Kris Marszalek, CEO at Crypto.com (reportedly the world’s third-largest cryptocurrency trading platform), has confirmed that a multi-million dollar cyberattack compromised 483 of its customer accounts.
Although, he also stresses that customer funds are not at risk. Why is that exactly?
Researchers had previously estimated the impact of hack to be $34.65 million worth of cash, Bitcoin, and Ethereum. But, Marszalek stressed in the interview that, “these numbers aren’t particularly material and customer funds were never at risk.”
Crypto.com Hacked – What Happened?
The company first detected the incident through its monitoring systems on January 17th, after some users had unauthorized crypto withdrawals on their accounts.
Crypto.com jumped in right away to suspend withdrawals of all tokens for approximately 14 hours (resuming transactions on January 17th, 5:46 PM UTC) and initiated an investigation to address the real source of this issue.
At least that’s what they reported.
They also revoked the two-factor authentication (2FA) tokens off the platform to make them log back into the app and set up new 2FA tokens.
Unfortunately, this isn’t the first time that crypto.com has suffered a technical issue.
Something similar happened back in May of 2021 when a reported technical glitch led to duplicate purchases, with customers inadvertently spending two or three times the intended amount on cryptocurrency purchases. The worst part? No refunds were issued.
Can this continue happening? Or…
Is Crypto.com Secure Now?
According to the company, the affected accounts have been restored and an additional layer of security was also announced after executing a full, internal audit of its infrastructure.
They brought in third-party security firms to perform additional security checks on its platform.
Last but not least, they introduced a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and first withdrawal. Meaning, there will be a time in between notifications of withdrawal addresses having been added, to give users enough time “to react and respond.”
These notifications will include contact instructions of the exchange in the case an unauthorized address is whitelisted.
It seems like their main objective is to release additional end-user security features (like MFA = multifactor authentication and the WAPP = Worldwide Account Protection Program) as it moves away from 2FA.
The first mentioned is designed to protect users’ funds, while the second one aims to restore funds up to USD $250,000. But for that to happen, you’ll have to be a “qualified user” which is the same as:
- Enable MFA on all transaction types where it’s available,
- Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,
- Keep off of jailbroken devices,
- file a police report and provide a copy of it to Crypto.com,
- Complete a questionnaire to support a forensic investigation.
Is this a good ending, right?
It definitely is a great step for Crypto.com. Let’s hope for investors that this is not an end” of any means.
But what’s not too good, is that 2FA (two-factor authentication) measures have been penetrated with such.
So, which other security barriers your business protects under can be broken as well?
Let’s talk and find out. Maybe you’re not risking millions of crypto but there’s still a lot of value in your personal and business assets – and hackers/bad actors know that.