kris Marszalek admitted the compromise in an interview with Bloomberg TV, The New York Times published a post-mortem on the company’s security vulnerability. Multiple Crypto.com users had complained that their funds had been stolen, and the company had only given vague responses, referring to the incident as an “incident.” His confirmation of the breach came after multiple users claimed that their funds had been stolen. During the interview, Marszalek declined to provide specifics on how the incident happened however he did state that Crypto.com had compensated all of the accounts that had been affected.
“Transactions were being accepted without the 2FA authentication control being entered by the user,” according to the statement released today. Crypto.com discovered the suspicious behavior on Monday and reported it to the authorities. For 14 hours, the site halted all withdrawals as it investigated the problem.
Crypto.com could not explain how the attacker could accept transactions without activating two-factor authentication, which is required for all users by Crypto.com. When TechCrunch inquired for further information on the incident, the firm refused to provide any other information beyond the statement published today.
According to the company, it “revoked all customer 2FA tokens and implemented additional security hardening measures” before requesting that customers log back into the platform and re-enter their 2FA token credentials. Among the additional measures is a mandatory 24-hour delay between the registration of a new withdrawal address and the first withdrawal so that users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if a retreat appears to have been made without their permission.
Following the incident, the business undertook an internal investigation and enlisted third-party security companies to examine its platform, according to the company. It announced plans to move away from two-factor authentication and toward “true multi-factor authentication” to improve security, though it did not provide an estimated timeline for the transition.
As part of today’s announcement, Crypto.com also announced that it would be launching the Worldwide Account Protection Program (WAPP) in “select markets” beginning on February 1, a program that will restore funds up to $250,000 for “qualified users” in the event of an unauthorized withdrawal. A user must enable multi-factor authentication on all transaction types where it is available, create an anti-phishing code at least 21 days before the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a questionnaire to aid in forensic investigation, and not be operating on an unlocked or jailbroken device to qualify for the program, according to the company.
Even though Crypto.com is the fourth-largest cryptocurrency exchange in the world, the company has been aggressively expanding its presence in the United States in recent months, with stunts such as viral advertisements starring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers arenas. It bills itself as the “fastest-growing” cryptocurrency exchange. It recently increased the size of its venture capital arm to $500 million to support early-stage firms in the field. The consequences from this week’s hack, as well as the company’s tardy reaction, might have a chilling effect on the company’s expansion in the United States.