A formal statement from the Singapore-based crypto exchange, announcing a block on withdrawals after it discovered “strange actions” in user accounts, brings clarity to the Crypto.com security breach.
Crypto.com announced on Thursday that “4,836.26 ETH, 443.93 BTC, and about US$66,200 in other currencies” had been taken without permission from clients’ accounts. At current market value, the total loss is estimated to be roughly $33.8 million.
Several Crypto.com users have complained that their money has been taken as a result of a security vulnerability. The company’s past comments, however, have failed to allay fears.
According to the official statement, Crypto.com’s risk monitoring systems discovered “unauthorized activity on a small number of user accounts” on Jan. 17, 2022, around 12:46 AM UTC, where transactions were authorized without the user entering the 2FA authentication control.
According to the announcement, the exchange halted withdrawals, revoked all client 2FA tokens, and added further security hardening measures that required every user to log in again and reactivate their 2FA token, to ensure that only approved actions were enabled. The withdrawal infrastructure was unavailable for a total of 14 hours.
To prevent such an occurrence in the future, Crypto.com claims to have added an extra layer of safety, requiring a new whitelisted withdrawal address to be registered within 24 hours of the first withdrawal.
“Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond,” the statement reads.
According to Bloomberg, Crypto.com CEO Kris Marszalek stated on Wednesday that the exchange has not received any communication from regulators regarding the incident. He went on to remark:
“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
Over $15 million in ETH has been stolen, according to PeckShield. Half of the funds had been sent to Tornado Cash “to be cleansed,” according to the blockchain security firm’s tweet on Monday. The heist could have cost the exchange $33 million in stolen funds, according to another researcher from blockchain data firm OXT Research.