Crypto.com Confirms Breach, Nearly $34 Million in Losses
Loss of Ethereum, Bitcoin, Other Tokens, Since Reimbursed
Singaporean cryptocurrency exchange Crypto.com confirmed on Thursday that its platform fell victim to a multimillion-dollar cyberattack. In a postmortem entry on its website, Crypto.com confirms that unauthorized withdrawals targeted the Ethereum and Bitcoin of 483 users. Associated losses were near $34 million, which the company says has been reimbursed.
Although suspicious activity was first detected on Monday and withdrawals were halted for some 14 hours, the company had vaguely reassured customers that their funds were not at risk. Crypto.com CEO Kris Marszalek later confirmed - during an interview with Bloomberg Live on Wednesday - that "unauthorized withdrawals" had taken place. He confirmed the funds had been reimbursed and did not share technical details.
But in the incident analysis posted to its site on Thursday, the platform said it had "initiated an investigation and worked around the clock to address the issue." Crypto.com, the fourth-largest exchange in the world, according to CoinGecko, confirmed that illicit withdrawals totaled 4,836.23 Ethereum, 443.93 Bitcoin and approximately $66,200 in other currencies. The current value of those tokens amounts to $33,812,346.
Incident in Review
In its analysis, Crypto.com says its risk monitoring systems detected unauthorized activity on the accounts after midnight, UTC, on Jan. 17. Transactions, the company confirms, were approved "without the two-factor authentication control being inputted by the user."
Withdrawals were subsequently suspended, and any accounts found to be affected were "fully restored." The report states that Crypto.com "revoked all customer 2FA tokens and added additional security-hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur."
The platform says it has "revamped and migrated to a completely new 2FA infrastructure." It also says it will move away from 2FA and embrace "true multifactor authentication" to provide "added strength."
Crypto.com also says it added a mandatory 24-hour delay between registration of a new whitelisted address and first withdrawal. Users will also receive notifications that withdrawal addresses have been added - providing "useful reminders and instructions on contacting [the] team if the address whitelisting was unauthorized."
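The two controls described above, a second factor that must actually be verified and a 24-hour hold on newly whitelisted addresses, can be expressed as a single server-side withdrawal gate. The sketch below is an added example, not Crypto.com's code; the record fields, function names, addresses and timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COOL_OFF = timedelta(hours=24)  # delay stated in the article

@dataclass(frozen=True)
class Withdrawal:  # hypothetical record shape
    user: str
    address: str
    requested_at: datetime
    second_factor_verified: bool  # set by the server after checking the code

def check_withdrawal(w, whitelist):
    """Return (allowed, reasons); whitelist maps (user, address) -> time added.

    Every rule is evaluated and any failure denies the request, so a missing
    second factor can never be masked by a passing whitelist check.
    """
    reasons = []
    if not w.second_factor_verified:
        reasons.append("second factor not verified")
    added_at = whitelist.get((w.user, w.address))
    if added_at is None:
        reasons.append("address not whitelisted")
    elif w.requested_at - added_at < COOL_OFF:
        reasons.append("address inside 24-hour cool-off")
    return (not reasons, reasons)

def _t(day, hour):
    return datetime(2022, 1, day, hour, tzinfo=timezone.utc)

# Constructed sample data (not taken from the incident)
WHITELIST = {("alice", "addr-old"): _t(10, 9), ("alice", "addr-new"): _t(17, 1)}
SAMPLE = [
    Withdrawal("alice", "addr-old", _t(17, 2), True),      # normal request
    Withdrawal("alice", "addr-old", _t(17, 2), False),     # no second factor
    Withdrawal("alice", "addr-new", _t(17, 20), True),     # 19h after whitelisting
    Withdrawal("alice", "addr-new", _t(18, 1), True),      # exactly 24h after
    Withdrawal("alice", "addr-unknown", _t(18, 1), True),  # never whitelisted
]

def evaluate(samples=SAMPLE, whitelist=WHITELIST):
    return [check_withdrawal(w, whitelist) for w in samples]

if __name__ == "__main__":
    for w, (ok, why) in zip(SAMPLE, evaluate()):
        print(w.address, w.requested_at.isoformat(), "ALLOW" if ok else "DENY", why)
```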
The company also confirms it has audited its "entire infrastructure" to further harden its security posture and has "engaged with third-party security firms to perform additional security checks" and "initiate additional threat intelligence services."
It also confirmed it has introduced the Worldwide Account Protection Program, which is designed to protect user funds in cases where a third party gains unauthorized access, and to restore funds up to $250,000 for qualified users.
"The safety of our customers' funds is our highest priority, and we are continually enhancing our defense-in-depth security and protection measures," Marszalek says in the statement. "While we are reminded of the existence of bad actors intent on committing fraud, [WAPP], along with new MFA infrastructure, gives our users unprecedented protection of their funds, and hopefully, peace of mind."
Crypto.com CISO Jason Lau says in the statement that the platform's goal is to prevent security breaches, but that its insurance policy and WAPP programs offer "additional protections in rare instances where there is an incident."
'Perfect Storm' for Cybercrime
As crypto adoption picks up steam, security experts continue to highlight the pros and cons of the asset class.
"Crypto.com is a significant cryptocurrency exchange, so it is an inviting target for criminals," says Rick Holland, a former intelligence analyst for the U.S. Army. "The cryptocurrency space is a perfect storm of opportunity for cybercriminals. It is cross-border, unregulated, speculative and experiencing a gold rush of vulnerable investors who don't understand the risks."
Holland, CISO at the security firm Digital Shadows, also says there is a "higher bar for technical knowledge" for crypto investors, as small slip-ups can lead to massive losses.
"One specific example is using an offline hardware wallet … which is a great way to reduce the risk of losing your crypto should an exchange be compromised," he says.
Nevertheless, the blockchain ecosystem - and its added visibility - has also enabled law enforcement agencies.
"Over the last few years - and accelerated over the last few months - we have seen a proliferation of attacks on cryptocurrency businesses. These attacks have been against large exchanges and small startups," says Ari Redbord, an ISMG contributor who formerly served at the Treasury Department as a senior adviser to the deputy secretary.
Still, he says, law enforcement agencies are leveraging "sophisticated blockchain analysis" technology to closely monitor illicit activity.
"The nature of the blockchain gives investigators more visibility and more opportunities to follow the money than ever before," says Redbord, head of legal and government affairs for the blockchain intelligence firm TRM Labs. "And we have even seen the industry police itself at times. In the days following the Poly Network attack [last] summer, we saw analytics companies and crypto sleuths take to social media to discuss the movement of funds in real time."
Bank of Russia Calls for Mining Ban
In other cryptocurrency news, the Bank of Russia issued a report this week that called for a ban on the use and mining of cryptocurrencies on Russian territory.
The report, written in Russian, outlines what it calls key financial stability risks associated with cryptocurrency. Experts close to the Russian financial system say the proposal likely will not involve an outright ban on ownership, however, according to Reuters.
Russia would not be the first nation to ban crypto-mining. Other nations with a full or limited ban include China, Iran, Egypt, Kosovo and Kazakhstan, among others.