Crypto.com Hack: $34M Lost Due to 2FA Compromise

January 20, 2022
Recent Hack Impacts Crypto.com Users

Crypto.com disclosed further specifics concerning a security breach that transpired on its platform last weekend. A statement released on the company’s website today indicates that 483 users were affected by the incident.

Unauthorized withdrawals totaling over $15 million in ETH, $19 million in BTC, and $66,200 in other cryptocurrencies were executed. The overall financial impact, exceeding $34 million based on current cryptocurrency valuations, surpasses initial analyst predictions.

Confirmation and Initial Response

This post-mortem analysis follows a day after CEO Kris Marszalek publicly acknowledged the breach during an interview with Bloomberg TV. His confirmation arrived following reports from numerous Crypto.com users claiming stolen funds.

Prior to Marszalek’s statement, the company responded to these complaints with ambiguous references to an “incident.” Details regarding the breach’s origin were not shared during the interview, although Marszalek confirmed full reimbursement for all affected accounts.

Details of the Security Incident

According to today’s statement, Crypto.com identified the suspicious activity on Monday. Transactions were being approved without the user entering the 2FA authentication control.

As a precautionary measure, all withdrawals were suspended for a period of 14 hours to facilitate a thorough investigation.

Security Measures and Investigation

Crypto.com has not yet explained how transactions were approved without the mandatory 2FA check. When contacted by TechCrunch for further clarification, the company declined to provide additional commentary beyond the published statement.

The company took steps to enhance security by revoking all existing customer 2FA tokens and implementing additional security hardening measures. Customers were then prompted to re-login and re-establish their 2FA tokens.

A new security feature imposes a mandatory 24-hour delay between the registration of a new withdrawal address and the initiation of the first withdrawal. This provides users with sufficient time to review and report any unauthorized activity to the Crypto.com team.
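The two controls described above (a 2FA check on every withdrawal, and the 24-hour hold on newly registered addresses) can be expressed as one server-side check. This is an added example, not Crypto.com's code: the record fields, reason strings and the five-minute 2FA freshness window are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ADDRESS_HOLD = timedelta(hours=24)     # delay described in the article
TWO_FA_MAX_AGE = timedelta(minutes=5)  # assumed freshness window for a 2FA check

@dataclass(frozen=True)
class Withdrawal:                      # hypothetical record layout
    wid: str
    user: str
    address: str
    approved_at: datetime
    two_fa_at: Optional[datetime]      # when 2FA was verified, None if never
    two_fa_for: Optional[str]          # withdrawal id the 2FA challenge covered

def violations(w, registered_at):
    """Return the reasons to block w; an empty list means it may proceed."""
    reasons = []
    since = registered_at.get((w.user, w.address))
    if since is None:
        reasons.append("address-not-registered")
    elif w.approved_at - since < ADDRESS_HOLD:
        reasons.append("address-in-24h-hold")
    if w.two_fa_at is None:
        reasons.append("no-2fa")
    else:
        if w.two_fa_for != w.wid:      # a check done for another action is not reusable
            reasons.append("2fa-not-bound-to-withdrawal")
        age = w.approved_at - w.two_fa_at
        if not timedelta(0) <= age <= TWO_FA_MAX_AGE:
            reasons.append("2fa-stale")
    return reasons

def audit(withdrawals, registered_at):
    return {w.wid: violations(w, registered_at) for w in withdrawals}

# Constructed sample data, not taken from the incident.
T0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
ADDRESSES = {("alice", "addr-old"): T0 - timedelta(days=3),
             ("alice", "addr-new"): T0 - timedelta(hours=2)}
OK_2FA = T0 - timedelta(minutes=1)
SAMPLE = [Withdrawal("w1", "alice", "addr-old", T0, OK_2FA, "w1"),
          Withdrawal("w2", "alice", "addr-new", T0, OK_2FA, "w2"),
          Withdrawal("w3", "alice", "addr-old", T0, None, None),
          Withdrawal("w4", "alice", "addr-old", T0, OK_2FA, "w1")]

if __name__ == "__main__":
    for wid, reasons in audit(SAMPLE, ADDRESSES).items():
        print(wid, "ALLOW" if not reasons else "BLOCK " + ",".join(reasons))
```

Run over stored approval records, the same function works as an after-the-fact audit: any approved withdrawal with a non-empty reason list was authorized outside the policy.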

Future Security Enhancements

Following the breach, an internal audit was conducted, and third-party security firms were engaged to assess the platform’s security. Crypto.com announced plans to move away from standard 2FA towards a “true multi-factor authentication” system.

However, a specific timeline for this transition has not yet been provided.

Worldwide Account Protection Program (WAPP)

Crypto.com also announced the launch of the Worldwide Account Protection Program (WAPP) in select markets, beginning February 1st. This program will reimburse funds up to $250,000 for “qualified users” in the event of unauthorized withdrawals.

To be eligible for WAPP, users must enable multi-factor authentication for all available transaction types, establish an anti-phishing code at least 21 days before reporting an unauthorized transaction, submit a police report to Crypto.com, complete a forensic investigation questionnaire, and refrain from using jailbroken devices.

Growth and Potential Repercussions

Crypto.com currently ranks as the world’s fourth-largest cryptocurrency exchange. The company has been actively expanding its presence in the U.S. market through high-profile marketing campaigns.

These initiatives include viral advertisements featuring actor Matt Damon and a $700 million investment in the naming rights for the Los Angeles Lakers and Clippers Arena. The company positions itself as the “fastest-growing” crypto exchange and recently increased its venture capital arm to $500 million to support early-stage startups.

The repercussions of this week’s breach and the company’s initial delayed response may hinder its growth trajectory within the U.S. market.