Crypto.com Confirms $34M Hack Without Explaining Cause
The exchange says it will implement a new account protection program going forward.
- Crypto.com has confirmed that it lost $34.4 million to hackers Monday.
- However, the exchange has not explained how attackers were able to access its users' accounts and bypass two-factor authentication.
- In response, Crypto.com has introduced additional security for withdrawals, and launched a new Worldwide Account Protection Program.
Crypto.com has confirmed it was hacked for $34 million Monday but has yet to explain how an attacker was able to bypass accounts’ two-factor authentication to steal the funds.
Crypto.com Confirms Hack
Crypto.com was hacked but hasn’t revealed how it happened.
In a Thursday blog post, the leading crypto exchange addressed reports that it was hacked, confirming that an attacker drained 4,836.26 ETH, 443.93 BTC, and approximately $66,200 of other currencies from its users’ accounts. The stolen funds total approximately $34.4 million at press time.
The blog post explained that on Monday, Jan. 17, at approximately 00:46 UTC, the exchange’s risk monitoring systems detected unauthorized activity on a small number of user accounts.
According to the announcement, an attacker found a way to approve transactions without account holders entering the two-factor authentication control. This resulted in 483 Crypto.com users losing funds from their accounts. The exchange reaffirmed comments made by the firm’s CEO, Kris Marszalek, that any accounts found to be impacted were fully restored, resulting in no loss of funds for users.
While Crypto.com has confirmed the reports of a hack from several analysts and blockchain security firms, the exchange did not explain how the hacker gained access to users’ accounts and bypassed their two-factor authentication.
In response to the incident, Crypto.com has added a further layer of security to withdrawals. Users will now need to wait 24 hours after registering a new withdrawal address before transferring funds to it. “Users will receive notifications that withdrawal addresses have been added to give them adequate time to react and respond,” the blog post reads. The exchange also says it has engaged with third-party security firms to perform additional security checks.
In the same post, Crypto.com also announced the introduction of its new Worldwide Account Protection Program. The program promises to restore funds up to $250,000 for qualified users in the event of fraud or theft. To qualify, users must meet a series of criteria, such as having two-factor authentication enabled on all transactions and filing a report with local police.
The undisclosed security breach that led to the Crypto.com hack comes less than three months after the exchange completed a Service Organization Control 2 (SOC 2) audit. The audit was conducted by consulting firm Deloitte and affirmed that Crypto.com’s information security practices, policies, procedures, and operations meet SOC 2 standards.
Disclosure: At the time of writing this feature, the author owned ETH and several other cryptocurrencies.