Crypto.com came clean on Thursday (20) and admitted that 483 customers of the platform had their accounts compromised by attackers who stole 4,836.26 ETH, 443.93 BTC and another $66,200 in other cryptocurrencies.
In total, the “security incident” cost the exchange around BRL 184 million, based on the current price of Bitcoin and Ethereum.
Until then, the estimate of the hack’s damage had been made only by independent investigators. Security firm PeckShield, for example, disclosed the Ethereum theft earlier in the week. Later, Twitter user @ErgoBTC was the first to reveal that 444 BTC had also been stolen.
In the meantime, Crypto.com CEO Kris Marszalek was insisting that no users had been harmed in the incident. On Wednesday (19), he backed down and confirmed in an interview with Bloomberg TV that more than 400 accounts had been hacked.
How Crypto.com was hacked
In the early hours of this Thursday (20), the exchange published an official statement revealing the real impact of the hack. Besides reporting losses of BRL 184 million in cryptocurrencies, which exceeds the estimates of the independent investigations, the company also explained how it identified the attack:
“On Monday (17), at approximately 00:46 UTC, Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA [two-factor] authentication control being entered by the user.”
That is, attackers managed to bypass the security step to steal users’ funds. The note went on to say that after the risk was identified, an investigation was launched and all withdrawals on the platform were suspended.
“Crypto.com revoked all 2FA tokens from customers and added additional security protection measures, which required all customers to log in again and configure their 2FA token to ensure that only authorized activity took place,” the exchange explained.
The entire process interrupted withdrawals at the exchange for 14 hours; they only returned to normal on Tuesday afternoon (18).
Minimizing the impact
Both in the official note and in statements by the CEO, Crypto.com tries to minimize the attack by stating that users did not lose their funds because those who had their accounts hacked were reimbursed on the same day.
However, the refund does not change the fact that a flaw in the platform allowed these funds to be stolen in the first place.
The CEO of Crypto.com even described the more than 400 hacked accounts and BRL 184 million in stolen cryptocurrencies as “irrelevant”, given the scale of the company.
Currently, Crypto.com is among the ten largest exchanges in the world, moving more than BRL 15 billion daily, according to CoinMarketCap.
The company has not yet detailed which flaw in its platform made the hack possible, limiting itself to saying that it migrated to a new two-factor authentication infrastructure.
Crypto.com has also introduced an additional layer of security that forces a 24-hour delay between registering a new whitelisted cashout address and the first withdrawal.
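The two controls the statement describes, a withdrawal that must carry a server-side 2FA record and a 24-hour hold on newly whitelisted addresses, can be expressed as one fail-closed check plus an audit pass over already-approved transactions. This is an added example, not Crypto.com's code: the names `Withdrawal`, `authorize` and `audit_approved`, the 5-minute 2FA freshness window and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ADDRESS_HOLD = timedelta(hours=24)     # delay stated in the article
TWO_FA_MAX_AGE = timedelta(minutes=5)  # assumption: freshness window for a 2FA check

@dataclass(frozen=True)
class Withdrawal:
    account_id: str
    address: str
    requested_at: datetime
    twofa_verified_at: Optional[datetime]  # None: no server-side record of a 2FA check

def authorize(w, whitelist):
    """Return (allowed, reason); whitelist maps (account_id, address) -> time added."""
    if w.twofa_verified_at is None:
        return False, "2fa_missing"
    age = w.requested_at - w.twofa_verified_at
    if age < timedelta(0) or age > TWO_FA_MAX_AGE:
        return False, "2fa_stale"
    added_at = whitelist.get((w.account_id, w.address))
    if added_at is None:
        return False, "address_not_whitelisted"
    if w.requested_at - added_at < ADDRESS_HOLD:
        return False, "address_hold_active"
    return True, "ok"

def audit_approved(approved, whitelist):
    """Monitoring pass: list approved withdrawals that the policy would have refused."""
    findings = []
    for w in approved:
        allowed, reason = authorize(w, whitelist)
        if not allowed:
            findings.append((w.account_id, reason))
    return findings

# Constructed sample data (not taken from the incident).
T0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
WHITELIST = {("acct-1", "addr-old"): T0 - timedelta(days=30),
             ("acct-2", "addr-new"): T0 - timedelta(hours=2)}
APPROVED = [
    Withdrawal("acct-1", "addr-old", T0, T0 - timedelta(minutes=1)),  # passes
    Withdrawal("acct-1", "addr-old", T0, None),                        # no 2FA record
    Withdrawal("acct-2", "addr-new", T0, T0 - timedelta(seconds=30)),  # inside 24 h hold
    Withdrawal("acct-1", "addr-old", T0, T0 - timedelta(hours=3)),     # old 2FA check
]

if __name__ == "__main__":
    for account, reason in audit_approved(APPROVED, WHITELIST):
        print(account, reason)
```

Running the audit against the ledger of approved withdrawals, independently of the approval path itself, is what lets a check like this catch approvals that skipped 2FA.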