Pierluigi Paganini January 20, 2022

Crypto.com confirmed that a cyber attack compromised around 400 of its customer accounts leading in the theft of $33 million.

Crypto.com is a cryptocurrency exchange app based in Singapore, the app currently has 10 million users and 3,000 employees. Recently, several Crypto.com users reported suspicious transactions that stole thousands of dollars in Ethereum (ETH) despite their accounts being protected with 2FA.

The company initially confirmed the unauthorized access to wallets belonging to a ‘small number’ of users.

The company reassured its users saying that all funds are safe.

Now the company’s CEO Kris Marszalek has confirmed during an interview with Bloomberg Live that 483 customer accounts were compromised and that threat actors stole $33 million worth of cryptocurrency.

“On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.” reads a security report published by Crypto.com. “The incident affected 483 Crypto.com users. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies.”

Initial news about the security breach reported the theft of 4,830 ETH (roughly $15 million), but according to ErgoBTC, an analyst at bitcoin research firm OXT Research, the attackers may have stolen around $33 million.

ErgoBTC also discovered another wallet containing 172.9 BTC ($7 million) that belongs to the threat actors behind the Crypto.com security breach.

The threat actors may also have stolen 444 BTC (18.4 million) from the exchange’s custodial wallet. Experts also reported that the threat actors have already laundered 271 BTC ($11 million) via a bitcoin tumbler service that was often used by North Korea-linked APT groups.

“Per ErgoBTC’s tweet on Tuesday, an additional 444 BTC ($18.5 million) was siphoned from Crypto.com’s payout wallet. Detailing the suspicious transactions, ErgoBTC said OXT Research first flagged a suspicious payout from the exchange’s custodial wallet to the tune of 52.55 BTC ($2.18 million).” reported an article published by TheBlockCrypto. “This transaction was followed by “several hundred withdrawals” as noted by ErgoBTC that were later batched into four outputs of 67.75 BTC ($2.81 million) each. These four batched outputs totaling 271 BTC ($11.25 million) were funneled via a bitcoin tumbler — a mixing service that allows users to combine different transactions to make it difficult to trace BTC transfers.”

The impacted accounts were restored at the time of this writing, the company also revoked all customer 2FA tokens and announced to have implemented additional security measures to protect its platform.

“Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized.” states the company.

Crypto.com announced the introduction of the Worldwide Account Protection Program (WAPP) that aims at protecting user funds in cases threat actors will gain unauthorized access to their account and withdraws funds without the user’s permission. WAPP will cover losses up to USD$250,000 for qualified users.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BITCOIN)

[adrotate banner=”5″]

[adrotate banner=”13″]