Crypto.com confirms $34 million hack caused by 2FA bypass exploit


Singapore-based cryptocurrency exchange Crypto.com has confirmed its two-factor authentication (2FA) was exploited by unauthorised individuals to drain $34 million (around £25 million) from user accounts this week.

The exchange said 483 of its customers were involved in the hack that saw attackers bypass 2FA controls and make unauthorised withdrawals of 4,836.26 Ethereum tokens, worth around $14 million or £10.3 million.


Bitcoin tokens worth around $17.3 million or £12.75 million, and approximately $66,200 (£48,786) in other cryptocurrencies, were also stolen in the attack. Prices are correct at the time of writing.

The details around the 2FA exploitation are currently unclear but Crypto.com has since "migrated to a completely new 2FA infrastructure" and revoked the 2FA tokens for all global users in order for this to be applied.

Crypto.com also implemented an additional layer of security involving a 24-hour delay between registering whitelisted withdrawal addresses and the first withdrawal to that address. It will allow users to screen these addresses as they're registered via notifications sent to them by the exchange and "give them adequate time to react and respond," the exchange said.
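The address-allowlisting control described above (a withdrawal address becomes usable only 24 hours after it is registered, with the user notified at registration so they can revoke it in the meantime) can be expressed as a small policy check. The following is an added illustration written for this article, not Crypto.com's code; the account structure, function names and notification hook are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Cooldown between registering a withdrawal address and first use (from the article).
ADDRESS_COOLDOWN = timedelta(hours=24)


@dataclass
class Account:
    """Hypothetical account record: allowlisted addresses and queued user notifications."""
    user_id: str
    # address -> UTC time it was added to the allowlist
    whitelist: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def register_address(acct: Account, address: str, now: datetime) -> bool:
    """Add an address to the allowlist and notify the user; the address stays in cooldown."""
    if address in acct.whitelist:
        return False
    acct.whitelist[address] = now
    usable_from = now + ADDRESS_COOLDOWN
    # The notification is what lets the legitimate owner spot and revoke an address
    # an attacker registered before any funds can move to it.
    acct.notifications.append(
        f"New withdrawal address {address} registered; usable from {usable_from:%Y-%m-%d %H:%M}Z."
    )
    return True


def revoke_address(acct: Account, address: str) -> bool:
    """User (or support) removes an address; returns False if it was not listed."""
    return acct.whitelist.pop(address, None) is not None


def authorize_withdrawal(acct: Account, address: str, now: datetime):
    """Return (allowed, reason). Only allowlisted addresses past the cooldown are allowed."""
    registered_at = acct.whitelist.get(address)
    if registered_at is None:
        return False, "address not on allowlist"
    remaining = registered_at + ADDRESS_COOLDOWN - now
    if remaining > timedelta(0):
        hours = remaining.total_seconds() / 3600
        return False, f"address in cooldown for {hours:.1f} more hours"
    return True, "ok"


def demo():
    """Walk through register -> blocked withdrawal -> allowed withdrawal -> revoke."""
    t0 = datetime(2022, 1, 17, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("user-0001")  # constructed account
    register_address(acct, "0xCONSTRUCTED_ADDRESS", t0)
    early = authorize_withdrawal(acct, "0xCONSTRUCTED_ADDRESS", t0 + timedelta(hours=1))
    later = authorize_withdrawal(acct, "0xCONSTRUCTED_ADDRESS", t0 + timedelta(hours=24))
    revoke_address(acct, "0xCONSTRUCTED_ADDRESS")
    after_revoke = authorize_withdrawal(acct, "0xCONSTRUCTED_ADDRESS", t0 + timedelta(hours=25))
    return early, later, after_revoke


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check is deliberately evaluated at withdrawal time rather than at registration time, so a revocation during the cooldown window takes effect immediately and an address that was added under a compromised session never becomes usable unless the owner lets the 24 hours pass.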

In addition to the 2FA overhaul, Crypto.com has engaged third-party security firms to examine the security of its new system and plans to eventually transition to a multi-factor authentication (MFA) model.

"We don't have the details on how the Crypto.com hack evolved, but it appears that the policy controlling 2FA was exploited in some way, deactivating it for certain users," said Robert Byrne, field strategist at One Identity, speaking to IT Pro.

"There are various ways hacking may be able to circumvent 2FA services, but the most likely explanation here is that they compromised and exploited a privileged user account - the hackers then use that account to deactivate the 2FA policy for some users and, having compromised those accounts, they can then log in and steal the funds.

"The 2FA service here is likely offered by a third-party service, so that supplier's infrastructure may well have been one of the targets of the attack," Byrne added. "Of course, it is possible there was an honest administrative error in security configuration that was detected by the thieves, who then rushed in to exploit it before it was remediated. Sadly, misconfigurations are not uncommon due to the pressure on security staff and the lack of sanity checks and surveillance of configuration settings."
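The scenario Byrne outlines, a privileged account switching 2FA off for a batch of users, leaves a characteristic trace in an identity provider's audit log: one actor disabling MFA on several accounts other than its own in a short span. The detection below is an added example written for this article (not a Crypto.com or One Identity tool); the log format, field names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical audit-log line format: "<ISO-8601 UTC> actor=<id> action=<name> target=<id>"
LOG_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")

# Constructed sample: a self-service disable, a single support reset, then one admin
# account turning MFA off for four different users within a few minutes.
SAMPLE_LOG = """
2022-01-17T01:58:10Z actor=u10431 action=mfa.disable target=u10431
2022-01-17T02:03:44Z actor=support-2 action=mfa.disable target=u20877
2022-01-17T02:14:03Z actor=ops-admin-7 action=mfa.disable target=u30012
2022-01-17T02:15:21Z actor=ops-admin-7 action=mfa.disable target=u30019
2022-01-17T02:16:05Z actor=ops-admin-7 action=login target=ops-admin-7
2022-01-17T02:17:48Z actor=ops-admin-7 action=mfa.disable target=u30044
2022-01-17T02:19:30Z actor=ops-admin-7 action=mfa.disable target=u30051
2022-01-17T03:30:00Z actor=ops-admin-7 action=mfa.disable target=u30099
"""


def parse_events(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_mfa_disable_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag actors that disable MFA on >= threshold distinct *other* users within `window`.

    Self-service disables (actor == target) are excluded; they are routine.
    Returns a list of (actor, first_ts, last_ts, sorted_targets), one entry per actor.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "mfa.disable" and e["actor"] != e["target"]:
            per_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Sliding window over this actor's disable events.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append((actor, evs[start]["ts"], evs[end]["ts"], sorted(targets)))
                break  # one alert per actor is enough to trigger investigation
    return alerts


def run_sample():
    return find_mfa_disable_bursts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for actor, first, last, targets in run_sample():
        print(f"ALERT {actor}: MFA disabled for {len(targets)} users between {first:%H:%M:%S} and {last:%H:%M:%S}: {targets}")
```

Thresholds and window size depend on how often support staff legitimately reset MFA; the useful part of the rule is the distinction between an account changing its own factor and a privileged account changing someone else's, which is exactly the action Byrne's explanation hinges on and which should also be surfaced to the affected user, not only to the SOC.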

The exchange has now introduced a worldwide Account Protection Program (APP), which will reimburse qualified users up to $250,000 in cases where unauthorised actors drain their accounts. To qualify, users must enable MFA on all transaction types, set up an anti-phishing code, not use jailbroken devices, file a police report, and complete a questionnaire to support a forensic investigation.

The wider story

Crypto.com users first started reporting unauthorised withdrawals from their accounts on Monday, according to a Tweet from the exchange which assured that "all funds are safe". The sentiment was echoed by the exchange's CEO in a follow-up Tweet posted Tuesday, confirming that no customer funds were lost, that the infrastructure downtime was around 14 hours, and that the infrastructure had been "hardened" following the incident.

Meanwhile, blockchain security and data analytics company PeckShield tweeted that the exchange had lost $15 million (£11 million) and that the stolen Ethereum was being "washed" using Tornado Cash, a cryptocurrency tumbling and mixing service - the equivalent of cryptocurrency money laundering.

After the official update was published on Thursday, affected customers were still reporting that they had not been reimbursed, and others said they were still unable to access their accounts.

What is Crypto.com?

The Singapore-based cryptocurrency exchange was founded in 2016, then known as 'Monaco' before being rebranded to Crypto.com in 2018. The company has sponsorship ties with a number of high-profile sports teams including Paris St-Germain, the Philadelphia 76ers, the Italian Serie A football league, Formula 1, and the Ultimate Fighting Championship (UFC).

It also bought the naming rights to the Staples Center arena in 2021, located in Los Angeles, for a reported $700 million (£516.3 million) with the rights lasting 20 years.

The company is a big proponent of Web3 and has been quick to capitalise on the recent popularity of non-fungible tokens (NFTs), adding a dedicated marketplace for the asset to its offering.

The company has 10 million users across 90 countries and employs 3,000 staff to run the business.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.