With a formal statement from the Singapore-based crypto exchange announcing a block on withdrawals after discovering “strange actions” in user accounts, the Crypto.com security breach narrative gains clarity.
Crypto.com announced today that “4,836.26 ETH, 443.93 BTC, as well as about US$66,200 in other currencies” had been taken without authorization from user accounts. At current market value, the total loss is approximately $33.8 million.
Several Crypto.com users have complained that their money disappeared as a result of a security vulnerability. The company’s past comments, however, have failed to allay fears.
According to the official statement, Crypto.com’s risk monitoring systems discovered “unauthorised behaviour on a small number of user accounts” on Jan. 17, 2022, at around 12:46 AM UTC, where transactions were authorised without the user entering the 2FA authentication control.
As noted in the announcement, the exchange halted withdrawals and revoked all client 2FA tokens, as well as applying additional security hardening measures. That required everyone to log in again and reactivate their 2FA token, so that only approved actions would be enabled. The withdrawal infrastructure was down for a total of 14 hours.
New whitelisted withdrawal address
To prevent a repeat of the incident, Crypto.com claims to have added an extra degree of security, requiring the registration of a new whitelisted withdrawal address within 24 hours of the first withdrawal.
“Users will receive a notification when withdrawal addresses are available”, the announcement reads.
The CEO of Crypto.com, Kris Marszalek, told Bloomberg on Wednesday that the exchange has not received any information from regulators regarding the incident. He went on to state:
“Clearly, we’ve learned a valuable lesson, and we’re working to improve our infrastructure.”
Over $15 million in Ethereum has been stolen, according to PeckShield. Half of the cash was sent to Tornado Cash “for cleansing”, according to the blockchain security firm’s tweet on Monday. The heist may have cost the exchange $33 million in stolen funds, according to another researcher from blockchain data firm OXT Research.