Hackers steal $35 million in Crypto.com breach

• 483 Users accounts were breached during the attack
• Although Crypto.com admitted to the attack they insisted that ”no customer funds were lost”
• All withdrawals across Crypto.com were put on hold for 14 hours whilst investigations were conducted.
• The firm also announced the launch of its Worldwide Account Protection Program (WAPP), which promises to restore funds up to $250,000 for users who qualify.

After downplaying the severity of the attack, Crypto.com has admitted that 483 of it’s users’ accounts were compromised in a security breach earlier this month. After initially only reporting that $15million was lost in the breach; Crypto.com CEO Kris Marszalek has announced that Bitcoin and Ether worth $35 million was taken through unauthorized withdrawals. He also told Bloomberg that he had not been contacted by regulators since the attack, but would co-operate with officials if inquiries were made.

In a post on Thursday Crypto.com wrote: “On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.”

Shortly after, Blockchain security and analytics company PeckShield tweeted that Crypto.com had been robbed of about $15 million worth of ETH. The stolen crypto was then “washed” with Tornado Cash, a protocol that allows users to conduct anonymous transactions on the Ethereum network. These allegations, according to Fortune and various other industry analysts, are likely to be accurate.

On Monday the company noticed that, for a select few accounts, transactions were being approved without the second-factor of authentication being entered. All withdrawals across Crypto.com were put on hold for 14 hours whilst investigations were conducted. All customers were then required to login again and re-link their preferred 2 Factor authentication application.

Crypto.com also introduced additional security measures in light of the breach, which will see a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal.

The firm also announced its Worldwide Account Protection Program (WAPP), which promises to restore funds up to $250,000 for users who qualify. To qualify, users must have multi-factor authentication enabled and file a police report that must be shared with Crypto.com.

This apparent willingness to reimburse customers with its own capital will prove reassuring to users, as will moves made by the exchange to bolster its security. The same cannot be said for the company’s repeated insistence that “all funds are safe.” The vagueness in Crypto.com’s communications after the incident threatens to hurt their reputation and undoubtedly unravel some of the progress made by last year’s expensive marketing drive. Especially when there has been little in the way of an explanation of how the attack actually occurred.