Crypto.com, a crypto exchange based in Singapore, has released a statement detailing the security breach incident. The crypto exchange had halted withdrawals after “suspicious activities” occurred on user accounts.
The official report from Crypto.com noted that “4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies” had been withdrawn from user accounts without authorization. At current market prices, those losses equate to around $33.8 million.
On a Monday in February at 12:46 am (UTC), Crypto.com’s security system detected “unauthorized activity on a small number of user accounts.” It was reported that transactions were being approved without the user entering the two-factor authentication (2FA) code. Crypto.com subsequently halted all withdrawals and revoked users’ 2FA tokens. As a further security measure, all users were required to log in again and reactivate their 2FA tokens. It was a total of 14 hours before the withdrawal infrastructure was up again.
Crypto.com announced an additional security measure: all new withdrawal addresses must be registered, with a 24-hour wait before a withdrawal to them can proceed. Additionally, the report states, “Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond.”
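A server-side withdrawal gate that combines the two controls in the report, a 2FA check that cannot be skipped and a 24-hour hold on newly registered withdrawal addresses, is sketched below as an added example; it is not Crypto.com's code. The class and function names and the five-minute 2FA freshness window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

COOLDOWN = timedelta(hours=24)           # hold on new addresses, as in the report
TWO_FA_MAX_AGE = timedelta(minutes=5)    # assumption: how fresh a 2FA check must be


@dataclass
class Account:
    """Hypothetical per-user state kept by the exchange backend."""
    user_id: str
    addresses: Dict[str, datetime] = field(default_factory=dict)  # address -> registered at
    last_2fa_ok: Optional[datetime] = None   # set only by the server after it verifies a code
    outbox: List[str] = field(default_factory=list)  # notifications queued for the user


def register_address(acct: Account, address: str, now: datetime) -> None:
    """Record a withdrawal address and notify the user so they have time to react."""
    # setdefault keeps the original timestamp, so re-adding an address
    # cannot be used to tamper with when its hold started.
    acct.addresses.setdefault(address, now)
    acct.outbox.append(f"withdrawal address added: {address}")


def authorize_withdrawal(acct: Account, address: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed: every check must pass."""
    # 1. The failure described in the incident: a withdrawal approved with no
    #    2FA input. The decision relies on server-side state only, never on a
    #    flag supplied by the client.
    if acct.last_2fa_ok is None or now - acct.last_2fa_ok > TWO_FA_MAX_AGE:
        return False, "2fa_required"
    # 2. Destination must have been registered beforehand.
    registered_at = acct.addresses.get(address)
    if registered_at is None:
        return False, "address_not_registered"
    # 3. Newly registered destinations are held for 24 hours.
    if now - registered_at < COOLDOWN:
        return False, "address_in_cooldown"
    return True, "ok"
```

With this gate, an attacker who gets past the 2FA prompt still has to wait out the hold on a new address, and the notification queued by `register_address` reaches the account owner during that window.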
Kris Marszalek, CEO of Crypto.com, stated, “Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”
PeckShield reports that the amount stolen was over $15 million in Ether (ETH). The blockchain security firm sent out a tweet on Monday stating that about half of the stolen funds were sent to Tornado Cash, a cryptocurrency mixer, to be cleared. Another firm reported that the incident may have cost Crypto.com $33 million in assets.