Crypto.com says hackers stole more than $30 million in bitcoin and ethereum

Crypto.com said Thursday that cybercriminals had breached its security systems earlier in the week and made off with more than $30 million in stolen bitcoin and ethereum.

The cryptocurrency exchange Crypto.com, known for its viral commercial starring Matt Damon as well as its recent $700 million deal to rename the Staples Center in Los Angeles as Crypto.com Arena, said the hackers managed to bypass its two-factor authentication system and withdraw the funds from 483 customer accounts, according to a statement the Singapore-based crypto exchange posted Thursday on its corporate blog

“Unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies,” the company said in the post. 

That works out to around $15 million and $19 million in ethereum and bitcoin, respectively, based on current exchange rates. All customers have been “fully reimbursed” for any lost funds as a result of the hack, Crypto.com said.

The blog statement serves as a postmortem of the hack, which the company said happened Monday. It provides details of the event and the company’s detection and response to the cyber breach, as well as its “next steps,” but it does not offer information on the identity of the hackers behind the breach. 

The timing of Crypto.com’s public statement, a full three days after the hack, is viewed by many as belated confirmation. According to an article from CoinDesk on Wednesday, about 4,600 etherium that was reportedly stolen from Crypto.com was “currently being laundered via Tornado Cash — an Etherium Mixer.” Thursday’s blog post also followed a Bloomberg interview Wednesday with Crypto.com Chief Executive Kris Marszalek, in which the CEO acknowledged that approximately 400 customer accounts were hacked.

“Given the scale of the business, these numbers are not particularly material and customer funds were not at risk,” the CEO told Bloomberg.

Reports of “suspicious activity”

The company first acknowledged something unusual was up in a January 16 tweet in which it announced the temporary suspension of withdrawals following user reports of “suspicious activity on their accounts.” 

“We will be pausing withdrawals shortly, as our team is investigating. All funds are safe,” the company said.

The company’s claim that “All funds are safe” was quickly challenged by customers, most notably Los Angeles-based jeweler Ben Baller, who immediately tweeted back, “I messaged yah guys hours ago about my account having 4.28ETH stolen out of nowhere and I’m also wondering how they got passed the 2FA?”

2FA called into question

Two-factor authentication, or 2FA, is the multistep security system that requires users to provide two distinct forms of identification, such as a one-time passcode in addition to a password, when logging into an online account. The commonly used security measure provides an extra layer of protection against weak passwords such as, say, a surname followed by “123.” While used by industries across the board, 2FA is considered a must for digital currency accounts. Monday’s breach, however, brings into question the reliability of 2FA in keeping digital assets safe from hackers.

For now, Crypto.com says it is sticking with 2FA, but not for long. 

Upon discovery of the breach, the company “revoked all customer 2FA tokens” and used the 14 hours of downtime from withdrawal activity to “revamp,” according to the statement. Customers were then “migrated to a completely new 2FA infrastructure,” as an additional security measure. 

That is only temporary, however, as the company says it plans to ditch 2FA for “true Multi-Factor Authentication (MFA), providing added strength for our global user base.”

Shares of Crypto.com have fallen more than 6% since news of the security breach, closing Thursday at 46 cents a share.