Crypto.com was hacked, and the hackers walked away with over $30 million in cryptocurrencies. According to Crypto.com, the hackers gained access to 483 user accounts and performed a series of unauthorized withdrawals. The hackers managed to withdraw around 4,836.26 Ethereum (worth $13-$15 million), 443.93 Bitcoin ($16-$19 million), and $66,200 in other currencies.
Kris Marszalek, Crypto.com's CEO, said in a statement that all the victims have been reimbursed, though the details of the heist have not been shared. This is rather concerning, as the total amount stolen exceeds the estimates of industry analysts.
The hackers managed to bypass Crypto.com's two-factor authentication mandate, which requires a second form of authentication for anyone to perform a withdrawal.
Marszalek was not able to explain how the hackers were able to clear transactions without inputting that second factor, though he stressed that the company had revoked all existing 2FA tokens in response to the incident. All account holders were told to set up a new 2FA token to regain access to their wallets.
After the theft took place, Crypto.com halted all withdrawals for 14 hours and rolled out new security measures to prevent another incident in the future. In addition, account holders who change their withdrawal address will be required to wait 24 hours before making another withdrawal. This will create a window in which someone can respond if that change was not authorized.
A Worldwide Account Protection Program (WAPP) has been introduced by Crypto.com to help restore trust with customers. It will go live in select markets from February 1 and allow eligible customers to get reimbursed for up to $250,000 in the case of another theft. These customers will be required to enable multi-factor authentication for all transactions, establish an anti-phishing code, and file a police report in the wake of the event. They will also be required to fill out a forensic questionnaire, and cannot use a jailbroken device to access their account.
Crypto.com plans to implement MFA as a default security standard for its platform, though there is no set time frame for it. In the meantime, third-party security firms are investigating the company's security measures. Various cryptocurrency exchanges have implemented biometric onboarding and authentication in the past few years. Emirex and Impily have teamed up with iDenfy, while Simplex and Bitex recently partnered with Onfido.