Cybercriminals broke into Crypto.com’s security system last week and stole over $30 million in bitcoin and Ethereum.
How did the attack happen?
In a statement on its corporate blog posted Thursday, Singapore-based crypto exchange Crypto.com reported that hackers managed to bypass its Multi-Factor Authentication (MFA) system and withdraw funds from 483 customer accounts, which had been compromised since July. The company is known for its viral commercial featuring Matt Damon, which recently renamed the Staples Center as Crypto.com Arena. They also stated that almost US$66,200 in other currencies was also taken in unauthorized withdrawals.
Based on current exchange rates, that is approximately $15 million in Ethereum and $19 million in bitcoin, respectively. Crypto.com has fully reimbursed all customers who lost funds in the hack. There is information about the cyber breach and the company’s response to it, as well as its next steps, but there is no information on who was behind it. It is widely viewed as belated confirmation that Crypto.com released a statement three full days after the hack.
The Ethereum Mixer Tornado Cash is reportedly being used to launder about 4,600 Ethereum that was allegedly stolen from Crypto.com, said an article from CoinDesk on Wednesday. The Crypto.com CEO acknowledged 400 customer accounts were compromised in a Bloomberg interview on Wednesday. The CEO told Bloomberg that despite the size of the business, these numbers are not particularly material and there was no risk to customer funds.
Users reporting suspicious activities on their accounts
In a tweet posted on January 16, the company announced that withdrawals were temporarily suspended following reports of “suspicious activity” on accounts. As part of the investigation, the company has decided to halt withdrawals for the moment. All funds are safe.
Los Angeles jeweler Ben Baller, for instance, was notified hours ago that 4.28ETH had been stolen from his account, and wondered how they got past two-factor authentication, despite the company’s claim that “All funds are safe.”
Cybersecurity issue: accounts takeover vulnerability due to insecure 2fa
Two Factor Authentication (2FA) is a multistep authentication process that requires users to provide two distinct forms of authentication, i.e. a one-time password and a one-time passcode, with each login attempt. Two-factor authentication, or 2FA, provides an extra layer of security against weak passwords, like a surname followed by the numbers 123. Although used by many industries, it is essential for digital currency accounts.
The breach on Monday hinders the effectiveness of 2FA in preventing hackers from gaining access to digital assets. Currently, Crypto.com is still sticking with 2FA, but this may change soon. The company reportedly “revoked all customer 2FA tokens” after discovering the breach and attempted a “revamp” during the 14-hour downtime from withdrawal activity.
The 2FA infrastructure was then completely updated, which added an additional layer of security. The company plans to ditch 2FA for “true Multi-Factor Authentication (MFA) shortly, which offers additional security for our global customer base.” Despite news of Crypto.com’s security breach, their shares plunged more than 6% Thursday, closing at 46 cents a share.
In response to the hack, the exchange has migrated its two-factor authentication system to a new architecture and revoked all existing tokens, requiring customers to migrate to the new system. Crypto.com is the latest in a string of attacks against cryptocurrency exchanges in the steadily growing cryptocurrency ecosystem. An analysis by NBC News revealed that there were more than 20 exchange hacks in 2021 that netted hackers more than $10 million in profit and that there were six cases where hackers stole more than $100 million from exchanges. Like crypto.com, every company is susceptible to a cyber-attack. Surenomics can be your resource for risk mitigation solutions through your organization's optimal blend of people, processes, and technologies. Reach out for more information.