Tuesday, June 25, 2024

2FA compromise led to $34M Crypto Frim hack

Crypto.com shared new details about a recent hack on its platform last weekend in a statement on its website today, saying 483 of its users were affected and that unauthorized withdrawals of over $15 million worth of ETH, $19 million worth of BTC, and $66,200 in “other currencies” occurred. The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement.

The company’s post-mortem comes just one day after CEO Kris Marszalek acknowledged the breach in an interview with Bloomberg TV. His confirmation of the breach came after multiple Crypto.com users alleged their funds had been stolen — complaints that had until then been met with vague responses from the company, referring only to an “incident.” Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts.

Today’s statement said Crypto.com detected the suspicious activity on Monday where “transactions were being approved without the 2FA authentication control being inputted by the user.” The site suspended all withdrawals for 14 hours to investigate the issue. 

Crypto.com did not say how the attacker was able to approve transactions without triggering 2FA, which is mandatory for all users. 

The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized.

Recommended:  Cyberattacks on Ukrainian websites come into clearer focus as Russia tensions escalate

The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change.

Crypto.com also announced in its statement today that it will be introducing the Worldwide Account Protection Program (WAPP) in select markets” starting on Feb 1, a program that will restore funds up to $250,000 for “qualified users” in cases where an unauthorized withdrawal occurs. To qualify for the program, users must enable multi-factor authentication on all transaction types where it is available, set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a questionnaire to support a forensic investigation, and not be using a jailbroken device, according to the company.

While Crypto.com is the world’s fourth-largest crypto exchange, it has been pushing hard into U.S. markets in recent months, with stunts including viral advertisements featuring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena. It calls itself the “fastest-growing” crypto exchange and expanded its venture capital arm to $500 million to back early-stage startups in the space earlier this week. The fallout regarding this week’s breach and the company’s delayed response could threaten to stall some of its stateside growth.


Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

You may also enjoy reading, Red Cross hit by a Sophisticated Cyber Attack leading to Databreach

Recommended:  Americold Operations Downed by Cyber-Attack

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates