The Crypto.com security breach saga gets clarity with an official statement from the Singapore-based crypto exchange following a halt on withdrawals after detecting “suspicious activities” in user accounts.
In a statement on Thursday, Crypto.com revealed that “4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies” had been taken from clients’ accounts without their permission. The overall loss is presently valued at around $33.8 million, per the current market value.
Following a security breach, several Crypto.com users have made complaints that their money had been stolen. However, the company’s previous responses had failed to quell concerns.
Following the 17th of Jan security incident, we are sharing our findings below, together with enhancements we’ve made to our security infrastructure and the introduction of the Worldwide Account Protection Program. https://t.co/6q86r0o59V pic.twitter.com/ER7DkBoX1Z
— Crypto.com (@cryptocom) January 20, 2022
On Monday, at around 12:46 am UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the two-factor authentication (2FA) control being entered by the user, according to the official document.
The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security-hardening measures that required everyone to relog in and reactivate their 2FA token before allowing only authorized action, as detailed in the statement. The withdrawal infrastructure was down for a total of 14 hours.
To safeguard against such an accident happening again, Crypto.com claims to have implemented an additional layer of protection in which a new whitelisted withdrawal address must be registered within 24 hours before the first withdrawal.
“Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond,” the statement reads.
On Wednesday, Kris Marszalek, CEO of Crypto.com, told Bloomberg that the exchange has not received any communication from regulators about the event. He went on to say:
“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
According to PeckShield, over $15 million worth of Ether (ETH) has been stolen. On Monday, the blockchain security firm tweeted that roughly half of the funds had been sent to Tornado Cash “to be washed.” Another analyst from blockchain data firm OXT Research stated that the heist may have cost the exchange $33 million in stolen assets.