
Crypto.com confirms $34 million hack caused by 2FA bypass exploit

The cryptocurrency exchange previously denied that any customers lost funds despite numerous reports from customers and analysts

Singapore-based cryptocurrency exchange Crypto.com has confirmed its two-factor authentication (2FA) was exploited by unauthorised individuals to drain $34 million (around £25 million) from user accounts this week.

The exchange said 483 of its customers were involved in the hack that saw attackers bypass 2FA controls and make unauthorised withdrawals of 4,836.26 Ethereum tokens, worth around $14 million or £10.3 million.


Bitcoin tokens worth around $17.3 million or £12.75 million, and approximately $66,200 (£48,786) in other cryptocurrencies, were also stolen in the attack. Prices are correct at the time of writing.

The details of how the 2FA was exploited are currently unclear, but Crypto.com has since "migrated to a completely new 2FA infrastructure" and revoked the 2FA tokens of all users worldwide so that the change takes effect everywhere.

Crypto.com also implemented an additional layer of security: a 24-hour delay between registering a whitelisted withdrawal address and the first withdrawal to that address. This will allow users to screen addresses as they are registered, via notifications sent to them by the exchange, and "give them adequate time to react and respond," the exchange said.
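The cooling-off control described above, written out as an added example rather than Crypto.com's own code: a newly whitelisted address triggers a notification to the account holder and cannot receive a withdrawal until 24 hours have passed, which gives the user a window to remove an address they did not register. The account model, the in-memory whitelist, the timestamps and the address strings are all constructed for illustration.

```python
"""Added example (not Crypto.com's code): a withdrawal policy that enforces a
24-hour cooling-off period on newly whitelisted withdrawal addresses and
notifies the user at registration time. All names and data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

COOLDOWN = timedelta(hours=24)  # delay between whitelisting and first withdrawal


@dataclass
class Account:
    user_id: str
    whitelist: Dict[str, datetime] = field(default_factory=dict)  # address -> registered at (UTC)
    notifications: List[str] = field(default_factory=list)        # messages sent to the user


def register_address(acct: Account, address: str, now: datetime) -> bool:
    """Whitelist an address and notify the user so they can spot a registration
    they did not make while the cooldown is still running. Returns False if the
    address was already present (the original timestamp is kept, so re-adding
    an address cannot shorten its cooldown)."""
    if address in acct.whitelist:
        return False
    acct.whitelist[address] = now
    ready_at = now + COOLDOWN
    acct.notifications.append(
        f"New withdrawal address {address} registered at {now.isoformat()}; "
        f"withdrawals to it are possible from {ready_at.isoformat()}. "
        "If this was not you, remove it now."
    )
    return True


def remove_address(acct: Account, address: str) -> bool:
    """Let the user (or support staff) pull an address before the window closes."""
    return acct.whitelist.pop(address, None) is not None


def check_withdrawal(acct: Account, address: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown addresses and addresses still inside
    the cooldown window are denied; the 2FA check would sit alongside this."""
    registered_at = acct.whitelist.get(address)
    if registered_at is None:
        return False, "denied: address not whitelisted"
    remaining = registered_at + COOLDOWN - now
    if remaining > timedelta(0):
        return False, f"denied: cooldown ends in {remaining.total_seconds() / 3600:.1f} h"
    return True, "allowed"


def run_scenario() -> Dict[str, object]:
    """Walk through the control with constructed timestamps; returns each decision."""
    t0 = datetime(2022, 1, 17, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    results: Dict[str, object] = {}

    # Account 1: an address the user did not register appears on their whitelist.
    acct = Account("user-123")
    register_address(acct, "0xnew-unknown-address", t0)
    results["unknown_address"] = check_withdrawal(acct, "0xsomewhere-else", t0)[0]
    results["one_hour_after"] = check_withdrawal(acct, "0xnew-unknown-address", t0 + timedelta(hours=1))[0]
    results["just_under_24h"] = check_withdrawal(
        acct, "0xnew-unknown-address", t0 + timedelta(hours=23, minutes=59))[0]
    # The user acts on the notification and removes the address before the window closes.
    remove_address(acct, "0xnew-unknown-address")
    results["removed_then_24h"] = check_withdrawal(acct, "0xnew-unknown-address", t0 + COOLDOWN)[0]

    # Account 2: a legitimate address, left in place, becomes usable after 24 hours.
    acct2 = Account("user-456")
    register_address(acct2, "0xmy-own-wallet", t0)
    results["legit_after_24h"] = check_withdrawal(acct2, "0xmy-own-wallet", t0 + COOLDOWN)[0]

    results["notifications_sent"] = len(acct.notifications) + len(acct2.notifications)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The control only helps if the notification channel is one the attacker does not also hold, so in practice the registration alert should go out over every enrolled channel (e-mail and push), and removing an address should not itself require the factor that was just bypassed.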

In addition to the 2FA overhaul, Crypto.com has engaged third-party security firms to examine the security of its new system, and plans to eventually transition to a multi-factor authentication (MFA) model.

"We don't have the details on how the Crypto.com hack evolved, but it appears that the policy controlling 2FA was exploited in some way, deactivating it for certain users," said Robert Byrne, field strategist at One Identity, speaking to IT Pro.

"There are various ways hacking may be able to circumvent 2FA services, but the most likely explanation here is that they compromised and exploited a privileged user account - the hackers then use that account to deactivate the 2FA policy for some users and, having compromised those accounts, they can then log in and steal the funds.

"The 2FA service here is likely offered by a third-party service, so that supplier's infrastructure may well have been one of the targets of the attack," Byrne added. "Of course, it is possible there was an honest administrative error in security configuration that was detected by the thieves, who then rushed in to exploit it before it was remediated. Sadly, misconfigurations are not uncommon due to the pressure on security staff and the lack of sanity checks and surveillance of configuration settings."
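Byrne's closing point, that misconfigurations go unnoticed for lack of "sanity checks and surveillance of configuration settings", is the kind of thing a simple recurring audit can catch. The following is an added example, not code from Crypto.com, One Identity or IT Pro: it compares a live export of per-account 2FA status against an approved baseline, and uses constructed audit-log lines in an assumed format to attribute each disabled account to the actor that disabled it (or to flag that no record exists at all).

```python
"""Added example (not the exchange's or One Identity's code): a 2FA policy drift
audit. The baseline, the live export, the log line format and the user and
actor names are all constructed for illustration."""
import re
from typing import Dict, List, Optional

# Constructed data: the approved baseline requires 2FA on every account; the
# live export shows three accounts where it is currently off.
BASELINE_2FA = {"alice": True, "bob": True, "carol": True, "dave": True}
LIVE_2FA = {"alice": True, "bob": False, "carol": False, "dave": False}

# Constructed audit-log lines in an assumed "key=value" format.
AUDIT_LOG = """
2022-01-17T02:58:10Z actor=alice action=login.success target=alice
2022-01-17T03:12:44Z actor=ops-admin action=2fa.disable target=bob
2022-01-17T03:12:51Z actor=ops-admin action=2fa.disable target=carol
2022-01-17T03:13:02Z actor=bob action=withdraw.request target=bob
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def find_drift(baseline: Dict[str, bool], live: Dict[str, bool]) -> List[str]:
    """Accounts where the baseline requires 2FA but the live state has it off
    (an account missing from the export is treated as off, not as fine)."""
    return sorted(u for u, required in baseline.items() if required and not live.get(u, False))


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse audit lines; malformed lines are skipped rather than trusted."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def attribute_disables(drift: List[str], events: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each drifted account to the last actor recorded disabling its 2FA,
    or None when the log holds no such record."""
    who: Dict[str, Optional[str]] = {u: None for u in drift}
    for e in events:
        if e["action"] == "2fa.disable" and e["target"] in who:
            who[e["target"]] = e["actor"]
    return who


def audit(baseline: Dict[str, bool], live: Dict[str, bool], lines: List[str]) -> List[str]:
    """Produce findings: silent drift first, then disables grouped by actor so a
    single privileged account switching off 2FA in bulk stands out."""
    findings: List[str] = []
    who = attribute_disables(find_drift(baseline, live), parse_log(lines))
    by_actor: Dict[str, List[str]] = {}
    for user, actor in who.items():
        if actor is None:
            findings.append(f"{user}: 2FA off with no audit record (config drift or log gap)")
        else:
            by_actor.setdefault(actor, []).append(user)
    for actor, users in by_actor.items():
        findings.append(f"{actor} disabled 2FA for {len(users)} account(s): {', '.join(sorted(users))}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_2FA, LIVE_2FA, AUDIT_LOG):
        print(finding)
```

Run on a schedule against a baseline that changes only through a reviewed process, this turns "2FA was switched off for some users" from something discovered after withdrawals into an alert raised at the policy change itself; the grouping by actor is what makes a bulk disable from one privileged account visible.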

The exchange has now introduced a worldwide Account Protection Program (APP), which will reimburse qualified users up to $250,000 in cases where unauthorised actors drain their accounts. To qualify, users must enable MFA on all transaction types, set up an anti-phishing code, not use jailbroken devices, file a police report, and complete a questionnaire to support a forensic investigation.

The wider story

Crypto.com users first started reporting unauthorised withdrawals from their accounts on Monday, according to a tweet from the exchange, which assured users that "all funds are safe". The sentiment was echoed by the exchange's CEO in a follow-up tweet posted on Tuesday, confirming that no customer funds were lost, that the infrastructure downtime was around 14 hours, and that the infrastructure had been "hardened" following the incident.

Meanwhile, blockchain security and data analytics company PeckShield tweeted that the exchange had lost $15 million (£11 million) and that the stolen Ethereum was being "washed" using Tornado Cash, a cryptocurrency tumbling and mixing service, the equivalent of money laundering for cryptocurrency.

After the official update was published on Thursday, affected customers were still reporting that they had not been reimbursed, and others said they were still unable to access their accounts.

What is Crypto.com?

The Singapore-based cryptocurrency exchange was founded in 2016, then known as 'Monaco' before being rebranded to Crypto.com in 2018. The company has sponsorship ties with a number of high-profile sports teams including Paris St-Germain, the Philadelphia 76ers, the Italian Serie A football league, Formula 1, and the Ultimate Fighting Championship (UFC).

It also bought the naming rights to the Staples Center arena in Los Angeles in 2021, for a reported $700 million (£516.3 million), with the rights lasting 20 years.

The company is a big proponent of Web3 and has been quick to capitalise on the recent popularity of non-fungible tokens (NFTs), adding a dedicated marketplace for the asset to its offering.

The company has 10 million users across 90 countries and employs 3,000 staff to run the business.
