Crypto.com Withdrawals Triggered: Difference between revisions
(Added the About Crypto.com section to Witty-Season-3914 case study and Crypto.com Withdrawal case study.)
(Crypto.com Withdrawals Triggered information split between the various sections of the article.)
Revision as of 13:35, 13 March 2023
Crypto.com is one of the largest cryptocurrency exchanges globally. While details are vague, it appears that a vulnerability allowed an attacker to trigger withdrawals without completing the 2FA checks that were intended to be required for every withdrawal.
After the initial confusion, the company eventually admitted what had happened and appears to have compensated all affected users. The 2FA system has been upgraded. They have also introduced some additional coverage (the APP program) under which they may cover up to $250k of losses.
This exchange or platform is based in Singapore, or the incident targeted people primarily in Singapore. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About Crypto.com
Crypto.com was founded in 2016[18]. As of November 23rd, 2021, the platform served over 10 million customers worldwide[18][19].
"CRYPTO.COM EXCHANGE. Trade with confidence on the world’s fastest and most secure crypto exchange." "The World’s Fastest Growing Crypto App" "Buy crypto at true cost. Buy and sell 250+ cryptocurrencies with 20+ fiat currencies using bank transfers or your credit/debit card." "Join 10m+ users buying and selling 250+ cryptocurrencies at true cost. Spend with the Crypto.com Visa Card and get up to 8% back. Grow your portfolio by receiving rewards up to 14.5% on your crypto assets."
Crypto.com shares a strong brand vision for their platform[20].
"Powered by cryptocurrency, the future of the internet: Web3 will be more fair and equitable, owned by the builders, creators and users. You." "We believe it is your basic right to control your money, data and identity."
Like most platforms, they have a full page on their security policies and procedures[21].
"Security First. Always." "Our commitment to our customers is built on trust. We believe that security and data privacy are the foundations of achieving mainstream cryptocurrency adoption."
Crypto.com had recently been pushing hard into the US market with viral advertising stunts including actor Matt Damon, and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena[22]. On November 23rd, 2021, Crypto.com announced their SOC 2 compliance. Jason Lau, Chief Information Security Officer of Crypto.com, made a statement at the time[18].
“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement, Crypto.com [recently became] the First Cryptocurrency Platform to Achieve SOC 2 Compliance, ISO27001, ISO27701, PCI:DSS 3.2.1 (Level 1), and Highest “Adaptive” maturity levels for the NIST Cybersecurity Framework and NIST Privacy Framework." Crypto.com "successfully completed the Service Organization Control (SOC) 2 Audit, conducted by globally recognized audit and consulting firm Deloitte, which affirms that Crypto.com’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, confidentiality and privacy."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
"On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts."
"Several users of [the] exchange endorsed by Matt Damon in a notorious viral ad complained over the weekend that their funds on the platform had been stolen. Confusion has reigned since then, as the company said no customer funds were stolen in what it vaguely referred to as an “incident" in communications." Complaints had initially only "been met with vague responses from the company".
"On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation."
"On Monday, reports emerged that Crypto.com had halted withdrawals "after a small number of users" experienced suspicious transactions on their accounts. The cryptocurrency exchange has since resumed withdrawals and confirmed that its users' money was "safe," but reports emerged later that it had lost 4.6K ETH ($15 million) and was being laundered using Tornado Cash." "PeckShield claimed in the tweet that about half of the funds were being sent to Tornado Cash to be “washed.” Tornado Cash says it provides “non-custodial anonymous transactions” on the Ethereum blockchain, meaning it can hide where crypto is being sent."
| Date | Event | Description |
|---|---|---|
| January 17th, 2022 12:46:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
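The detection described in the statement above (withdrawals approved while no 2FA code had been entered by the user) can be modelled as a correlation rule over the platform's audit events: every approved withdrawal must be preceded by a fresh, unconsumed second-factor verification for the same account, and when the pattern spans several accounts the platform pauses all withdrawals, as Crypto.com did. The following is an added example written for this case study, not Crypto.com's code; the log format, event names, the five-minute verification window and the suspension threshold are all assumptions, and the log lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical format, not Crypto.com's logs).
# Fields: timestamp | event | account | detail
SAMPLE_LOG = """\
2022-01-17T00:40:10Z | 2fa_verified        | acct-101 | method=totp
2022-01-17T00:41:02Z | withdrawal_approved | acct-101 | amount=1.5 asset=ETH
2022-01-17T00:44:30Z | withdrawal_approved | acct-202 | amount=12.0 asset=ETH
2022-01-17T00:45:12Z | withdrawal_approved | acct-303 | amount=0.8 asset=BTC
2022-01-17T00:10:00Z | 2fa_verified        | acct-303 | method=totp
2022-01-17T00:46:00Z | withdrawal_approved | acct-202 | amount=9.0 asset=ETH
"""

# A 2FA verification authorizes exactly one withdrawal and only for a short time
# (assumed window).
VERIFICATION_WINDOW = timedelta(minutes=5)
# Number of distinct accounts with unverified withdrawals that triggers a
# platform-wide pause (assumed threshold).
SUSPEND_THRESHOLD = 2


@dataclass
class Event:
    ts: datetime
    kind: str
    account: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated sample format into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, detail = (p.strip() for p in line.split("|", 3))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, account, detail))
    # Sort by time so out-of-order delivery (acct-303's late 2FA line) is handled.
    return sorted(events, key=lambda e: e.ts)


def find_unverified_withdrawals(events, window=VERIFICATION_WINDOW):
    """Return withdrawals approved without a fresh, unconsumed 2FA verification
    for the same account. A stale verification (older than `window`) does not count."""
    pending = {}   # account -> timestamp of an unconsumed 2FA verification
    flagged = []
    for e in events:
        if e.kind == "2fa_verified":
            pending[e.account] = e.ts
        elif e.kind == "withdrawal_approved":
            verified_at = pending.pop(e.account, None)   # consumed whether fresh or stale
            if verified_at is None or e.ts - verified_at > window:
                flagged.append(e)
    return flagged


def accounts_to_freeze(events, window=VERIFICATION_WINDOW):
    """Distinct accounts that showed at least one unverified withdrawal."""
    return sorted({e.account for e in find_unverified_withdrawals(events, window)})


def should_suspend_withdrawals(events, threshold=SUSPEND_THRESHOLD):
    """Platform-wide pause when the pattern is not confined to a single account."""
    return len(accounts_to_freeze(events)) >= threshold


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_unverified_withdrawals(evs):
        print(f"FLAG {e.ts.isoformat()} {e.account} {e.detail}")
    print("suspend all withdrawals:", should_suspend_withdrawals(evs))
```

On the constructed log the rule flags both acct-202 withdrawals (no verification at all) and the acct-303 withdrawal (its only verification is 35 minutes old), while acct-101's withdrawal, made 52 seconds after its verification, passes. Consuming the verification on use is what makes a replayed or reused 2FA event visible: a second withdrawal on the same verification is flagged rather than silently accepted.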
Total Amount Lost
"The incident affected 483 Crypto.com users. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies."
The total amount lost has been estimated at $34,358,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
"Crypto.com first paused withdrawals on its platform on Sunday after noting via Twitter that a “small number of users [are] reporting suspicious activity on their accounts.” It also asked customers to reset their two-factor authentication out of “an abundance of caution.”" "The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred." "The site suspended all withdrawals for 14 hours to investigate the issue."
"The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized."
"ErgoBTC tweeted on Tuesday suggesting that another 444 BTC ($18.5 million) had been stolen from Crypto.com's payout wallet. ErgoBTC said that OXT Research discovered a suspicious transaction of 52.55 BTC ($2.18 million) from Crypto.com's custodial wallet."
"Following the transaction, “several hundred withdrawals” were made which were then combined into four outputs worth 67.75 BTC ($2.81 million) each, as per ErgoBTC. The four batches amounted to 271 BTC ($11.25 million), all of which were laundered via Bitcoin tumbler— a service that allows customers to combine several transactions and make it more difficult for investigators to trace Bitcoin transfers." "The Bitcoin tumbler allegedly utilized by the alleged perpetrators to wash the 271 BTC is a well-known tool employed by the North Korean cybercrime syndicate, Lazarus."
"The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement."
"According to ErgoBTC, the criminals behind the Crypto.com security breach also controlled another address holding 172.9 BTC ($7.25 million). Blockchair data reveals that the address received the funds at about the same time as the other transactions linked to the Crypto.com hack. However, as of the publishing of this article, the purported hacker has not transferred the funds through a bitcoin tumbling service yet."
"Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022." "In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure."
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
Crypto.com Strengthening Security
"Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized."
"The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change."
"Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services."
"Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base."
Account Protection Program
"Crypto.com is introducing the worldwide Account Protection Program (APP). APP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange." "APP restores funds up to USD$250,000 for qualified users; terms & conditions apply." "Crypto.com will make the final determination of eligibility requirements and approval of claims. APP will begin rolling out in select markets starting 1 February 2022."
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
"Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday." "Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts." "The exchange said that in most cases it “prevented the unauthorized withdrawal,” and added that in the other cases it reimbursed customers for their losses."
The total amount recovered has been estimated at $34,358,000 USD.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
Prevention Policies
There were no customer losses in this case, as the funds which were able to be stolen were a very small fraction of the available funds on the platform. The original loss could have been prevented by using cold storage and requiring multiple signatures on withdrawals. Even within the hot wallet infrastructure, there are opportunities to add additional factors, which make it exponentially harder for an adversary. While the APP is a great program, the decisions about coverage are subject to Crypto.com, which has an incentive only to cover smaller losses, where the value of the customer relationship and/or reputation damage is greater than the amount lost. An industry insurance fund would act in a more impartial capacity.
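The controls named in this section and in the security-hardening quotes above (a second factor verified for each individual withdrawal request, the 24-hour delay after a withdrawal address is whitelisted, and multi-party approval for amounts larger than a hot wallet should pay out on its own) can be combined into a single policy check that every withdrawal passes through. The following is an added example, not Crypto.com's code; the per-asset limits, the approval count, the account names, addresses and scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy parameters (hypothetical, not Crypto.com's actual settings).
WHITELIST_DELAY = timedelta(hours=24)          # new address must age before first use
HOT_WALLET_LIMIT = {"ETH": 10.0, "BTC": 0.5}   # above this, the hot wallet alone may not pay
REQUIRED_APPROVALS = 2                         # M-of-N operator approvals for large payouts


@dataclass(frozen=True)
class WhitelistEntry:
    account: str
    address: str
    registered_at: datetime


@dataclass(frozen=True)
class WithdrawalRequest:
    account: str
    asset: str
    amount: float
    to_address: str
    requested_at: datetime
    second_factor_verified: bool          # verified for THIS request, not a session flag
    operator_approvals: frozenset = frozenset()


def evaluate(req: WithdrawalRequest, whitelist: dict) -> tuple[bool, list[str]]:
    """Apply every control and return (allowed, reasons).

    All failing controls are reported rather than stopping at the first, so a
    log of the decision shows which layers an attempt got past."""
    reasons = []

    entry = whitelist.get((req.account, req.to_address))
    if entry is None:
        reasons.append("destination address is not whitelisted")
    else:
        age = req.requested_at - entry.registered_at
        if age < WHITELIST_DELAY:
            reasons.append(f"address whitelisted {age} ago; {WHITELIST_DELAY} delay not elapsed")

    if not req.second_factor_verified:
        reasons.append("second factor not verified for this request")

    limit = HOT_WALLET_LIMIT.get(req.asset, 0.0)
    if req.amount > limit and len(req.operator_approvals) < REQUIRED_APPROVALS:
        reasons.append(f"{req.amount} {req.asset} exceeds hot-wallet limit {limit}; "
                       f"{REQUIRED_APPROVALS} approvals required, {len(req.operator_approvals)} given")

    return (not reasons, reasons)


def run_sample_cases() -> dict:
    """Constructed scenarios exercising each control independently."""
    now = datetime(2022, 1, 17, 0, 46)
    whitelist = {
        ("acct-1", "0xOLD"): WhitelistEntry("acct-1", "0xOLD", now - timedelta(days=3)),
        ("acct-1", "0xNEW"): WhitelistEntry("acct-1", "0xNEW", now - timedelta(hours=2)),
    }
    cases = {
        "small_verified_old_address": WithdrawalRequest("acct-1", "ETH", 1.0, "0xOLD", now, True),
        "new_address_inside_delay":   WithdrawalRequest("acct-1", "ETH", 1.0, "0xNEW", now, True),
        "no_second_factor":           WithdrawalRequest("acct-1", "ETH", 1.0, "0xOLD", now, False),
        "large_one_approval":         WithdrawalRequest("acct-1", "ETH", 50.0, "0xOLD", now, True,
                                                        frozenset({"ops-a"})),
        "large_two_approvals":        WithdrawalRequest("acct-1", "ETH", 50.0, "0xOLD", now, True,
                                                        frozenset({"ops-a", "ops-b"})),
        "unknown_address_no_2fa":     WithdrawalRequest("acct-1", "BTC", 0.1, "bc1unknown", now, False),
    }
    return {name: evaluate(req, whitelist) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_sample_cases().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY '} {reasons}")
```

The point of keeping `second_factor_verified` on the request rather than on the session is that a bypass of the 2FA step (the failure mode in this incident) then denies the individual withdrawal instead of being inherited by every later action in the session; the whitelist delay gives the account holder time to react to the notification, and the approval quorum bounds what any single compromised path can move out of the hot wallet.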
References
1. $30 MILLION CRYPTO STOLEN - YouTube (Jan 21, 2022)
2. Formula 1 announce Crypto.com as inaugural global partner of the F1 Sprint series | Formula 1 (Jan 22, 2022)
3. 2FA compromise led to $34M Crypto.com hack – TechCrunch (Jan 22, 2022)
4. Crypto.com breach may be worth up to $33M, suggests onchain analyst (Jan 23, 2022)
5. @ErgoBTC Twitter (Jan 23, 2022)
6. OXT (Jan 23, 2022)
7. @Kris_HK Twitter (Jan 23, 2022)
8. Crypto.com Says Alleged $15 Million Hack Was Just an 'Incident' (Jan 23, 2022)
9. https://crypto.com/product-news/crypto-com-security-report-next-steps (Jan 23, 2022)
10. Crypto.com Admits $35 Million Hack (Jan 23, 2022)
11. Crypto.com admits over $30 million stolen by hackers - The Verge (Jan 23, 2022)
12. Crypto.com shares details on security breach: 483 accounts compromised (Jan 23, 2022)
13. @cryptocom Twitter (Jan 23, 2022)
14. @peckshield Twitter (Jan 23, 2022)
15. @cryptocom Twitter (Jan 23, 2022)
16. https://www.cnbc.com/2022/01/18/news-peckshield-says-15m-lost-on-cryptocom-tesla-accepts-doge.html (Jan 23, 2022)
17. Rekt - Crypto.com - REKT (Feb 8, 2022)
18. Crypto.com The Most Secure Crypto Platform Worldwide Adds SOC 2 Compliance (Jan 23, 2022)
19. Crypto.com Homepage (Jan 22, 2022)
20. Crypto.com About Page (Jan 22, 2022)
21. Security - Industry-Leading Security Infrastructure | Crypto.com (Mar 13, 2023)
22. Crypto.com CEO admits hundreds of customer accounts were hacked - TechCrunch