Crypto.com Sends $10.5m To Melbourne Woman

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:30, 5 June 2023 by Azoundria (talk | contribs) (Another 30 minutes complete.)

Crypto.com

Australian Thevamanogari Manivel was entitled to a $100 refund from Crypto.com. However, the platform instead transferred her $10.5m because an employee entered an account number in the balance field. Rather than return the money, she kept it, and worked with her sister to buy offshore houses. 7 months later, Crypto.com realized the error and decided that they would like to collect the funds from her.

Crypto.com accidentally transferred $10.5m to a woman in Australia. An employee reportedly messed up the account number and the amount to be transferred. 7 months later the platform realized the error and tried to pursue recovery.

About Crypto.com

Crypto.com is a Singapore-based exchange[1] which was founded in 2016[2]. As of November 23rd, 2021, the platform had over 300 employees[1] and served over 10 million customers worldwide[1][2][3].

"CRYPTO.COM EXCHANGE. Trade with confidence on the world’s fastest and most secure crypto exchange." "The World’s Fastest Growing Crypto App" "Buy crypto at true cost. Buy and sell 250+ cryptocurrencies with 20+ fiat currencies using bank transfers or your credit/debit card." "Join 10m+ users buying and selling 250+ cryptocurrencies at true cost. Spend with the Crypto.com Visa Card and get up to 8% back. Grow your portfolio by receiving rewards up to 14.5% on your crypto assets."

Crypto.com shares a strong brand vision for their platform[4].

"Powered by cryptocurrency, the future of the internet: Web3 will be more fair and equitable, owned by the builders, creators and users. You." "We believe it is your basic right to control your money, data and identity."

Like most platforms, they have a full page on their security policies and procedures[5].

"Security First. Always." "Our commitment to our customers is built on trust. We believe that security and data privacy are the foundations of achieving mainstream cryptocurrency adoption."

Crypto.com had recently been pushing hard into the US market with viral advertising stunts including actor Matt Damon, and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena[1][6][7]. Crypto.com also has official deals with Formula 1[8], the UFC, the NBA, the Philadelphia 76ers, the NHL, the Montreal Canadiens, and the Australian Football League[1].


On November 23rd, 2021, Crypto.com announced their SOC 2 compliance. Jason Lau, Chief Information Security Officer of Crypto.com, made a statement at the time[2].

“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement, Crypto.com [recently became] the First Cryptocurrency Platform to Achieve SOC 2 Compliance, ISO27001, ISO27701, PCI:DSS 3.2.1 (Level 1), and Highest “Adaptive” maturity levels for the NIST Cybersecurity Framework and NIST Privacy Framework." Crypto.com "successfully completed the Service Organization Control (SOC) 2 Audit, conducted by globally recognized audit and consulting firm Deloitte, which affirms that Crypto.com’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, confidentiality and privacy."

About Thevamanogari Manivel

Thevamanogari Manivel is a woman from Melbourne, Australia[9].


This exchange or platform is based in Australia, or the incident targeted people primarily in Australia.


What Happened

Thevamanogari Manivel was entitled to a $100 refund from Crypto.com. However, the platform instead transferred her $10.5m because an employee entered an account number in the balance field. Rather than return the money, she kept it, and purchased a large home in Craigieburn for her sister.

Key Event Timeline - Crypto.com Sends $10.5m To Melbourne Woman
Date | Event | Description
--- | --- | ---
May 2021 | Incident Occurred | An employee reportedly made a typo and transferred Australian Thevamanogari Manivel over $10.5m instead of transferring her the requested $100 refund[9].
December 2021 | Audit Uncovers Mistake | The mistake was reportedly uncovered during a company audit[9].
February 2022 | Purchase of Craigieburn Home | "The court heard that $1.35m of the money had been used to buy a four-bedroom home in Craigieburn in Melbourne’s north in February, and the ownership of the property was then transferred into the name of Manivel’s sister, Thilagavathy Gangadory, who lives in Malaysia." "The company launched legal action in the Victorian supreme court this year, and in February was granted a freeze on Manivel’s Commonwealth Bank account, but most of the money had been transferred to other accounts – which were later frozen."
August 29th, 2022 6:28:25 PM MDT | TickerNews Coverage | A news article is published by TickerNews[10] on the situation which explains that Crypto.com accidentally transferred $10.5 million to a woman in Melbourne who was seeking a $100 refund, and it took the company more than seven months to realize the error. The platform launched legal action against two sisters to get the money back and discovered that the cash had already been moved and used to buy a multi-million dollar mansion. A judge has now ordered the property to be sold, with orders made for the remaining money to be returned[9].
August 29th, 2022 6:40:02 PM MDT | Reddit Thread On Incident | The incident is shared on a large Reddit thread, which simply linked to the TickerNews article[11].
August 29th, 2022 6:41:22 PM MDT | HeraldSun Report | The situation is reported by the HeraldSun[12]. "Crypto.com has launched Supreme Court action against a Melbourne woman and her sister after finding it made an error in sending her $10,474,143" The remaining contents are behind a paywall[13].
August 30th, 2022 6:21:56 AM MDT | Blockworks Article Published | Blockworks publishes an article about the situation, with a focus on the reported failure to realize the problem for 7 months. “While random errors occur on most platforms, this one is too costly to ignore,” [Alexander Tkachenko, CEO of asset tokenization platform VNN,] told Blockworks. Representatives for Crypto.com didn’t return request for comment by press time.[14]
August 30th, 2022 11:06:22 AM MDT | Ethereum World News Report | The incident is shared in an Ethereum World News article[15].
August 31st, 2022 12:46:00 AM MDT | The Guardian Article | The Guardian covers the situation[16].
August 31st, 2022 3:03:55 PM MDT | Ars Technica Article | Ars Technica reports on the situation[17]. "Last Friday, Justice James Elliott, a judge for the Victorian Supreme Court in Australia, issued a default judgment in the case. This became necessary because, as Crypto.com alleged in the court document, Manivel and other named defendants, including her sister Thilagavathy Gangadory, failed to respond to a court summons." "Attempting to serve court documents to the sisters, Crypto.com’s legal team reached out to Manivel’s lawyers. The Guardian reported that her lawyers responded just once to confirm receipt. Crypto.com had less success reaching Gangadory, who allegedly never responded to attempts to serve her court documents." "Crypto.com told Business Insider that Manivel's lawyers told the crypto firm that Gangadory is currently seeking legal advice on the default judgment."
September 18th, 2022 10:00:11 AM MDT | YouTube Video Coverage | The situation is covered in a YouTube video. According to the video, this is not the first time such mistakes have been made by crypto exchanges, with one case involving a $27 million mistake. In the recent case, an Australian woman who received the $10 million used it to buy a house, gave money to friends and family, and then disappeared. The funds belong to users and their use by the woman will have a cost. The consequences of such mistakes can be severe, leading to bankruptcies and customers losing access to their funds[18].

Technical Details

According to the Supreme Court, the situation came about because an employee for Crypto.com entered her account number in the payment field, where they should have entered the amount of $100[9].

It appears that there were no additional checks made on the outgoing payment, and that the same individual employees in the platform who process small refunds were authorized to release large sums of funds to customers[9].

"Cryptocurrency trading platform Crypto.com accidentally transferred $10.5m to an Australian woman when processing a $100 refund, and failed to notice the error for seven months."

"Crypto.com, which operates as Foris GFS in Australia, had paid out $10.5m instead of a $100 refund after Manivel’s account number was accidentally entered into the payment amount field."

Total Amount Lost

The total amount lost has been estimated at $10,500,000 USD.

"Crypto.com has launched Supreme Court action against a Melbourne woman and her sister after finding it made an error in sending her $10,474,143"

Immediate Reactions


Discussions on Reddit

Multiple users commented on the situation in a Reddit post[11][19][20][21].

She should tell them to raise a support ticket and she will get around to actioning it over the next 24 months.

7 months to realize? Nice accounting

How many flags will be raised when you just try to deposit 10 million into an account? Where would you even do that at?

Ultimate Outcome


"The recipient, Thevamanogari Manivel, didn’t notify Crypto.com, instead allegedly transferring funds to bank accounts held by her and her family. Crypto.com claims Manivel used the money to buy her sister a modern million-dollar house, complete with a home gym and theater."

Property Purchase In Craigieburn

The sister reportedly purchased a large multi-million dollar mansion in Craigieburn[9].

"The court heard that $1.35m of the money had been used to buy a four-bedroom home in Craigieburn in Melbourne’s north in February, and the ownership of the property was then transferred into the name of Manivel’s sister, Thilagavathy Gangadory, who lives in Malaysia."

Judgement Rendered

"The company launched legal action in the Victorian supreme court this year, and in February was granted a freeze on Manivel’s Commonwealth Bank account, but most of the money had been transferred to other accounts – which were later frozen."

"Last Friday [August 26th, 2022], Justice James Elliott, a judge for the Victorian Supreme Court in Australia, issued a default judgment in the case. This became necessary because, as Crypto.com alleged in the court document, Manivel and other named defendants, including her sister Thilagavathy Gangadory, failed to respond to a court summons."

"Attempts to serve Gangadory the freezing orders were unsuccessful, as she never responded to emails from Crypto.com’s solicitors. The only communication provided to the court was an email reply to Manivel’s solicitors saying “received, thank you”."

A judge has reportedly ordered the property to be sold and the remaining money to be returned[9].

Controversy Over Service of Documents

The documents were served via a OneDrive link sent via email with an expiry time of 30 days. According to established Australian law, service by email with a link to view the attachment counts as successfully serving a defendant[17].

The difference matters, Elliott wrote, because not every person will have the technical proficiency to navigate to and review documents on a shared drive. He also wrote that anyone could “justifiably” decide not to click a link in a personal email due to scam risks. However, he ultimately decided that, in this case, the link to the online drive in a personal email was acceptable, partly because courts in other contexts have accepted links to court documents sent via text message.

Total Amount Recovered

The total amount recoverable is still being determined through the courts.

Ongoing Developments

Collection efforts in this case are still ongoing.

"Neither Manivel nor Gangadory could be reached by Ars or other outlets for comment. A Crypto.com spokesperson told Ars, “As the matter is before the courts, we are unable to comment.”"

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

While this loss did not involve cryptocurrency funds, the same multi-signature requirement can be instituted at a policy level on outgoing fiat transfers.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
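The field mix-up described under Technical Details and the multi-approver policy above can be expressed as release checks on an outgoing refund. This is an added sketch, not Crypto.com's or this repository's code: the `Payout` fields, the `SOLO_LIMIT` threshold and the sample account number are assumptions, while the 3-approver minimum and the $100 entitlement come from the page.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values. The 3-approver minimum is the page's recommendation;
# the dollar threshold is hypothetical.
SOLO_LIMIT = Decimal("1000")   # above this, one operator may not release alone
MIN_APPROVERS = 3


@dataclass
class Payout:
    initiator: str
    account_number: str
    amount: Decimal
    entitlement: Decimal       # what the customer is actually owed
    approvers: set = field(default_factory=set)


def digits(value: str) -> str:
    """Keep only the digit characters of an account identifier."""
    return "".join(ch for ch in value if ch.isdigit())


def review(p: Payout) -> list:
    """Return the reasons this payout must be held; an empty list means release."""
    holds = []
    if p.amount <= 0:
        holds.append("non-positive amount")
    # Field-confusion check: the whole-unit amount equals the account number.
    if str(int(p.amount)) == digits(p.account_number).lstrip("0"):
        holds.append("amount matches account number")
    # A refund can never exceed what the customer is owed.
    if p.amount > p.entitlement:
        holds.append("amount exceeds entitlement")
    # Large releases need distinct approvers other than the initiator.
    if p.amount > SOLO_LIMIT:
        independent = p.approvers - {p.initiator}
        if len(independent) < MIN_APPROVERS:
            holds.append(
                f"needs {MIN_APPROVERS} independent approvers, has {len(independent)}"
            )
    return holds


# Constructed samples: the account number is made up, the $100 refund is the page's.
mistyped = Payout("ops-1", "12345678", Decimal("12345678"), Decimal("100"))
correct = Payout("ops-1", "12345678", Decimal("100"), Decimal("100"))
self_approved = Payout("ops-1", "12345678", Decimal("5000"), Decimal("5000"),
                       {"ops-1", "ops-2", "ops-3"})

if __name__ == "__main__":
    for name, p in (("mistyped", mistyped), ("correct", correct),
                    ("self_approved", self_approved)):
        print(name, review(p) or "release")
```

The initiator's own approval is discounted, so a large payout with three names on it is still held if one of them is the person who keyed it in.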

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. $30 MILLION CRYPTO STOLEN - YouTube (Jan 21, 2022)
  2. Crypto.com The Most Secure Crypto Platform Worldwide Adds SOC 2 Compliance (Jan 23, 2022)
  3. Crypto.com Homepage (Jan 22, 2022)
  4. Crypto.com About Page (Jan 22, 2022)
  5. Security - Industry-Leading Security Infrastructure | Crypto.com (Mar 13, 2023)
  6. Crypto.com CEO admits hundreds of customer accounts were hacked - TechCrunch
  7. 2FA compromise led to $34M Crypto.com hack – TechCrunch (Jan 22, 2022)
  8. Formula 1 announce Crypto.com as inaugural global partner of the F1 Sprint series | Formula 1 (Jan 22, 2022)
  9. Crypto.com accidentally transfers $10.5m to woman - TickerNews (Sep 27, 2022)
  10. Crypto.com accidentally transfers $10.5m to woman instead of $100 - TickerNews (May 1, 2023)
  11. Crypto.com accidentally transfers $10.5m to woman instead of $100 : CryptoCurrency (Apr 22, 2023)
  12. Crypto.com goes to court for $10.5m it incorrectly sent to Melbourne woman - HeraldSun Archive August 29th, 2022 6:41:22 PM MDT (May 1, 2023)
  13. Crypto.com goes to court for $10.5m it incorrectly sent to Melbourne woman - HeraldSun (May 1, 2023)
  14. Crypto.com Sues User After Refunding $10M Instead of $100 - Blockworks (Apr 22, 2023)
  15. Crypto.Com Sues A Woman In Australia After Accidentally Issuing Her A Refund of $10M Instead Of $100 - Ethereum World News (Apr 22, 2023)
  16. Cryptocurrency company accidentally transfers $10.5m to Australian woman and doesn’t notice for seven months - The Guardian (Apr 22, 2023)
  17. Crypto firm accidentally gave $10.5M to sisters, now wants their $1.35M house - Ars Technica (Apr 22, 2023)
  18. Crypto.com's $10,000,000 MISTAKE - YouTube (Apr 22, 2023)
  19. Deleted Account - "She should tell them to raise a support ticket and she will get around to actioning it over the next 24 months." - Reddit (May 1, 2023)
  20. hammerandanvilpro - "7 months to realize? Nice accounting" - Reddit (May 1, 2023)
  21. peanutbuttergoodness - "How many flags will be raised when you just try to deposit 10 million into an account? Where would you even do that at?" - Reddit (Apr 22, 2023)