2FA compromise led to $34M Crypto.com hack

Crypto.com shared new details about a recent hack on its platform last weekend in a statement on its website today, saying 483 of its users were affected and that unauthorized withdrawals of over $15 million worth of ETH, $19 million worth of BTC and $66,200 in “other currencies” occurred. The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement.

The company’s post-mortem comes just one day after CEO Kris Marszalek acknowledged the breach in an interview with Bloomberg TV. His confirmation of the breach came after multiple Crypto.com users alleged their funds had been stolen — complaints that had until then been met with vague responses from the company, referring only to an “incident.” Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts.

Today’s statement said Crypto.com detected the suspicious activity on Monday where “transactions were being approved without the 2FA authentication control being inputted by the user.” The site suspended all withdrawals for 14 hours to investigate the issue. 

Crypto.com did not say how the attacker was able to approve transactions without triggering 2FA, which is mandatory for all users. When TechCrunch reached out for more details, the company declined to comment on the breach outside of the statement issued today.

The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized.

The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change.

Crypto.com also announced in its statement today that it will be introducing the Worldwide Account Protection Program (WAPP) in select markets” starting on February 1, a program that will restore funds up to $250,000 for “qualified users” in cases where an unauthorized withdrawal occurs. To qualify for the program, users must enable multi-factor authentication on all transaction types where it is available, set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a questionnaire to support a forensic investigation, and not be using a jailbroken device, according to the company.

While Crypto.com is the world’s fourth-largest crypto exchange, it has been pushing hard into U.S. markets in recent months, with stunts including viral advertisements featuring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena. It calls itself the “fastest-growing” crypto exchange and expanded its venture capital arm to $500 million to back early-stage startups in the space earlier this week. The fallout regarding this week’s breach and the company’s delayed response could threaten to stall some of its stateside growth.