Suspicious withdrawals were indeed a ‘security incident,’ $30M stolen, Crypto.com says
Crypto.com has confirmed that more than $30 million in cryptocurrency was stolen from some of its users earlier in the week, ending several days of confusion over what exactly happened during what the company is labeling a “security incident.”
The hack affected the wallets of 483 users, with the thieves aiming for 4,836.26 in ether (about $15 million), 443.93 in bitcoin (roughly $18 million) and approximately “$66,200 in other currencies,” Crypto.com said in a report Thursday. All of those funds have been restored, the company said.
“No customers experienced a loss of funds,” the report said. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.”
Crypto.com did not specify who the crooks might be, or where the attack originated. But in describing the incident, it pointed to a now-remediated soft spot in its user authentication process. Risk monitoring systems had “detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user,” Crypto.com said.
The company says it has completely revamped its two-factor authentication (2FA) technology.
Crypto.com originally had said on Twitter that it had “a small number of users reporting suspicious activity on their accounts” and provided no further detail, stirring up speculation about what actually happened. The company’s profile has risen in recent months, as it secured naming rights to a Los Angeles arena and began airing commercials featuring actor Matt Damon.
The disclosure marks the continuation of a trend of costly cryptocurrency-based crime that netted $14 billion for scammers in 2021, according to a recent Chainalysis estimate.
Thursday’s report says the company “has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services.” Eventually, the current updated 2FA system will be replaced by “true Multi-Factor Authentication (MFA), providing added strength for our global user base.”
Crypto.com also said it would creating a Worldwide Account Protection Program (WAPP).
“WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission,” the company said. “WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.”