Kris Marszalek, CEO of Crypto.com, confirmed on Bloomberg TV on Wednesday that 400 accounts were hacked earlier this week after several layers of the firm’s security were breached.
Crypto.com announced on Thursday that “4,836.26 ETH, 443.93 BTC, and about US$66,200 in other currencies” had been taken without permission from clients’ accounts. At current market value, the total loss is estimated to be roughly $33.8 million.
Several Crypto.com users have complained that their money has been taken as a result of a security vulnerability. The company’s past comments, however, have failed to allay fears.
According to the official statement, Crypto.com’s risk monitoring systems discovered “unauthorized activity on a small number of user accounts” on Jan. 17, 2022, around 12:46 AM UTC, where transactions were authorized without the user entering the 2FA authentication control.
As mentioned in the announcement, the exchange halted withdrawals, revoked all client 2FA tokens, and added further security hardening measures, which required every user to log in again and reactivate their 2FA token so that only approved actions would be enabled. The withdrawal infrastructure was unavailable for a total of 14 hours.
To prevent such an occurrence in the future, Crypto.com claims to have added an extra layer of safety, requiring a new whitelisted withdrawal address to be registered within 24 hours of the first withdrawal.
Users will be notified when withdrawal addresses have been added, giving them enough time to react and respond, according to the statement.
According to Bloomberg, Crypto.com CEO Kris Marszalek stated on Wednesday that the exchange had not received any communication from regulators regarding the incident. He added:
“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
Over $15 million in ETH has been stolen, according to PeckShield. Half of the funds had been sent to Tornado Cash “to be washed,” according to the blockchain security firm’s tweet on Monday.
According to another researcher, from blockchain data firm OXT Research, the heist could have cost the exchange $33 million in stolen funds.