Crypto.com hack from 2FA bypass exceeds $30 million in forced refunds and new security measures

Singapore-based cryptocurrency exchange Crypto.com has admitted that hackers stole $34.65 million worth of cryptocurrency after bypassing its two-factor authentication (2FA) system. According to the company’s statement posted online, at least 483 user accounts were affected by the Crypto.com 2FA bypass hack.

The world’s fourth largest cryptocurrency exchange said the incident led to unauthorized withdrawals of 4,836.26 Ethereum tokens worth around $15 million and 443.93 bitcoin tokens worth approximately $17.3 million. Crypto.com also lost digital assets worth around $66,200 in other cryptocurrencies.

Crypto.com Hack Victims Reimbursed After Company’s Initial Denial

Crypto.com’s 2FA bypass led to the introduction of the company’s Worldwide Account Protection Program (WAPP), which would reimburse “eligible users” in “select markets” up to $250,000 after unauthorized withdrawals.

To be eligible, users must enable multi-factor authentication (MFA) for all transactions, create an anti-phishing code, avoid using jailbroken devices, complete a questionnaire to facilitate forensic investigations, and file a police report.

The cryptocurrency exchange had previously denied the heist, assuring its customers that “all funds are safe” after several users complained about missing funds. Kris Marszalek, CEO of Crypto.com, reiterated that “no client funds were lost” but acknowledged a 14-hour downtime. He also assured users that his team “has beefed up the infrastructure in response to the incident.”

However, blockchain security firm PeckShield blew the lid off the Crypto.com hack, indicating that the exchange had lost about $15 million. PeckShield also said the hackers were laundering the stolen Ethereum through the Tornado Cash mixing service.

The Crypto.com CEO later acknowledged the hack during a Bloomberg TV interview, adding that the victims had been fully reimbursed. However, some victims complained that they had not yet received their refunds after the official announcement.

Marszalek also played down the losses, saying “these materials are not particularly important” and that “customer funds were never at risk.”

Crypto.com Migrates to New Authentication Infrastructure After 2FA Bypass Incident

The 2FA bypass prompted the cryptocurrency exchange to migrate to new 2FA infrastructure. As part of the migration, Crypto.com revoked all existing 2FA tokens for users worldwide and introduced a mandatory 24-hour delay between the registration of a whitelisted withdrawal address and the first withdrawal to that address.

According to the company, the delay would give users “adequate time to react and respond” and filter addresses after receiving notifications.
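The two controls described above, an allowlist of withdrawal addresses with a 24-hour cooldown after registration and MFA required on every withdrawal, can be modelled as a single authorization check. The following is an added example, not Crypto.com’s code; the names, the reason codes and the notification hook are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the control described in the article; not Crypto.com's implementation.
ADDRESS_COOLDOWN_S = 24 * 60 * 60  # 24-hour delay before a newly allowlisted address is usable


@dataclass
class Account:
    user_id: str
    mfa_enabled: bool = True
    # withdrawal address -> Unix time (seconds) at which it was allowlisted
    allowlist: dict = field(default_factory=dict)


def register_address(acct: Account, address: str, now_s: int) -> str:
    """Allowlist an address and return the notification text sent to the user.

    The notification is what gives the user the "time to react" mentioned in
    the article: the address cannot receive funds until the cooldown has passed.
    """
    acct.allowlist[address] = now_s
    usable_at = now_s + ADDRESS_COOLDOWN_S
    return f"notify {acct.user_id}: address {address} added, withdrawals allowed from t={usable_at}"


def authorize_withdrawal(acct: Account, address: str, mfa_verified: bool, now_s: int):
    """Return (allowed, reason). Fails closed: every check must pass."""
    if not acct.mfa_enabled:
        # An account whose 2FA was switched off (e.g. by a policy change) cannot withdraw.
        return False, "mfa_disabled_on_account"
    if not mfa_verified:
        return False, "mfa_challenge_failed"
    added_s = acct.allowlist.get(address)
    if added_s is None:
        return False, "address_not_allowlisted"
    elapsed = now_s - added_s
    if elapsed < ADDRESS_COOLDOWN_S:
        remaining_min = (ADDRESS_COOLDOWN_S - elapsed) // 60
        return False, f"cooldown_active:{remaining_min}m"
    return True, "ok"


if __name__ == "__main__":
    acct = Account("user-1")
    print(register_address(acct, "0xCONSTRUCTED", now_s=0))
    print(authorize_withdrawal(acct, "0xCONSTRUCTED", mfa_verified=True, now_s=3600))
    print(authorize_withdrawal(acct, "0xCONSTRUCTED", mfa_verified=True, now_s=ADDRESS_COOLDOWN_S))
```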

Robert Byrne, a field strategist at One Identity, told IT Pro: “We don’t have any details on the evolution of the Crypto.com hack, but it appears the policy controlling 2FA has been exploited in one way or another, disabling it for some users.”

Byrne suggested that the hackers circumvented 2FA after compromising a privileged account, which they then used to modify the 2FA policy of other users. He also suggested that a third-party 2FA provider was likely among the targets of the attack, and characterised the 2FA bypass incident as a potential oversight in the administrative security setup.

The Crypto.com hack also prompted the exchange to hire third-party security experts to review the new 2FA infrastructure before eventually moving to a true multi-factor authentication (MFA) service. External parties would also conduct additional “threat intelligence services”.

“In 2022, the technical environment has evolved into, ‘I steal cryptocurrency exchanges because that’s where the money is,’” said Neil Jones, cybersecurity evangelist at Egnyte. “I’m actually more surprised at the number of users who had their money stolen, almost 500 according to published reports, rather than the $30 million+ that was stolen.”