The CEO of Crypto.com has acknowledged a massive security breach and cryptocurrency heist. The incident occurred last Monday, when hackers gained access to 483 Crypto.com user accounts and performed a series of unauthorized withdrawals to walk away with over $30 million in various cryptocurrencies.
All told, the cybercriminals swiped 4,836.26 Ethereum (worth $13-$15 million), 443.93 Bitcoin ($16-$19 million), and $66,200 in other currencies. Crypto.com CEO Kris Marszalek stated that all of the victims of the attack have been reimbursed, but did not offer many details about how the heist was accomplished. That should only raise more concerns about the platform’s security, especially since the total amount stolen exceeded the estimates of industry analysts.
As for what did happen, Marszalek admitted that the hackers were somehow able to bypass Crypto.com’s two-factor authentication mandate, which requires a second form of authentication for anyone performing a withdrawal. Marszalek did not explain how the hackers were able to clear transactions without inputting that second factor, but did stress that the company had revoked all existing 2FA tokens in response to the incident. Account holders will need to set up a new 2FA token to regain access to their wallets.
Crypto.com halted all withdrawals for 14 hours in the immediate aftermath of the theft. The company is also rolling out a few new security measures to prevent another incident in the future. Most notably, account holders who change their withdrawal address will need to wait 24 hours before making another withdrawal, creating a window in which someone can respond if that change was not authorized.
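The 24-hour hold after a withdrawal-address change described above, as an added illustration of how such a control can be enforced (hypothetical policy logic written for this article, not Crypto.com's own code): withdrawals are refused until the hold has elapsed, and the change can be reverted inside that window by the account owner or support staff.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical cooldown policy (constructed example, not an exchange's real code).
COOLDOWN = timedelta(hours=24)


@dataclass
class Account:
    withdrawal_address: str
    address_changed_at: Optional[datetime] = None  # None = no hold in effect
    previous_address: Optional[str] = None         # kept so the change can be undone


def change_withdrawal_address(acct: Account, new_address: str, now: datetime) -> None:
    """Apply the change and start the 24-hour withdrawal hold."""
    acct.previous_address = acct.withdrawal_address
    acct.withdrawal_address = new_address
    acct.address_changed_at = now


def revert_address_change(acct: Account, now: datetime) -> bool:
    """Undo an unauthorized change; only possible while the hold is still active."""
    if acct.address_changed_at is None or now - acct.address_changed_at >= COOLDOWN:
        return False
    acct.withdrawal_address = acct.previous_address
    acct.previous_address = None
    acct.address_changed_at = None
    return True


def withdrawal_decision(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a withdrawal attempted at `now`."""
    if acct.address_changed_at is None:
        return True, "no address change on record"
    elapsed = now - acct.address_changed_at
    if elapsed < COOLDOWN:
        return False, f"address changed {elapsed} ago; {COOLDOWN - elapsed} of hold remaining"
    return True, "hold elapsed"


if __name__ == "__main__":
    # Constructed timeline: change at t0, attempts at t0+1h and t0+24h.
    t0 = datetime(2022, 1, 17, 12, 0, tzinfo=timezone.utc)
    acct = Account("addr-old")
    change_withdrawal_address(acct, "addr-new", t0)
    print(withdrawal_decision(acct, t0 + timedelta(hours=1)))
    print(withdrawal_decision(acct, t0 + COOLDOWN))
```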
In the meantime, Crypto.com is introducing a Worldwide Account Protection Program (WAPP) to help restore trust with customers. The WAPP will go live in select markets on February 1, and will allow eligible customers to get reimbursed for up to $250,000 in the case of another theft. Eligible customers will need to enable multi-factor authentication for all transactions, establish an anti-phishing code, and file a police report in the wake of the event. They also need to fill out a forensic questionnaire, and cannot be using a jailbroken device to access their account.
According to Marszalek, Crypto.com will eventually make MFA (rather than 2FA) the default security standard for the platform, though it is unclear when that transition will take place. In the meantime, the company has enlisted third-party security firms to investigate its security posture. Multiple cryptocurrency exchanges have implemented biometric onboarding and authentication in the past few years. Most notably, Emirex and Impily have partnered with iDenfy, while Simplex and Bitex recently partnered with Onfido.