Crypto.com, one of the largest cryptocurrency exchanges in the world, confirmed that its users got hacked and that the hackers withdrew more than $30 million in cryptocurrency from the wallets of 483 users. The admission comes after the company initially downplayed the hack, calling it “an incident.”
The exchange announced on Thursday that hackers stole 4,836.26 ETH (around $15 million), 443.93 BTC (around $18 million) and approximately $66,200 in other currencies. But it added that “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” so in the end, according to the company, “No customers experienced a loss of funds.”
The Thursday admission is a far cry from Crypto.com's communications earlier in the week. Initially, the exchange's CEO would only refer to the hacking campaign as an "incident" and said that "no customer funds were lost." Crypto.com's official Twitter account claimed that "all funds are safe." Initial estimates also pegged the heist at $15 million, making the final amount double what was feared.
The company detected the hack on Monday, when hackers started transactions without entering the two-factor authentication (2FA) codes of the targeted users. That’s when Crypto.com suspended withdrawals, revoked the 2FA tokens, and forced all customers to log in again and set up their 2FA tokens anew, according to the press release.
“2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup and use 2FA in order to withdraw,” the press release read.
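The two controls described in the press release, a global revocation of existing 2FA enrollments and a backend that refuses withdrawals unless a fresh 2FA code is verified server-side, can be illustrated with a small model. The following is an added example written for this article; it is not Crypto.com's code and says nothing about how their systems are built. It assumes a TOTP (RFC 6238) second factor, an in-memory account store, and a hypothetical `WithdrawalService` whose `withdraw` method is the only path that moves funds, so a client claiming "2FA already done" has no effect.

```python
"""Added example: server-side 2FA enforcement with a global revocation epoch.

Constructed for illustration; all names, data and timings are made up.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a given unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Enrollment:
    secret: bytes
    enrolled_at: int  # unix time the user registered this authenticator


@dataclass
class Account:
    user_id: str
    balance: int  # smallest unit of some asset, e.g. satoshi
    twofa: Optional[Enrollment] = None


class WithdrawalService:
    """Hypothetical backend: the only place a withdrawal is authorised."""

    def __init__(self) -> None:
        # Any enrollment created before this instant is void; users must re-enroll.
        self.revocation_epoch = 0
        self.accounts: Dict[str, Account] = {}

    def revoke_all_2fa(self, now: int) -> None:
        """Global revocation, as described in the press release: one write, no per-user loop."""
        self.revocation_epoch = now

    def enroll_2fa(self, user_id: str, now: int) -> bytes:
        """Issue a fresh authenticator secret (shown to the user once via QR/base32)."""
        secret = secrets.token_bytes(20)
        self.accounts[user_id].twofa = Enrollment(secret=secret, enrolled_at=now)
        return secret

    def withdraw(self, user_id: str, amount: int, code: Optional[str], now: int) -> str:
        """Backend policy check. The client is never trusted to say 2FA happened;
        the code itself must verify here, against the current, non-revoked secret."""
        acct = self.accounts[user_id]
        enr = acct.twofa
        if enr is None:
            return "denied: 2fa_not_enrolled"
        if enr.enrolled_at < self.revocation_epoch:
            return "denied: 2fa_revoked"          # forces re-enrollment after revocation
        if code is None:
            return "denied: 2fa_required"         # a request that simply omits 2FA is refused
        # Accept the current step and one step either side for clock skew; constant-time compare.
        valid = any(
            hmac.compare_digest(code, totp(enr.secret, now + drift)) for drift in (-30, 0, 30)
        )
        if not valid:
            return "denied: 2fa_invalid"
        if amount > acct.balance:
            return "denied: insufficient_funds"
        acct.balance -= amount
        return "ok"


if __name__ == "__main__":
    svc = WithdrawalService()
    svc.accounts["alice"] = Account("alice", balance=100)
    secret = svc.enroll_2fa("alice", now=1_000)
    print(svc.withdraw("alice", 10, None, now=1_000))               # denied: 2fa_required
    print(svc.withdraw("alice", 10, totp(secret, 1_000), now=1_000))  # ok
    svc.revoke_all_2fa(now=2_000)
    print(svc.withdraw("alice", 10, totp(secret, 2_000), now=2_000))  # denied: 2fa_revoked
```

The point of the epoch counter is that revocation is a single atomic write rather than a per-user sweep, so there is no window in which some accounts still accept old authenticators; the point of the `code is None` branch is that a withdrawal request which never presents a second factor is rejected by the backend regardless of what the frontend did.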
Crypto.com also said that a “Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture,” without specifying the details of these improvements. The company also said it has engaged with “third-party security firms” to audit its systems, and has also hired “additional threat intelligence services.”
Finally, the company also announced a new program called “Worldwide Account Protection Program (WAPP),” which is designed to protect user funds in case a hacker gets access to users’ accounts. In practice, “for qualified users,” Crypto.com will refund up to $250,000, a far cry from the multi-million dollar hacks that are happening almost every week in the world of cryptocurrency.
To qualify for the program, users have to enable multi-factor authentication on all transaction types, set up an “anti-phishing code,” not use jailbroken devices, file a police report, and complete a questionnaire to help the company with the forensic investigation.
A Crypto.com spokesperson referred to the press release when Motherboard reached out for comment.