Tuesday, September 26

How they managed to hack Crypto.com and steal more than 800 BTC

Key facts:
  • The exchange’s losses amount to more than $30 million.

  • Following the hack, the exchange changed its entire two-factor authentication infrastructure.

On Monday, January 17, news broke that the Crypto.com exchange had been the victim of a hack. The first reports indicated that the platform had detected unauthorized withdrawals from several users, which led the company to suspend all withdrawals for a period of 14 hours while “they investigated what happened.”

It was originally reported that about 4,500 ETH had been stolen from a few hundred accounts. But a more recent report points out that 443 BTC (about USD 17 million) plus USD 66 thousand in other cryptocurrencies must be added to the total, bringing the approximate losses from the hack to more than USD 30 million.

The company’s handling of the theft drew quite a bit of attention. Although it reimbursed the stolen funds of the 483 affected users, it has been reluctant to acknowledge what happened. Initially, the theft was described as “suspicious activity”, implying that there was nothing to worry about.


Another aspect that draws attention is how one of the two-factor authentication systems could be breached, given that it was considered one of the most secure options available thanks to its validation mechanism.

How two-factor authentication works

Two-factor authentication or 2FA, in its most common app-based form, is a cryptographic scheme built on a secret key, also known as a seed or token, which, combined with the current time (date and time), generates a unique temporary code that changes every certain number of seconds (usually 30). This is the basic operation of time-based 2FA. There are other types of validators in which the authentication code is sent via email or SMS.

Google Authenticator, one of the most widely used authenticators, generates 6-digit codes from the authentication key. Source: Authenticator App.

The secret key is held by both the platform and the user. Each side must protect it so that no third party gains access to it, since anyone holding the key can generate the valid security codes.
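To make the mechanism concrete, the following is an added example (not code from the original article or from Crypto.com) of the time-based algorithm most authenticator apps use, TOTP as specified in RFC 6238 on top of HOTP (RFC 4226). The secret shown is the RFC 6238 reference seed, encoded in base32 as an authenticator app would store it; the 30-second step and 6 digits are the common defaults. The last function shows the point made above: whoever holds the shared key, user, platform or attacker, computes exactly the same codes.

```python
"""Worked TOTP (RFC 6238) example: the platform and the authenticator app hold the
same secret key; anyone else who obtains that key can compute the same codes."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference seed "12345678901234567890",
# shown base32-encoded, as an authenticator app stores it (otpauth:// URI form).
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the common default
DIGITS = 6       # Google Authenticator displays 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of 'step' intervals since the Unix epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Platform-side check. Accepts the current step and +/- 'window' neighbouring steps to
    tolerate clock drift; compares in constant time so the check leaks nothing about the code."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def leaked_secret_defeats_2fa(secret_b32: str, unix_time: int) -> bool:
    """The article's point: the code is only as secret as the key. An attacker who holds the
    same seed passes verification without ever touching the user's phone."""
    attacker_code = totp(secret_b32, unix_time)
    return verify_totp(secret_b32, attacker_code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SHARED_SECRET_B32, now))
    print("attacker with leaked seed accepted:", leaked_secret_defeats_2fa(SHARED_SECRET_B32, now))
```

Because the code is a deterministic function of (key, time), a platform whose key material or key-generation infrastructure is compromised cannot distinguish the legitimate user from the attacker, which is why Crypto.com's response was to reset every user's 2FA key rather than simply asking users to log in again.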


According to Crypto.com’s statement, the flaw originated in the 2FA system itself, which led the company to completely reset the 2FA keys of all users registered on the platform.

In statements by the exchange’s CEO, Kris Marszalek, after the hack they decided to completely change the infrastructure used to generate 2FA keys. According to the CEO himself, the attackers did not go beyond exploiting the 2FA.

More than USD 30 million in losses, where did they go?

The losses at Crypto.com were substantial. However, the company’s stance was passive, saying at first that the incident only involved a “small number of users with suspicious activity”. While Crypto.com has more than 10 million registered users, and 483 compromised accounts is less than 1% of that total, USD 30 million is not a small amount.

A Twitter user, @ErgoBTC, took on the task of tracing, with Bitcoin blockchain exploration tools, where the funds stolen from Crypto.com ended up. According to their research, 271 BTC were deposited to different addresses in batches of 24 and 25 BTC, while 173 BTC remained unspent.

The diagram produced by @ErgoBTC shows how, to date, 172 BTC remain at a single address without being spent. Source: OXT.

In the Twitter thread, @ErgoBTC shows that one of the destination addresses of the stolen BTC has commonly been used by the Lazarus Group, a hacker group which, according to reports covered by CriptoNoticias, is associated with the North Korean government.

What will change now in Crypto.com?

According to the official Crypto.com announcement, the platform has now completely changed its policies on the use of 2FA, along with improvements to its security infrastructure, and has made the new 2FA mandatory for all registered users.

In addition, other security measures have been added: every time a user adds a withdrawal address, it cannot be used until a 24-hour period has elapsed, and the user receives an email notification for every withdrawal address added. Together, the delay and the notification give the account owner a window in which to notice, and cancel, an address added by an intruder before any funds can leave.

The report details that, in light of what happened, Crypto.com intends to move away from two-factor authentication toward a more secure system, known as multi-factor authentication or MFA.

Along with these changes at the platform and security level, Crypto.com has introduced the Worldwide Account Protection Program (WAPP). This insurance covers up to USD 250 thousand per compromised account in case a third party gains access to it. Certain conditions apply, since it is aimed only at qualifying users.

Safety tips in this scenario

In view of what happened with this exchange, it is important to remember the Bitcoin maxim: not your keys, not your bitcoin. Keeping savings on exchanges, where the private keys are managed by third parties, does not give real control over the bitcoin. Although the losses were covered 100%, no platform is completely safe, much less will platforms always take responsibility for stolen cryptocurrencies.

For this reason, the most advisable thing is to keep on any exchange, not only Crypto.com, only the amount of cryptocurrency you are going to use, so that, in case of loss, the amount does not put your personal finances at risk.

On the other hand, although it is always advisable to activate two-factor authentication as an extra layer of security for accounts, the Crypto.com hack showed that it is not a complete guarantee of security. Here, it is best to activate all the security measures an exchange offers, even though, on some occasions, doing so means giving up a little privacy, as with authentication via SMS. Where an exchange offers both, app-based codes are generally the stronger choice, since SMS codes can be intercepted through attacks on the phone number itself, such as SIM swapping.