Crypto.com Withdrawals Triggered

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Crypto.com Logo/Homepage

Crypto.com is based in Singapore and is one of the largest cryptocurrency exchanges globally. A vulnerability allowed an attacker to trigger withdrawals without completing the 2FA checks that were intended to be required for a withdrawal.

After the initial confusion, the company eventually acknowledged what had happened and appears to have since compensated all users. The 2FA system has been upgraded, and they have also introduced additional coverage (the APP program) under which they may cover up to $250k of losses.

[1][2][3][4][5][6][7][8][9][10]

About Crypto.com

Crypto.com is a Singapore-based exchange[11] which was founded in 2016[12]. As of November 23rd, 2021, the platform had over 300 employees[11] and served over 10 million customers worldwide[11][12][13].

"CRYPTO.COM EXCHANGE. Trade with confidence on the world’s fastest and most secure crypto exchange." "The World’s Fastest Growing Crypto App" "Buy crypto at true cost. Buy and sell 250+ cryptocurrencies with 20+ fiat currencies using bank transfers or your credit/debit card." "Join 10m+ users buying and selling 250+ cryptocurrencies at true cost. Spend with the Crypto.com Visa Card and get up to 8% back. Grow your portfolio by receiving rewards up to 14.5% on your crypto assets."

Crypto.com shares a strong brand vision for their platform[14].

"Powered by cryptocurrency, the future of the internet: Web3 will be more fair and equitable, owned by the builders, creators and users. You." "We believe it is your basic right to control your money, data and identity."

Like most platforms, they have a full page on their security policies and procedures[15].

"Security First. Always." "Our commitment to our customers is built on trust. We believe that security and data privacy are the foundations of achieving mainstream cryptocurrency adoption."

Crypto.com had recently been pushing hard into the US market with viral advertising stunts, including a campaign featuring actor Matt Damon, and a $700 million purchase of the naming rights to the arena of the Los Angeles Lakers and Clippers[11][16][17]. Crypto.com also has official deals with Formula 1[18], the UFC, the NBA, the Philadelphia 76ers, the NHL, the Montreal Canadiens, and the Australian Football League[11].

Completion of SOC 2 Compliance Scheme

On November 23rd, 2021, Crypto.com announced their SOC 2 compliance. Jason Lau, Chief Information Security Officer of Crypto.com, made a statement at the time[12].

“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement, Crypto.com [recently became] the First Cryptocurrency Platform to Achieve SOC 2 Compliance, ISO27001, ISO27701, PCI:DSS 3.2.1 (Level 1), and Highest “Adaptive” maturity levels for the NIST Cybersecurity Framework and NIST Privacy Framework." Crypto.com "successfully completed the Service Organization Control (SOC) 2 Audit, conducted by globally recognized audit and consulting firm Deloitte, which affirms that Crypto.com’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, confidentiality and privacy."

The Reality

Despite the strong regulatory and security focus, the Crypto.com platform still contained a vulnerability which allowed new withdrawal addresses to be whitelisted without authorization[11][17]. Full details on the nature of this vulnerability are not publicly known[17].

What Happened

Crypto.com suffered a breach where cryptocurrency was withdrawn from multiple customer accounts[11][17].

"On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts."

"Several users of [the] exchange endorsed by Matt Damon in a notorious viral ad complained over the weekend that their funds on the platform had been stolen. Confusion has reigned since then, as the company said no customer funds were stolen in what it vaguely referred to as an “incident" in communications." Complaints had initially only "been met with vague responses from the company".


"On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation."

"On Monday, reports emerged that Crypto.com had halted withdrawals "after a small number of users" experienced suspicious transactions on their accounts. The cryptocurrency exchange has since resumed withdrawals and confirmed that its users' money was "safe," but reports emerged later that it had lost 4.6K ETH ($15 million) and was being laundered using Tornado Cash." "PeckShield claimed in the tweet that about half of the funds were being sent to Tornado Cash to be “washed.” Tornado Cash says it provides “non-custodial anonymous transactions” on the Ethereum blockchain, meaning it can hide where crypto is being sent."


Key Event Timeline - Crypto.com Withdrawals Triggered

January 16th, 2022, 5:01:00 AM MST - Bitcoin Withdrawal Transaction: A large bitcoin withdrawal of 52.55312294 bitcoin is noted originating from Crypto.com[19][20].

January 16th, 2022, 5:46:00 PM MST - Risk Monitoring System Detection: "Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user"[21][22]. Crypto.com reports that this "triggered an immediate response from multiple teams to assess the impact"[22].

January 16th, 2022, 9:44:00 PM MST - Crypto.com Reports Suspicious Activity: Crypto.com posts on Twitter to report that "a small number of users" are "reporting suspicious activity". They state they will be "pausing withdrawals shortly" and that "[a]ll funds are safe"[23].

January 16th, 2022, 11:53:00 PM MST - Reports Unable To Withdraw Funds: Twitter user Dr. Peter Wong reports being unable to withdraw funds from the Crypto.com website[24].

January 17th, 2022, 6:14:00 PM MST - PeckShield Reports Stolen Ethereum: PeckShield posts on Twitter that the total loss is about $15M with at least 4.6K ETH. They also report that half of the stolen ethereum is being washed via the TornadoCash service[25].

January 17th, 2022, 8:17:00 PM MST - Kris Marszalek Publishes Tweet: Crypto.com CEO Kris Marszalek publishes a tweet with "thoughts from me on the last 24 hours", including that "no customer funds were lost", "the downtime of withdrawal infra[structure] was ~14 hours", and "our team has hardened the infrastructure in response to the incident"[26]. He is "particularly happy" about "the support we received from the community both publicly and in DMs" and "the opportunity this incident gave us to further strengthen our setup"[27].

January 17th, 2022, 11:38:00 PM MST - BeInCrypto First Article: BeInCrypto publishes an article reporting that the hack affected a small number of users. According to reports on Twitter, an Ethereum hot wallet was compromised, leading to some customers claiming losses between 2-5 ETH. Crypto.com stated that no funds were compromised, but users expressed their losses on social media. One user, Ben Baller, reported losing 4.25 ETH, equivalent to $13,924 at the time. He discovered that 5,000 ETH, approximately $16 million, had disappeared from an ETH wallet within six hours. Other users also reported similar transfers to new wallets. Crypto.com assured users that no funds were compromised and advised them to reset their two-factor authentication. Withdrawals were temporarily suspended and would be re-enabled after implementing new security measures. The incident was not favorable for Crypto.com, which had recently made significant marketing moves, such as acquiring the naming rights to the former Staples Center and launching the Crypto.com Visa Card. Despite the hack, Crypto.com remains a leader with over 14 million clients and robust security measures in place, including offline cold wallets and insurance for user funds[28].

January 17th, 2022, 8:46:00 PM MST - Investigation Started, Withdrawals Disabled: According to the Crypto.com postmortem, "withdrawals were resumed" at "5:46 PM UTC, 18 January 2022," after 14 hours of downtime[22]. In his interview on Bloomberg TV, CEO Kris Marszalek stated "we paused withdrawals, we fixed it [and] we were back online in about 13/14 hours"[29][30]. His statement on Twitter says "~14 hours"[26]. Based on a simple calculation, that puts the time of withdrawals being disabled close to 3:46 AM UTC on January 18th.

Crypto.com also reports that "withdrawals on the platform were suspended for the duration of the investigation"[22], which suggests that their investigation was also started at this time, which would be approximately 25 hours after initial identification by the risk monitoring system.

January 18th, 2022, 1:36:00 AM MST - 2FA Reset Reported: Twitter user Saint_Pump reports that he was logged out of the Crypto.com application and asked to set up 2FA[31]. It is unclear whether this was a result of the hack or part of the 2FA reset procedure initiated by Crypto.com.

January 18th, 2022, 9:26:00 AM MST - Vice Article Published: Vice publishes their article[32]. They state that several users complained about funds being stolen[33].

January 18th, 2022, 10:46:00 AM MST - Withdrawals Enabled Again: According to the Crypto.com postmortem, "withdrawals were resumed" at this time, after 14 hours of downtime[22].

January 18th, 2022, 1:44:00 PM MST - ErgoBTC Reports Stolen Bitcoin: Twitter user ErgoBTC references the previously reported 4.6k ETH from the Crypto.com breach and reports an additional 444 BTC in suspicious withdrawals also appearing to be withdrawn from Crypto.com. The tweet chain includes a reference to the large bitcoin withdrawal transaction[34][35], an analysis of the path of the funds being laundered[36][37], and other users of the same tumbler services[38]. They note that while there is still no public acknowledgement released by Crypto.com[39], Crypto.com appears to be making customers whole[40].

January 19th, 2022, 8:28:00 AM MST - BeInCrypto Article Released: BeInCrypto releases an updated article on the situation, which includes some backstory and information about the additional withdrawal of bitcoin which was uncovered by ErgoBTC[41].

January 19th, 2022, 9:38:00 AM MST - Bloomberg Live Interview Completed: Crypto.com CEO Kris Marszalek discussed the hack in an interview on Bloomberg Live[30].

January 20th, 2022, 10:14:37 AM MST - Futurism Article Released: An article by Futurism is critical of the decentralized finance space, citing the hack, which adds to the growing trend of crypto exchange hacks, with losses reaching a record-breaking $14 billion in 2021[42]. The rise of decentralized finance (DeFi) platforms, which grew by 912 percent in 2021, is a significant factor driving this trend[42]. However, the rush to replicate traditional banking on these platforms has led to sloppy security practices, leaving them vulnerable to hacks[42]. Despite the risks, investors continue to be drawn to the promise of huge gains, contributing to the ongoing problem[42]. The Crypto.com hack serves as a reminder that DeFi platforms need to prioritize security to avoid further losses and maintain investor confidence[42].

January 19th, 2022, 10:15:00 AM MST - TheBlock Article Released: An article is released on TheBlock in which the CEO of Crypto.com addresses the hack[29]. Crypto.com CEO Kris Marszalek has confirmed that approximately 400 accounts were compromised in a recent security breach. However, he assured customers that their funds were not in danger and stated that the stolen funds were not significant to the overall business. A report released by Crypto.com revealed that a total of $33.8 million worth of cryptocurrencies, including Ethereum, Bitcoin, and other digital assets, were stolen during the breach. In response to the attack, Crypto.com plans to enhance its security infrastructure by implementing a Worldwide Account Protection Program (WAPP). The program will include additional security measures such as protection against phishing attacks and the introduction of a multi-factor authentication system. Marszalek emphasized that the company quickly halted the unauthorized withdrawals, paused withdrawals, resolved the issue, and restored affected accounts within approximately 13 to 14 hours. He also mentioned that all affected customer accounts were fully reimbursed on the same day. The exact monetary value of the theft has not been confirmed yet, as Crypto.com is still conducting a post-mortem investigation into the security breach. However, Marszalek downplayed the financial impact of the incident, considering the size of the business[29]. The article is referenced by ErgoBTC as Crypto.com "com[ing] clean"[43].

January 19th, 2022, 3:07:59 PM MST - CoinTelegraph Article Released: An article released on CoinTelegraph "3 HOURS AGO" provides a loss estimate of $33m. It mostly repeats the information in ErgoBTC's post. CoinTelegraph reports that they reached out to Crypto.com but did not receive any response as of their publishing time[44].

January 20th, 2022, 1:24:07 AM MST - Crypto.com Releases Post-Mortem: Crypto.com releases a post-mortem on their website prior to 1:24:07 AM[22]. The post-mortem calls the situation "the 17th of Jan security incident", which triggered "an immediate response from multiple teams", and confirms that "withdrawals on the platform were suspended for the duration of the investigation". It totals the amount lost, provides a rough timeline of some key events, and announces their new "Worldwide Account Protection Program (WAPP)"[22].

January 20th, 2022, 4:05:19 AM MST - Engadget Releases Article: Engadget reports that Crypto.com has disclosed that a total of 483 accounts were affected in a recent hack, resulting in the loss of approximately $34 million[45]. The unauthorized withdrawals included 4,836.26 ETH, 443.93 BTC, and around $66,200 in other currencies. Initially, estimates from security analytics and research firms suggested losses ranging from $15 million to $33 million. The company's risk monitoring systems detected unauthorized activity where transactions were approved without two-factor authentication for a small number of accounts, prompting the exchange to pause withdrawals and implement enhanced security measures. Crypto.com revoked all customer 2FA tokens, introduced additional security protocols, and plans to transition to true Multi-Factor Authentication (MFA) in the future. They are also launching the Worldwide Account Protection Program (WAPP) on February 1st, which can restore up to $250,000 for participating users in case of unauthorized access to their accounts. Users must meet certain criteria and follow specific procedures to qualify for the program[45].

January 20th, 2022, 6:13:00 AM MST - ErgoBTC Reports Post-Mortem: Researcher ErgoBTC reports on the Crypto.com post-mortem[46], referencing a screenshot of the Crypto.com website.

January 20th, 2022, 7:38:47 AM MST - Crypto.com Fixes Post-Mortem Title: The original post-mortem lacked a title[22], which Crypto.com subsequently fixed with an update that happened at some point between 5:38:21 AM MST[47] and 7:38:47 AM MST[48].

January 20th, 2022, 11:13 AM MST - TechCrunch Article Released: TechCrunch releases their article covering the breach with information from Crypto.com's post-mortem report[17].

January 20th, 2022, 3:15:00 PM MST - CBS News MoneyWatch Report: CBS News reports that Crypto.com revealed that cybercriminals breached its security systems and stole over $30 million in bitcoin and ethereum earlier in the week[49]. The hackers bypassed the platform's two-factor authentication system, withdrawing funds from 483 customer accounts[49]. The company reimbursed all affected customers and detailed the hack in a blog post, but did not identify the hackers[49]. The delayed public statement raised concerns, especially after reports of suspicious activity surfaced days before[49]. The incident also questioned the reliability of two-factor authentication, prompting Crypto.com to migrate to a new authentication infrastructure[49]. As a result, shares of Crypto.com fell over 6% following the breach[49]. A discussion video covers the market sentiment at the time[49].

January 20th, 2022, 7:00:37 PM MST - Crypto.com Renames Protection Program: The original post-mortem announced a protection program called WAPP (Worldwide Account Protection Program)[22][50]. A subsequent update between 0:59:54 UTC and 2:00:37 UTC renamed this program to APP (Account Protection Program)[51].

January 21st, 2022, 3:27:09 AM MST - Currencies Typo Fixed: The post-mortem is once again revised, this time to correct a typo where the original post-mortem stated that "approximately US$66,200 in other currencies" were lost[22][52], as opposed to the proper wording of "approximately US$66,200 in other cryptocurrencies"[53].

January 21st, 2022, 4:15:01 PM MST - Andrei Jikh Video Uploaded: Well-known YouTuber Andrei Jikh uploads a video about the breach. In this video, he indicates that the funds are presently being laundered through TornadoCash[11].

January 26th, 2022, 1:22:00 PM MST - Zaky Not Reimbursed: Twitter user Zaky reports that they were not reimbursed[54][55].

February 1st, 2022 - WAPP Program Launches: Crypto.com launched the Worldwide Account Protection Program (WAPP) on February 1st, which can restore up to $250,000 for participating users in case of unauthorized access to their accounts[45].

February 18th, 2022, 10:12 AM MST - Scott Weaver Not Reimbursed: Twitter user Scott Weaver reports still having not received any reimbursement for his lost funds[56][57].

Total Amount Lost

The unauthorized withdrawals included 4,836.26 ETH, 443.93 BTC, and around $66,200 in other currencies[22]. Initial estimates from security analytics and research firms suggested losses ranging from $15 million to $33 million[22][45].

Reported Losses By Source

| Source | Date | Ethereum | Bitcoin | Other | Customers | Total |
|---|---|---|---|---|---|---|
| PeckShield[25] | Jan 16th | 4600 ETH | | | | $15 million USD |
| ErgoBTC[39] | Jan 18th | 4600 ETH | 444 BTC | | | |
| CoinTelegraph[58] | Jan 19th | 4600 ETH | 444 BTC | | | $33 million USD |
| Crypto.com[22] | Jan 20th | 4836.26 ETH | 443.93 BTC | $66,200 USD | | $34 million USD |
| TechCrunch[17] | Jan 20th | $15 million USD | $19 million USD | $66,200 USD | 483 | |
| Futurism[42] | Jan 20th | | | | | $30 million USD |
| Andrei Jikh[11] | Jan 21st | 4836 ETH | 443 BTC | | 400 | $30 million USD |

The total amount lost has been estimated at $34,358,000 USD.

Immediate Reactions

The company's risk monitoring systems detected unauthorized activity where transactions were approved without two-factor authentication for a small number of accounts, prompting the exchange to pause withdrawals and implement enhanced security measures[45]. Crypto.com revoked all customer 2FA tokens, introduced additional security protocols, and plans to transition to true Multi-Factor Authentication (MFA) in the future[45].

The event was quickly covered by many media sources.

Crypto.com experienced a hack that affected a small number of users. According to reports on Twitter, an Ethereum hot wallet was compromised, leading to some customers claiming losses between 2-5 ETH. Crypto.com stated that no funds were compromised, but users expressed their losses on social media. One user, Ben Baller, reported losing 4.25 ETH, equivalent to $13,924 at the time. He discovered that 5,000 ETH, approximately $16 million, had disappeared from an ETH wallet within six hours. Other users also reported similar transfers to new wallets[28].

Crypto.com assured users that no funds were compromised and advised them to reset their two-factor authentication. Withdrawals were temporarily suspended and would be re-enabled after implementing new security measures. The incident was not favorable for Crypto.com, which had recently made significant marketing moves, such as acquiring the naming rights to the former Staples Center and launching the Crypto.com Visa Card. Despite the hack, Crypto.com remains a leader with over 14 million clients and robust security measures in place, including offline cold wallets and insurance for user funds[28].

Online Media Coverage

In an article published on The Block, Crypto.com CEO Kris Marszalek has confirmed that approximately 400 accounts were compromised in a recent security breach[29]. However, he assured customers that their funds were not in danger and stated that the stolen funds were not significant to the overall business[29]. A report released by Crypto.com revealed that a total of $33.8 million worth of cryptocurrencies, including Ethereum, Bitcoin, and other digital assets, were stolen during the breach[29]. In response to the attack, Crypto.com plans to enhance its security infrastructure by implementing a Worldwide Account Protection Program (WAPP)[29]. The program will include additional security measures such as protection against phishing attacks and the introduction of a multi-factor authentication system[29]. Marszalek emphasized that the company quickly halted the unauthorized withdrawals, paused withdrawals, resolved the issue, and restored affected accounts within approximately 13 to 14 hours[29]. He also mentioned that all affected customer accounts were fully reimbursed on the same day[29]. The exact monetary value of the theft has not been confirmed yet, as Crypto.com is still conducting a post-mortem investigation into the security breach[29]. However, Marszalek downplayed the financial impact of the incident, considering the size of the business[29].

The hack of Crypto.com was also covered by Futurism, which called it a DeFi platform, and compared it to the growing trend of crypto exchange hacks, with losses reaching a record-breaking $14 billion in 2021[42]. The rise of decentralized finance (DeFi) platforms, which grew by 912 percent in 2021, is a significant factor driving this trend. However, the rush to replicate traditional banking on these platforms has led to sloppy security practices, leaving them vulnerable to hacks[42]. Despite the risks, investors continue to be drawn to the promise of huge gains, contributing to the ongoing problem[42]. The Crypto.com hack serves as a reminder that DeFi platforms need to prioritize security to avoid further losses and maintain investor confidence[42].

Bloomberg TV Event Coverage

Crypto.com's CEO later appeared on Bloomberg TV and explained the company's response.

The last 48 hours activity. What happened here? What was behind this hack?

Alright, so, first and foremost, umm, we invest very heavily in cybersecurity. We have over 200 professionals around the world who've collectively spent the last few years building a very robust infrastructure. And we call it defense in depth. There are multiple layers, and in this particular incident, some of these, uhh, layers were breached, which resulted in about, 400 accounts, umm, having unauthorized transactions, alright. We very quickly stopped it. We paused withdrawals. We fixed it. We were back, umm, online, in about 13/14 hours, and during the same day all the accounts that were affected were fully reimbursed, so there was no loss of customer funds. Uhh, obviously, you know, it's a very great lesson, and, uhh, I mean we are continuously strengthening our infrastructure.

One outside analyst estimates $15 million dollars was lost. I saw another estimate as high as $33m. Can you give us a number?

Alright, we are still working on a post-mortem for the incident, and it's gonna be posted on, uhh, on our blog, in the next couple of days. Uhh, so I'll, uhh, leave the final numbers, till, umm, till that report. And, in any case, uhh, one has to remember that, given the scale of the business that I have, these numbers are not particularly material, and customer funds were never at risk.

So, I'm curious. Traders reported being suspicious.

“We very quickly stopped it, we paused withdrawals, we fixed it [and] we were back online in about 13/14 hours and during the same day, all the accounts that were affected were fully reimbursed, so there was no loss of customer funds,” Marszalek stated, during the interview.

CBS News Coverage

CBS News reports that Crypto.com revealed that cybercriminals breached its security systems and stole over $30 million in bitcoin and ethereum earlier in the week[49]. The hackers bypassed the platform's two-factor authentication system, withdrawing funds from 483 customer accounts[49]. The company reimbursed all affected customers and detailed the hack in a blog post, but did not identify the hackers[49]. The delayed public statement raised concerns, especially after reports of suspicious activity surfaced days before[49]. The incident also questioned the reliability of two-factor authentication, prompting Crypto.com to migrate to a new authentication infrastructure[49]. As a result, shares of Crypto.com fell over 6% following the breach. A discussion video covers the market sentiment at the time[49].


"Crypto.com first paused withdrawals on its platform on Sunday after noting via Twitter that a “small number of users [are] reporting suspicious activity on their accounts.” It also asked customers to reset their two-factor authentication out of “an abundance of caution.”" "The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred." "The site suspended all withdrawals for 14 hours to investigate the issue."

"The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized."

"ErgoBTC tweeted on Tuesday suggesting that another 444 BTC ($18.5 million) had been stolen from Crypto.com's payout wallet. ErgoBTC said that OXT Research discovered a suspicious transaction of 52.55 BTC ($2.18 million) from Crypto.com's custodial wallet."

"Following the transaction, “several hundred withdrawals” were made which were then combined into four outputs worth 67.75 BTC ($2.81 million) each, as per ErgoBTC. The four batches amounted to 271 BTC ($11.25 million), all of which were laundered via Bitcoin tumbler — a service that allows customers to combine several transactions and make it more difficult for investigators to trace Bitcoin transfers." "The Bitcoin tumbler allegedly utilized by the alleged perpetrators to wash the 271 BTC is a well-known tool employed by the North Korean cybercrime syndicate, Lazarus."

"The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement."

"According to ErgoBTC, the criminals behind the Crypto.com security breach also controlled another address holding 172.9 BTC ($7.25 million). Blockchair data reveals that the address received the funds at about the same time as the other transactions linked to the Crypto.com hack. However, as of the publishing of this article, the purported hacker has not transferred the funds through a bitcoin tumbling service yet."

"Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022." "In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure."


Kris Marszalek, Co-founder and CEO of Crypto.com, released a statement on the post-mortem[22].

“The safety of our customers’ funds is our highest priority, and we are continually enhancing our Defence-in-Depth security and protection measures. While we are reminded of the existence of bad actors intent on committing fraud, this new Worldwide Account Protection Program, along with our new MFA infrastructure, gives our users unprecedented protection of their funds, and hopefully, peace of mind.”

Ultimate Outcome

Customers Reportedly Made Whole

Crypto.com reportedly made all customers whole[11][17][40][59]. However, several customers have publicly reported not receiving back anything[54][55][56][57][60].

They have not even come close to paying back all funds. To this date I have yet to get back anything. All I get everyday is the same BS...please send picture of you holding a sign with today[']s date. I have been doing this for over a month with nothing. They took everything.

Lost my crypto money still can’t log in

Me too...em[ai]l was swapped and they play with us stupid game that we use wrong email. Yes we are stupid cows[. W]e cant remember email.

Funds Laundered Through TornadoCash

Stolen funds were laundered through TornadoCash[11].

Crypto.com Strengthening Security

"Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized."

"The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change."

"Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services."

"Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base."
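The controls quoted above (MFA verified on the server for each withdrawal, a whitelisted destination address that cannot be used until 24 hours after registration, and a notification when an address is added) can be modelled as one authorization check. The following is an added example written for this case study, not Crypto.com's code: the names WithdrawalPolicy and Account, the per-account TOTP seed, the fixed clock and the balances are all constructed for illustration. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

WHITELIST_DELAY_SECONDS = 24 * 60 * 60   # the 24-hour delay described above
TOTP_STEP = 30                           # RFC 6238 time step
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** TOTP_DIGITS)
    return f"{code:0{TOTP_DIGITS}d}"


@dataclass
class Account:
    mfa_secret: bytes                                    # hypothetical per-account TOTP seed
    balance: int
    whitelist: dict = field(default_factory=dict)        # address -> registered_at (unix time)
    notifications: list = field(default_factory=list)    # messages the user would receive


class WithdrawalPolicy:
    """Server-side withdrawal gate; `clock` is injectable so the 24h rule can be exercised."""

    def __init__(self, clock):
        self.clock = clock

    def whitelist_address(self, acct: Account, address: str) -> None:
        acct.whitelist[address] = self.clock()
        # Notify on registration, so an unauthorized addition is visible before it can be used.
        acct.notifications.append(
            f"Withdrawal address {address} added; first withdrawal possible after 24h. "
            "Contact support if you did not authorize this.")

    def mfa_ok(self, acct: Account, code: str, now: int) -> bool:
        # Reject malformed input before any comparison.
        if len(code) != TOTP_DIGITS or not code.isdigit():
            return False
        # Allow one step of clock skew either side. The check happens here, on the server,
        # for this request; a client-supplied "2FA passed" flag is never trusted.
        return any(hmac.compare_digest(totp(acct.mfa_secret, now + d), code)
                   for d in (-TOTP_STEP, 0, TOTP_STEP))

    def authorize(self, acct: Account, address: str, amount: int, code: str):
        now = self.clock()
        if not self.mfa_ok(acct, code, now):
            return (False, "mfa_failed")
        registered_at = acct.whitelist.get(address)
        if registered_at is None:
            return (False, "address_not_whitelisted")
        if now - registered_at < WHITELIST_DELAY_SECONDS:
            return (False, "whitelist_delay_active")
        if amount <= 0 or amount > acct.balance:
            return (False, "invalid_amount")
        acct.balance -= amount
        return (True, "approved")


def demo():
    """Walk a constructed account through the checks; returns (outcomes, account)."""
    clock = [1_700_000_000]                     # constructed fixed timestamp
    policy = WithdrawalPolicy(lambda: clock[0])
    acct = Account(mfa_secret=b"constructed-demo-seed", balance=100)
    policy.whitelist_address(acct, "addr-A")
    results = []
    results.append(policy.authorize(acct, "addr-A", 10, totp(acct.mfa_secret, clock[0])))  # too early
    clock[0] += WHITELIST_DELAY_SECONDS
    results.append(policy.authorize(acct, "addr-A", 10, "x"))                               # bad MFA
    results.append(policy.authorize(acct, "addr-A", 10, totp(acct.mfa_secret, clock[0])))  # approved
    results.append(policy.authorize(acct, "addr-B", 10, totp(acct.mfa_secret, clock[0])))  # not listed
    return results, acct


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The order of checks matters: MFA is evaluated first so that a request with no valid second factor learns nothing about the whitelist, and the delay is measured against the server's own registration timestamp rather than anything the client sends.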

Account Protection Program

They are also launching the Worldwide Account Protection Program (WAPP) on February 1st, which can restore up to $250,000 for participating users in case of unauthorized access to their accounts[45]. Users must meet certain criteria and follow specific procedures to qualify for the program[45]. "Crypto.com is introducing the worldwide Account Protection Program (APP). APP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange." "APP restores funds up to USD$250,000 for qualified users; terms & conditions apply." "Crypto.com will make the final determination of eligibility requirements and approval of claims. APP will begin rolling out in select markets starting 1 February 2022."

According to TechCrunch, the program is called WAPP (WorldWide Account Protection Program). They summarized the terms and conditions for users[17].

Crypto.com also announced in its statement today that it will be introducing the Worldwide Account Protection Program (WAPP) in “select markets” starting on February 1, a program that will restore funds up to $250,000 for “qualified users” in cases where an unauthorized withdrawal occurs. To qualify for the program, users must enable multi-factor authentication on all transaction types where it is available, set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a questionnaire to support a forensic investigation, and not be using a jailbroken device, according to the company.

Total Amount Recovered

"Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday." "Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts." "The exchange said that in most cases it “prevented the unauthorized withdrawal,” and added that in the other cases it reimbursed customers for their losses."


The total amount recovered has been estimated at $34,358,000 USD.

Ongoing Developments

“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. There were no customer losses in this case, as the funds which were able to be stolen were a very small fraction of the available funds on the platform, and Crypto.com has agreed to compensate for any losses.

Were the losses more substantial, users may not have been as lucky.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Further independent validation of the two-factor authentication system would prevent this situation, and an industry fund can ensure victims are compensated in even more situations.

Further Review of 2FA System

All security aspects should be validated by an expert. The risk could have been reduced by holding fewer funds in the hot wallet, and more in a cold storage wallet requiring multiple signatures on withdrawals.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Handling of Exploit Losses

Programs like the new APP work well if there is an agreement over the loss, and nothing happens to the Crypto.com platform. Crypto.com has an incentive to cover losses where the value of the customer relationship and reputation damage is greater than the amount lost, as long as they are still operating. An industry insurance fund would act in a more impartial and permanent capacity.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Further independent validation of the two-factor authentication system would prevent this situation, and an industry fund can ensure victims are compensated in even more situations.

Improved 2FA Security Standards

Third party validation can help establish standards and ensure that platforms have the right safeguards in place to prevent unauthorized withdrawals. There may be opportunities to add additional factors of protection.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Handling of Exploit Losses

Programs like the new APP work well if there is an agreement over the loss, and nothing happens to the Crypto.com platform. Crypto.com has an incentive to cover losses where the value of the customer relationship and reputation damage is greater than the amount lost, as long as they are still operating. An industry insurance fund would act in a more impartial and permanent capacity.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
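The release rule described here and in the Platform Prevention Policies section above (seven delegate signatories, funds released on 4 or more approvals) can be checked mechanically. The following is an added example for this case study, not code from any real industry fund: each delegate's approval is an HMAC-SHA256 over a canonical encoding of the proposal, standing in for the on-chain signature a real multi-signature wallet would use, so that the example runs offline with the standard library. The delegate names, secrets, proposal id and amounts are constructed.

```python
import hashlib
import hmac
import json

THRESHOLD = 4            # "a vote of 4 or more delegate signatures"
DELEGATE_COUNT = 7       # "seven prominent platforms and services"


def canonical(proposal: dict) -> bytes:
    """Stable byte encoding so every delegate approves exactly the same proposal."""
    return json.dumps(proposal, sort_keys=True, separators=(",", ":")).encode()


def approve(delegate_secret: bytes, proposal: dict) -> str:
    """A delegate's approval: HMAC-SHA256 over the canonical proposal (stand-in for a signature)."""
    return hmac.new(delegate_secret, canonical(proposal), hashlib.sha256).hexdigest()


class IndustryFund:
    def __init__(self, delegate_secrets: dict, balance: int):
        if len(delegate_secrets) != DELEGATE_COUNT:
            raise ValueError("expected one secret per delegate")
        self.delegate_secrets = delegate_secrets   # name -> secret; held separately in practice
        self.balance = balance
        self.settled = set()                       # proposal ids already paid; blocks replay

    def valid_approvers(self, proposal: dict, approvals) -> set:
        """Distinct delegates whose approval verifies for this exact proposal."""
        approvers = set()
        for name, mac in approvals:
            secret = self.delegate_secrets.get(name)
            if secret is None:
                continue                           # unknown signer does not count
            if hmac.compare_digest(approve(secret, proposal), mac):
                approvers.add(name)                # the same delegate twice collapses to one
        return approvers

    def release(self, proposal: dict, approvals):
        pid = proposal["id"]
        if pid in self.settled:
            return (False, "already_settled")
        approvers = self.valid_approvers(proposal, approvals)
        if len(approvers) < THRESHOLD:
            return (False, f"approvals:{len(approvers)}")
        if proposal["amount"] > self.balance:
            return (False, "insufficient_fund_balance")
        self.balance -= proposal["amount"]
        self.settled.add(pid)
        return (True, "released")


def demo():
    """Constructed walk-through; returns (outcomes, fund)."""
    secrets = {f"delegate{i}": f"constructed-secret-{i}".encode() for i in range(1, 8)}
    fund = IndustryFund(secrets, balance=1_000_000)
    proposal = {"id": "breach-0001", "recipient": "victim-platform", "amount": 250_000}
    names = list(secrets)
    outcomes = []
    three = [(n, approve(secrets[n], proposal)) for n in names[:3]]
    outcomes.append(fund.release(proposal, three))                  # below threshold
    outcomes.append(fund.release(proposal, three + [three[0]]))     # same delegate twice
    four = [(n, approve(secrets[n], proposal)) for n in names[:4]]
    tampered = dict(proposal, amount=900_000)
    outcomes.append(fund.release(tampered, four))                   # approvals bind the amount
    outcomes.append(fund.release(proposal, four))                   # released
    outcomes.append(fund.release(proposal, four))                   # replay blocked
    return outcomes, fund


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

Two details carry most of the value: approvals are bound to the full proposal (recipient and amount), so a proposal altered after signing collects zero valid approvals, and a settled proposal id cannot be presented a second time to drain the fund with the same four approvals.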

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Crypto.com Admits $35 Million Hack - Forbes (Jan 23, 2022)
  2. Crypto.com admits over $30 million stolen by hackers - The Verge (Jan 23, 2022)
  3. Crypto.com shares details on security breach: 483 accounts compromised - CoinTelegraph (Jan 23, 2022)
  4. Crypto.com - "Following the 17th of Jan security incident, we are sharing our findings below, together with enhancements we’ve made to our security infrastructure and the introduction of the Worldwide Account Protection Program." - Twitter (Accessed Jan 23, 2022)
  5. Crypto exchange users report ‘suspicious activity’ and 5 other important updates to know in the space - CNBC (Jan 23, 2022)
  6. Rekt - Crypto.com - REKT (Feb 8, 2022)
  7. Cryptocurrency heists are getting more ambitious — and costlier to investors - CBS News (Nov 30, 2022)
  8. https://blog.crypto.com/crypto-com-security-report-next-steps/
  9. https://futurism.com/the-byte/staples-center-crypto-com-arena
  10. https://futurism.com/the-byte/crypto-ad-matt-damon
  11. $30 MILLION CRYPTO STOLEN - YouTube (Jan 21, 2022)
  12. Crypto.com The Most Secure Crypto Platform Worldwide Adds SOC 2 Compliance (Jan 23, 2022)
  13. Crypto.com Homepage (Jan 22, 2022)
  14. Crypto.com About Page (Jan 22, 2022)
  15. Security - Industry-Leading Security Infrastructure | Crypto.com (Mar 13, 2023)
  16. Crypto.com CEO admits hundreds of customer accounts were hacked - TechCrunch
  17. 2FA compromise led to $34M Crypto.com hack – TechCrunch (Jan 22, 2022)
  18. Formula 1 announce Crypto.com as inaugural global partner of the F1 Sprint series | Formula 1 (Jan 22, 2022)
  19. 52.55312294 Bitcoin Withdrawal Transaction From Crypto.com - OXT Research (Jan 23, 2022)
  20. 52.55312294 Bitcoin Withdrawal Transaction From Crypto.com - Blockchain.com (Mar 16, 2023)
  21. Crypto.com Security Report & Next Steps - Crypto.com (Jan 23, 2022)
  22. Crypto.com Security Report & Next Steps - Crypto.com - Jan 20, 2022 (Mar 20, 2023)
  23. Crypto.com - "We have a small number of users reporting suspicious activity on their accounts. We will be pausing withdrawals shortly, as our team is investigating. All funds are safe." - Twitter (Jan 23, 2022)
  24. Dr. Peter Wong - "trying to withdraw money from their site, and it is being repeatedly denied" - Twitter (Mar 29, 2023)
  25. PeckShield - "The @cryptocom loss is about $15M with at least 4.6K ETHs" - Twitter (Jan 23, 2022)
  26. Kris Marzalek - "Some thoughts from me on the last 24 hours" - Twitter (Jan 23, 2022)
  27. Kris Marzalek - "the support we received from the community both publicly and in DMs" - Twitter (Mar 30, 2023)
  28. Crypto.com Hot Wallet Hacked, No Funds Lost Says the Exchange - BeInCrypto (Jun 29, 2023)
  29. "Crypto.com CEO acknowledged the hack but said customer funds were not in any danger" "the funds stolen were immaterial to the business" - TheBlock (Mar 16, 2023)
  30. BloombergLive - "CEO @cryptocom’s Kris Marszalek discusses the site's recent hack" - Twitter (Mar 22, 2023)
  31. Saint_Pump - "got logged out of the app and then asked to set up a 2fa as if I had never done it" - Twitter (Mar 29, 2023)
  32. Crypto.Com Says Alleged $15 Million Hack Was Just an 'Incident' - Vice (Mar 30, 2023)
  33. Crypto.com Says Alleged $15 Million Hack Was Just an 'Incident' (Jan 23, 2022)
  34. 52.55312294 Bitcoin Withdrawal Transaction From Crypto.com - OXT.me (Mar 16, 2023)
  35. ErgoBTC - "We noted this abnormally large withdrawal" - Twitter (Mar 16, 2023)
  36. ErgoBTC - "The 271 BTC then make a series 24 or 25 BTC deposits" - Twitter (Mar 16, 2023)
  37. ErgoBTC - Analysis Of Funds Laundering - OXT.me (Mar 16, 2023)
  38. ErgoBTC - "This tumbler has been commonly used in hacks attributed to the DPRK Lazarus Group" - Twitter (Mar 16, 2023)
  39. ErgoBTC - "Still no acknowledgement of loss, despite large outflows from the custodial wallet" - Twitter (Jan 23, 2022)
  40. ErgoBtc - "Great that crypto dot com appears to be making its users whole" - Twitter (Mar 16, 2023)
  41. Lost Funds From Crypto.com Hack Now Exceed $33M - BeInCrypto (Mar 29, 2023)
  42. WILDLY OVERCONFIDENT CRYPTO.COM BROS ADMIT THAT HACKERS STOLE $30 MILLION OF ITS MONEY - Futurism (Accessed Apr 12, 2024)
  43. ErgoBTC - "BREAKING: Custodial Crypto Bank comes clean. Renegs on previous denial of security event and loss of funds after viral social media posts by blockchain analysts." - Twitter (Jun 29, 2023)
  44. Crypto.com breach may be worth up to $33M, suggests onchain analyst (Jan 23, 2022)
  45. Crypto.com loses $34 million in hack that affected 483 accounts - EnGadget (Jun 30, 2023)
  46. ErgoBTC - Crypto.com Post-Mortem - Twitter (May 20, 2023)
  47. Crypto.com Security Report & Next Steps - Jan 20th 12:38:21 PM UTC - Crypto.com (Mar 21, 2023)
  48. Crypto.com Security Report & Next Steps - Jan 20th 2:38:47 PM UTC - Crypto.com (Mar 21, 2023)
  49. Crypto.com says hackers stole more than $30 million in bitcoin and ethereum - CBS News (Oct 6, 2023)
  50. Crypto.com Security Report & Next Steps - Crypto.com - January 21st 00:59:54 UTC (Mar 28, 2023)
  51. Crypto.com Security Report & Next Steps - Crypto.com - January 21st 02:00:37 UTC (Mar 28, 2023)
  52. Crypto.com Security Report & Next Steps - Crypto.com - January 21st 08:14:03 UTC (Mar 28, 2023)
  53. Crypto.com Security Report & Next Steps - Crypto.com - January 21st 10:27:09 UTC (Mar 28, 2023)
  54. Zaky - "No they didnt...I am one of them." - Twitter (Mar 22, 2023)
  55. Zaky - "em[ai]l was swapped and they play with us stupid game that we use wrong email." - Twitter (Mar 22, 2023)
  56. Scott Weaver - "I am still without reimbursement..." - Twitter (Mar 22, 2023)
  57. Scott Weaver - "They have not even come close to paying back all funds. To this date I have yet to get back anything." - Twitter (Mar 22, 2023)
  58. Crypto.com breach may be worth up to $33M, suggests onchain analyst - CoinTelegraph (Mar 20, 2023)
  59. Sim1More - "Paying back all funds in full is definitely a great start and @cryptocom did it!" - Twitter (Mar 22, 2023)
  60. Lawrence - "Lost my crypto money still can’t long in" - Twitter (Mar 22, 2023)