The company's post-mortem came just one day after CEO Kris Marszalek admitted the breach in a Bloomberg TV interview. He confirmed the breach after many Crypto.com users claimed their funds had been stolen; until then, the company had responded only with cryptic statements referring to an ‘event.’ During the interview, Marszalek did not reveal how the hack occurred, but he did disclose that Crypto.com has refunded all affected accounts.
According to today's announcement, Crypto.com discovered the suspicious activity on Monday, when ‘transactions were being approved without the user entering the Two-Factor Authentication (2FA) authentication control.’ To investigate the problem, the site temporarily halted all withdrawals for 14 hours.
The attacker was able to approve transactions without triggering 2FA, which is required for all users, according to Crypto.com.
Customers were asked to log in to the platform and set up their 2FA tokens again after the company ‘revoked all client 2FA tokens and added additional security hardening measures.’ Users will be notified of withdrawals and have ‘enough time to react and respond’ by contacting the Crypto.com staff if a withdrawal appears to be unauthorized. The extra precautions include a mandatory 24-hour delay between the registration of a new withdrawal address and the first withdrawal to it.
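The two controls described above, a withdrawal that is only approved once the 2FA step has actually been verified on the server, and a 24-hour cooling period before a newly registered withdrawal address can be used, are sketched here as an added Python example. It is illustrative code written for this article, not Crypto.com's implementation; the class and field names, the five-minute freshness window for the 2FA check, and the sample timestamps are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumed policy constants (not Crypto.com's actual values).
ADDRESS_COOLDOWN = timedelta(hours=24)   # article: 24h delay for new addresses
MFA_MAX_AGE = timedelta(minutes=5)       # assumed: how fresh the 2FA check must be


@dataclass
class WithdrawalAddress:
    address: str
    registered_at: datetime


@dataclass
class Session:
    user_id: str
    # Set ONLY by the server after it has itself verified the 2FA code.
    # A client claim such as "2fa=true" in the request must never populate this.
    mfa_verified_at: Optional[datetime] = None


class WithdrawalPolicy:
    """Server-side authorization for withdrawals (hypothetical implementation)."""

    def __init__(self) -> None:
        self._addresses: Dict[str, Dict[str, WithdrawalAddress]] = {}

    def register_address(self, user_id: str, address: str, now: datetime) -> None:
        # Registration starts the cooldown clock; it does not grant use yet.
        self._addresses.setdefault(user_id, {})[address] = WithdrawalAddress(address, now)

    def authorize(self, session: Session, address: str, now: datetime) -> Tuple[bool, str]:
        """Return (approved, reason). Every check happens on the server."""
        # 1. The 2FA step must have been completed, and recently.
        if session.mfa_verified_at is None:
            return False, "2fa_not_verified"
        if now - session.mfa_verified_at > MFA_MAX_AGE:
            return False, "2fa_stale"

        # 2. Withdrawals go only to addresses the user registered beforehand.
        entry = self._addresses.get(session.user_id, {}).get(address)
        if entry is None:
            return False, "address_not_registered"

        # 3. A newly registered address is unusable until the cooldown elapses,
        #    giving the account owner time to notice and react to a rogue address.
        if now - entry.registered_at < ADDRESS_COOLDOWN:
            return False, "address_in_cooldown"

        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the failure mode and the two mitigations with constructed data."""
    policy = WithdrawalPolicy()
    t0 = datetime(2022, 1, 17, 9, 0, 0)  # constructed sample timestamp
    policy.register_address("alice", "addr-old", t0 - timedelta(days=3))
    policy.register_address("alice", "addr-new", t0 - timedelta(hours=1))

    results = {}
    # Failure mode from the article: a request arrives without the 2FA step done.
    results["no_2fa"] = policy.authorize(Session("alice"), "addr-old", t0)
    # Same request after the server verified 2FA a minute ago.
    verified = Session("alice", mfa_verified_at=t0 - timedelta(minutes=1))
    results["ok_old_address"] = policy.authorize(verified, "addr-old", t0)
    # New address registered an hour ago: blocked by the 24h delay.
    results["new_address_blocked"] = policy.authorize(verified, "addr-new", t0)
    # Same new address 25 hours after registration: allowed.
    later = Session("alice", mfa_verified_at=t0 + timedelta(hours=24))
    results["new_address_after_cooldown"] = policy.authorize(
        later, "addr-new", t0 + timedelta(hours=24, minutes=1))
    # A 2FA check from an hour ago is too old to carry a withdrawal.
    stale = Session("alice", mfa_verified_at=t0 - timedelta(hours=1))
    results["stale_2fa"] = policy.authorize(stale, "addr-old", t0)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:28s} -> {outcome}")
```

The design point is that `mfa_verified_at` is state the server writes after checking the code itself; the approval path never trusts a flag supplied by the client, which is the class of gap the article's description of transactions ‘approved without the user entering the 2FA control’ points at. The cooldown check is deliberately evaluated after the 2FA check so that a missing second factor is always the first reason reported.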
Following the incident, the company says it undertook an internal investigation and hired third-party security experts to examine its platform. To improve security, it announced plans to move away from two-factor authentication toward ‘real multi-factor authentication,’ though it did not provide a date.
In a statement today, Crypto.com also said that ‘beginning February 1st, the Worldwide Account Protection Scheme (WAPP) will be introduced in select regions,’ a programme that will restore funds of up to $250,000 to ‘eligible consumers’ in the event of an unauthorized withdrawal. To qualify, the company says, users must enable multi-factor authentication on all transaction types where it is available, have set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction, file a police report and provide it to Crypto.com, complete a forensic investigation questionnaire, and not be using a jailbroken device.
Crypto.com is the world's fourth-largest cryptocurrency exchange, and it has been aggressively expanding its presence in the United States in recent months, with stunts such as viral advertisements starring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers arena. It bills itself as the ‘fastest-growing’ cryptocurrency exchange, and earlier this week announced a $500 million expansion of its venture capital arm to support early-stage crypto businesses. The fallout from this week's hack, as well as the company's tardy response, may threaten to stall some of that expansion in the United States.