Crypto.com Withdrawals Triggered
Crypto.com is one of the largest cryptocurrency exchanges globally. While details remain vague, it appears that a vulnerability allowed an attacker to trigger withdrawals without completing the 2FA checks that were intended to be required for a withdrawal.
After the initial confusion, the company eventually admitted what had happened and appears to have compensated all affected users. The 2FA system has been upgraded, and the company has also introduced additional coverage, the Account Protection Program (APP), under which it may cover up to $250k of losses.
This exchange or platform is based in Singapore, or the incident targeted people primarily in Singapore. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21]
About Crypto.com
"Founded in 2016, Crypto.com today serves over 10 million customers with the world’s fastest growing crypto app, along with the Crypto.com Exchange and Crypto.com DeFi Wallet."
"CRYPTO.COM EXCHANGE. Trade with confidence on the world’s fastest and most secure crypto exchange." "The World’s Fastest Growing Crypto App" "Buy crypto at true cost. Buy and sell 250+ cryptocurrencies with 20+ fiat currencies using bank transfers or your credit/debit card." "Join 10m+ users buying and selling 250+ cryptocurrencies at true cost. Spend with the Crypto.com Visa Card and get up to 8% back. Grow your portfolio by receiving rewards up to 14.5% on your crypto assets."
"Powered by cryptocurrency, the future of the internet: Web3 will be more fair and equitable, owned by the builders, creators and users. You." "We believe it is your basic right to control your money, data and identity."
"Security First. Always." "Our commitment to our customers is built on trust. We believe that security and data privacy are the foundations of achieving mainstream cryptocurrency adoption."
"While Crypto.com is the world’s fourth-largest crypto exchange, it has been pushing hard into U.S. markets in recent months, with stunts including viral advertisements featuring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena."
“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,” said Jason Lau, Chief Information Security Officer of Crypto.com. "Crypto.com [recently became] the First Cryptocurrency Platform to Achieve SOC 2 Compliance, ISO27001, ISO27701, PCI:DSS 3.2.1 (Level 1), and Highest “Adaptive” maturity levels for the NIST Cybersecurity Framework and NIST Privacy Framework." Crypto.com "successfully completed the Service Organization Control (SOC) 2 Audit, conducted by globally recognized audit and consulting firm Deloitte, which affirms that Crypto.com’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, confidentiality and privacy."
"On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts." "The incident affected 483 Crypto.com users. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies."
"Several users of [the] exchange endorsed by Matt Damon in a notorious viral ad complained over the weekend that their funds on the platform had been stolen. Confusion has reigned since then, as the company said no customer funds were stolen in what it vaguely referred to as an “incident” in communications." Complaints had initially only "been met with vague responses from the company".
"Crypto.com first paused withdrawals on its platform on Sunday after noting via Twitter that a “small number of users [are] reporting suspicious activity on their accounts.” It also asked customers to reset their two-factor authentication out of “an abundance of caution.”" "The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred." "The site suspended all withdrawals for 14 hours to investigate the issue."
"On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation."
"On Monday, reports emerged that Crypto.com had halted withdrawals "after a small number of users" experienced suspicious transactions on their accounts. The cryptocurrency exchange has since resumed withdrawals and confirmed that its users' money was "safe," but reports emerged later that it had lost 4.6K ETH ($15 million) and was being laundered using Tornado Cash." "PeckShield claimed in the tweet that about half of the funds were being sent to Tornado Cash to be “washed.” Tornado Cash says it provides “non-custodial anonymous transactions” on the Ethereum blockchain, meaning it can hide where crypto is being sent."
"The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized."
"ErgoBTC tweeted on Tuesday suggesting that another 444 BTC ($18.5 million) had been stolen from Crypto.com's payout wallet. ErgoBTC said that OXT Research discovered a suspicious transaction of 52.55 BTC ($2.18 million) from Crypto.com's custodial wallet."
"Following the transaction, “several hundred withdrawals” were made which were then combined into four outputs worth 67.75 BTC ($2.81 million) each, as per ErgoBTC. The four batches amounted to 271 BTC ($11.25 million), all of which were laundered via Bitcoin tumbler — a service that allows customers to combine several transactions and make it more difficult for investigators to trace Bitcoin transfers." "The Bitcoin tumbler allegedly utilized by the alleged perpetrators to wash the 271 BTC is a well-known tool employed by the North Korean cybercrime syndicate, Lazarus."
"The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement."
"According to ErgoBTC, the criminals behind the Crypto.com security breach also controlled another address holding 172.9 BTC ($7.25 million). Blockchair data reveals that the address received the funds at about the same time as the other transactions linked to the Crypto.com hack. However, as of the publishing of this article, the purported hacker has not transferred the funds through a bitcoin tumbling service yet."
"Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday." "Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts." "The exchange said that in most cases it “prevented the unauthorized withdrawal,” and added that in the other cases it reimbursed customers for their losses."
"Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022." "In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure."
"Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized."
"The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change."
"Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services."
"Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base."
"Crypto.com is introducing the worldwide Account Protection Program (APP). APP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange." "APP restores funds up to USD$250,000 for qualified users; terms & conditions apply." "Crypto.com will make the final determination of eligibility requirements and approval of claims. APP will begin rolling out in select markets starting 1 February 2022."
“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
What Happened
| Date | Event | Description |
|---|---|---|
| January 17th, 2022, 12:46 AM UTC | Main Event | Crypto.com's risk monitoring systems detected transactions on a small number of user accounts being approved without the 2FA control being inputted by the user. All withdrawals on the platform were suspended (approximately 14 hours) while the incident was investigated; 483 users were affected, with unauthorised withdrawals of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies. |
Total Amount Lost
The total amount lost has been estimated at $34,358,000 USD.
Total Amount Recovered
The total amount recovered has been estimated at $34,358,000 USD.
Prevention Policies
There were ultimately no customer losses in this case: the funds that could be stolen were a very small fraction of the funds available on the platform, so the exchange could absorb the loss and reimburse the affected accounts. The original loss could have been prevented by using cold storage and requiring multiple signatures on withdrawals. Even within the hot wallet infrastructure, there are opportunities to add additional factors, which make it considerably harder for an adversary. While the APP is a welcome program, coverage decisions are made by Crypto.com itself, which has an incentive to cover only smaller losses, where the value of the customer relationship and/or the reputational damage is greater than the amount lost. An industry insurance fund would act in a more impartial capacity.
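As an added illustration (not Crypto.com's code, and not from any of the sources cited here), the following Python models the two server-side controls this case turns on: the 2FA code is verified for each withdrawal request, so a missing code is rejected rather than treated as optional, and a 24-hour delay is enforced between whitelisting a new withdrawal address and the first withdrawal to it, with the user notified, as in the security report quoted above. The TOTP routine, the in-memory account model and the sample secret are assumptions made for the demo.

```python
"""Withdrawal authorisation with the two controls described above (constructed
illustration, not Crypto.com's code): 2FA verified server-side per request, and a
24-hour delay between whitelisting a new withdrawal address and the first withdrawal."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

WHITELIST_DELAY = 24 * 60 * 60  # seconds; the mandatory delay described in the report


@dataclass
class Account:
    totp_secret: bytes                                 # constructed TOTP seed for the demo
    whitelisted: dict = field(default_factory=dict)    # address -> registration time (epoch s)
    notifications: list = field(default_factory=list)  # messages the user would receive


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def add_withdrawal_address(acct: Account, address: str, now: int) -> None:
    """Register a withdrawal address and notify the user, who then has the 24h
    window to report an unauthorised whitelisting before any funds can move."""
    acct.whitelisted[address] = now
    acct.notifications.append(
        f"Withdrawal address {address} added; first withdrawal allowed after 24h. "
        "Contact support if you did not do this.")


def authorize_withdrawal(acct: Account, address: str, code: str, now: int):
    """Return (allowed, reason). Every withdrawal must pass both controls."""
    # Control 1: the 2FA code is checked on the server for this request. An absent
    # code is a failure, never a signal that 2FA was 'not required'; that is the
    # approval-without-2FA failure mode the incident describes.
    expected = totp(acct.totp_secret, now)
    if not code or not hmac.compare_digest(code.encode(), expected.encode()):
        return False, "2fa_required"
    # Control 2: the destination must have been whitelisted at least 24h earlier.
    registered = acct.whitelisted.get(address)
    if registered is None:
        return False, "address_not_whitelisted"
    if now - registered < WHITELIST_DELAY:
        return False, "whitelist_delay_active"
    return True, "ok"
```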
References
1. $30 MILLION CRYPTO STOLEN - YouTube (Jan 21, 2022)
2. Crypto.com Homepage (Jan 22, 2022)
3. Crypto.com About Page (Jan 22, 2022)
4. Formula 1 announce Crypto.com as inaugural global partner of the F1 Sprint series | Formula 1 (Jan 22, 2022)
5. 2FA compromise led to $34M Crypto.com hack – TechCrunch (Jan 22, 2022)
6. Crypto.com breach may be worth up to $33M, suggests onchain analyst (Jan 23, 2022)
7. @ErgoBTC Twitter (Jan 23, 2022)
8. OXT (Jan 23, 2022)
9. Crypto.com CEO admits hundreds of customer accounts were hacked – TechCrunch (Jan 23, 2022)
10. @Kris_HK Twitter (Jan 23, 2022)
11. Crypto.com Says Alleged $15 Million Hack Was Just an 'Incident' (Jan 23, 2022)
12. Crypto.com Security Report & Next Steps, https://crypto.com/product-news/crypto-com-security-report-next-steps (Jan 23, 2022)
13. Crypto.com The Most Secure Crypto Platform Worldwide Adds SOC 2 Compliance (Jan 23, 2022)
14. Crypto.com Admits $35 Million Hack (Jan 23, 2022)
15. Crypto.com admits over $30 million stolen by hackers - The Verge (Jan 23, 2022)
16. Crypto.com shares details on security breach: 483 accounts compromised (Jan 23, 2022)
17. @cryptocom Twitter (Jan 23, 2022)
18. @peckshield Twitter (Jan 23, 2022)
19. @cryptocom Twitter (Jan 23, 2022)
20. CNBC, https://www.cnbc.com/2022/01/18/news-peckshield-says-15m-lost-on-cryptocom-tesla-accepts-doge.html (Jan 23, 2022)
21. Rekt - Crypto.com - REKT (Feb 8, 2022)