During a Thursday interview on Bloomberg TV, Crypto.com CEO Kris Marszalek confirmed suspicions, calling the Monday morning hack an instance of unauthorized activity.
Shortly after, Crypto.com published a blog post that said 400 user accounts were drained of 4,836 ETH and 443.93 BTC, as well as other currencies, bringing the confirmed total to above $34 million in theft.
“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,” Jason Lau, Chief Information Security Officer, said in the post. He linked to a two-month-old blog post that called Crypto.com, “The Most Secure Crypto Platform Worldwide.”
“While our goal is to prevent any security breaches, our industry-leading insurance policy and Worldwide Account Protection Programs offer our customers additional protections in rare instances when there is an incident.”
Still, users on Twitter, Reddit, and elsewhere complained that their accounts were not reimbursed or locked out.
The company and Marszalek labeled the hack as merely “an incident,” though they had to shut out their entire customer base the world over to stop hackers from draining funds out of accounts.
After a full review, they said Crypto.com would move toward a new Multi-Factor Authentication system beyond 2FA, without specifics.
Where did the money go?
PeckShield found evidence of $15 million moving from the site through a coin “washing” anonymous payments service called Tornado Cash.
Another company researching BTC, OXT, illustrated the $33M they estimated hackers pocketed on Tuesday.
In the end, Crypto.com CEO Marszalek said that regulators still have not reached out, with their usual concern over consumers.
Crypto.com has said it reimbursed anyone affected by the hack. The firm claims a theft insurance policy that covers up to $750M in theft and a partnership with a cold storage custodian LedgerVault.
Cash held on Crypto.com is actually in the hands of banking partner Metropolitan Commercial Bank, an FDIC-insured depository institution.
What happened Monday morning
With a message on Twitter and complaints of locked accounts, Crypto.com announced it was the first significant exchange hacked in 2022.
The announcement was released overnight just before midnight, as updates came in throughout the day.
The centralized Hong Kong exchange — known for its Matt Demon commercials and staking products — has 190 million active users, an unknown amount of which were locked out of trading as the hack was announced.
Some users pointed out the ironic nature of the misfortune: the same crypto.com that bought the rights to name the LA Staples Center for $700 million locked out customers to try to stop a leak of funds.
“Matt Damon rug Pulled,” one Twitter user, @FPSlebowski, wrote. The user appears to belong to the NeoTokyoCitdel NFT community, a group that prizes ownership and belonging in a futuristic, cyberpunk online world.
‘The Bourne (Stolen) Identity’
Hackers made off with the entire balance or large portions of user accounts.
To survey the damage, the site said in a Tweet that users would be locked out of withdrawing funds. Many Twitter Reddit and forum users also reported that two-factor authentication was down even after Crypto.com gave the all-clear around 1 pm EST. Some even sent screenshots that showed thousands of dollars in ETH were stolen.
“Earlier today, a small number of users experienced unauthorized activity in their accounts. All funds are safe. In an abundance of caution, security on all accounts is being enhanced, requiring users to sign back into their App & Exchange accounts; Reset their 2FA,” Crypto.com said in a post.
Even as Crypto.com CEO Kris Marszalek wrote that “all funds were safe” and that at 1:30 pm EST, “Withdrawals have been resumed,” while users still reported problems.
And Auld Lang Syne
The suspected hack has been one of many attacks in the crypto industry in the past months 12 months. On Oct 1, 2021, Coinbase announced that 6,000 users’ funds were swiped after hackers used a flaw in the SMS recovery texting process.
In August, PolyNetwork published an infamous ‘give the money back please‘ letter to the hacker that stole upwards of $600 million from the exchange. Bitmrt lost about $200 million at the end of the year in a single hack.
Immunefi.com, a crypto-security firm, found that in 2021 alone, $2.66 billion was lost through hacks. Other firms place that number higher at $4 billion or more.
$CRO, the exchange coin, is down -4.572% over the week, back up to around the same price before the news of the hack came out, at the time of writing Thur, 1/20.
