In an interview with Bloomberg TV, Crypto.com's Chief Executive Kris Marszalek has admitted that 400 customer accounts were compromised by hackers. He said his team detected unauthorized transactions made from the accounts, but that they'd fixed the issue immediately and fully reimbursed the affected users. Now, the company has published a report revealing details from its post mortem. Apparently, 483 accounts were affected and the unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC and approximately $66,200 in other currencies. Based on current exchange rates, that's $15.3 million of ETH and $18.7 million of BTC for a total of $34 million in losses.
— Bloomberg Live (@BloombergLive) January 19, 2022
Before the company revealed the scope of the hack in terms of lost funds, blockchain security analytics company PeckShield Inc. said Crypto.com may have lost cryptocurrency worth $15 million. At least 4,600 of the coins lost were Ethereum, and half of them are reportedly being washed — a process that obfuscates a coin's transaction trail. Meanwhile, Bitcoin research firm OXT Research said the company's loss might be worth up to $33 million.
The report explained that the company's risk monitoring systems detected unauthorized activity a few days ago, wherein transactions were being approved without two-factor authentication for a small number of accounts. As a result, the cryptocurrency exchange paused withdrawals on the evening of January 16th. Indeed, people in the comments on its Twitter announcement revealed that they had funds stolen even if they had 2FA enabled.
In another tweet posted on January 17th, Marszalek said that "no customer funds were lost," that the company's infrastructure was down for 14 hours and that his team had strengthened its security in response to what happened. The report expounded on that last part, revealing that Crypto.com revoked all customer 2FA tokens and implemented additional security measures that required all account users to log in again. The company said the move was necessary because it had migrated to a completely new 2FA infrastructure. However, it intends to eventually move away from 2FA to true Multi-Factor Authentication (MFA).
Crypto.com has also introduced an additional security measure that requires users to wait 24 hours before they can withdraw to a newly registered whitelisted address. Finally, the company is launching the Worldwide Account Protection Program (WAPP) on February 1st for users who want additional protection for their funds.
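The two controls described above, detecting withdrawals that were approved without a completed 2FA step and holding withdrawals to an address whitelisted less than 24 hours ago, expressed as a small policy check. This is an added illustration, not Crypto.com's own code; the field names, decision labels and sample accounts and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hold period before a newly whitelisted address may receive withdrawals
# (assumed policy value, matching the 24-hour rule described in the article).
WHITELIST_HOLD = timedelta(hours=24)

@dataclass
class Withdrawal:
    account: str
    dest: str
    amount: float
    requested_at: datetime
    twofa_verified: bool  # True only if the 2FA challenge was actually completed

def evaluate(w: Withdrawal, whitelist: dict) -> str:
    """Policy decision for one withdrawal request.
    `whitelist` maps (account, dest) -> datetime the address was whitelisted."""
    if not w.twofa_verified:
        return "BLOCK_NO_2FA"
    added = whitelist.get((w.account, w.dest))
    if added is None:
        return "BLOCK_NOT_WHITELISTED"
    if w.requested_at - added < WHITELIST_HOLD:
        return "HOLD_NEW_ADDRESS"
    return "ALLOW"

def accounts_missing_2fa(events: list) -> list:
    """Monitoring pass over processed withdrawals: accounts where a
    withdrawal went through without a completed 2FA step."""
    return sorted({w.account for w in events if not w.twofa_verified})

# Constructed sample data (hypothetical accounts and addresses).
T0 = datetime(2022, 1, 16, 9, 0)
WHITELIST = {
    ("acct-1", "0xOLD"): T0 - timedelta(days=3),    # whitelisted long ago
    ("acct-2", "0xNEW"): T0 - timedelta(hours=2),   # whitelisted 2 h ago
}
EVENTS = [
    Withdrawal("acct-1", "0xOLD", 1.5, T0, True),
    Withdrawal("acct-2", "0xNEW", 4.0, T0, True),
    Withdrawal("acct-3", "0xANY", 2.0, T0, False),
    Withdrawal("acct-1", "0xUNKNOWN", 0.1, T0, True),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.account, e.dest, evaluate(e, WHITELIST))
    print("withdrawals without 2FA:", accounts_missing_2fa(EVENTS))
```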
WAPP can restore up to $250,000 of a participating user's money in case a third party gains access to their account. That said, to qualify for the program, users must enable multi-factor authentication on all transaction types and not be using a jailbroken device. To be able to recoup their funds under the program, they must have set up an anti-phishing code at least 21 days before an unauthorized transaction, file a police report and provide Crypto.com with a copy, as well as complete a questionnaire to support forensic investigation.