The CEO of Crypto.com has confirmed that a major security breach and theft of cryptocurrency took place. The incident occurred last Monday, when attackers gained access to 483 Crypto.com user accounts and carried out a series of fraudulent withdrawals, making off with more than $30 million in various cryptocurrencies.
In total, the attackers took $46,200 in Ethereum ($13 to $15 million), 443.93 Bitcoin ($16 to $19 million) and other currencies. Kris Marszalek, CEO of Crypto.com, said that all victims of the attack have been compensated, but gave few details about how the theft was carried out. Notably, the total amount stolen exceeded industry analysts' estimates, raising concerns about the security of the platform.
As for what happened, Marszalek admitted that the attackers managed to bypass Crypto.com's two-factor authentication requirement, which demands a second form of authentication from every user making a withdrawal. Marszalek did not explain how the attackers could get a transaction approved without supplying that second factor, but in response to the incident he confirmed that the company has revoked all existing 2FA tokens. Account owners will need to set up a new 2FA token to regain access to their wallets.
Crypto.com suspended all withdrawals for 14 hours immediately after the theft. The company is also introducing new security measures to prevent further incidents. In particular, an account owner who changes their withdrawal address will have to wait 24 hours before making another withdrawal, creating a window in which someone can respond if the change was not authorized.
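The 24-hour hold described above is a simple control to model. The following is an added illustration, not Crypto.com's code: a withdrawal policy that records a destination-address change, emits an alert the account owner can act on, refuses withdrawals that lack a verified second factor, and refuses withdrawals to a changed address until the hold has elapsed. The account structure, function names and the sample timestamps are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The cooling-off period the article describes after a withdrawal-address change.
HOLD_AFTER_ADDRESS_CHANGE = timedelta(hours=24)


@dataclass
class Account:
    """Minimal account state for the example (hypothetical structure)."""
    account_id: str
    withdrawal_address: str
    address_changed_at: Optional[datetime] = None
    alerts: list = field(default_factory=list)


def change_withdrawal_address(acct: Account, new_address: str, now: datetime) -> None:
    """Record the change, start the hold and notify the owner so an unauthorised
    change can be reverted during the window."""
    acct.withdrawal_address = new_address
    acct.address_changed_at = now
    hold_ends = now + HOLD_AFTER_ADDRESS_CHANGE
    acct.alerts.append(
        f"{acct.account_id}: withdrawal address changed to {new_address}; "
        f"withdrawals held until {hold_ends.isoformat()}"
    )


def revert_withdrawal_address(acct: Account, previous_address: str) -> None:
    """Owner response during the window: restore the old address and clear the hold."""
    acct.withdrawal_address = previous_address
    acct.address_changed_at = None
    acct.alerts.append(f"{acct.account_id}: address change reverted to {previous_address}")


def evaluate_withdrawal(acct: Account, second_factor_verified: bool, now: datetime):
    """Return (allowed, reason). Both checks must pass: a verified second factor
    and no address change inside the hold period."""
    if not second_factor_verified:
        return (False, "second factor not verified")
    if acct.address_changed_at is not None:
        remaining = acct.address_changed_at + HOLD_AFTER_ADDRESS_CHANGE - now
        if remaining > timedelta(0):
            hours = int(remaining.total_seconds() // 3600)
            return (False, f"withdrawal address changed recently; hold ends in about {hours}h")
    return (True, "allowed")


def demo():
    """Walk through the control with constructed timestamps."""
    t0 = datetime(2022, 1, 17, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    acct = Account("acct-demo", "addr-original")
    change_withdrawal_address(acct, "addr-new", t0)
    return {
        "one_hour_later": evaluate_withdrawal(acct, True, t0 + timedelta(hours=1)),
        "no_second_factor": evaluate_withdrawal(acct, False, t0 + timedelta(hours=30)),
        "after_hold": evaluate_withdrawal(acct, True, t0 + timedelta(hours=25)),
        "alerts": list(acct.alerts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The alert emitted at change time is the part that makes the hold useful: without a notification the 24 hours simply delay the attacker, whereas with it the account owner has a chance to revert the change before any funds move.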
Meanwhile, Crypto.com has introduced a Worldwide Account Protection Program (WAPP) to help restore customer trust. WAPP will be available in select markets from February 1 and will allow eligible customers to recover up to $250,000 in the event of another theft. To be eligible, customers must enable multi-factor authentication for all transactions, set up an anti-phishing code, and report the incident to the police. They must also complete a forensic questionnaire, and accounts accessed from a jailbroken device are not covered.
According to Marszalek, Crypto.com will eventually make MFA (rather than 2FA) the platform's default security standard, though it is unclear when that transition will happen. In the meantime, the company has engaged an outside security firm to review its security systems. Several cryptocurrency exchanges have adopted biometric onboarding and authentication in the past few years: Emirex and Impily have partnered with iDenfy, and Simplex and Bitex have recently partnered with Onfido.
Source: TechCrunch, Wired