The leading cryptocurrency exchange Crypto.com suffered a breach on its platform on 17 January, and the community had been waiting since then for a detailed analysis of the hack to be released. While several independent analysts had uncovered parts of the heist, Crypto.com has now released a postmortem of the incident, revealing that around 483 accounts were breached.
In a blog post shared earlier today, the Singapore-based exchange admitted that a total of 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other currencies were stolen. This amounted to almost $34 million at the time of writing.
However, the exchange has also claimed that no customers experienced a loss of funds. It added that while unauthorized withdrawals were blocked in most of the cases, the remaining aggrieved customers were fully reimbursed.
The unauthorized activity was detected by the exchange in the early hours of 17 January, post which all withdrawals were suspended to prevent further losses. This caused a total downtime of around 14 hours.
Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe.
In an abundance of caution, security on all accounts is being enhanced, requiring users to:
- Sign back into their App & Exchange accounts
- Reset their 2FA
— Crypto.com (@cryptocom) January 17, 2022
The post-mortem noted that an alarm was raised when platform administrators realized that withdrawals were being initiated without the completion of Two-Factor Authentication (2FA).
“Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur.”
Shortly after the hack, an analysis carried out by security consultancy PeckShield had already found that the stolen ETH tokens were being laundered through Tornado Cash, an Ethereum mixer.
— PeckShield Inc. (@peckshield) January 18, 2022
The stolen Ether was being sent through the mixer in batches of 100 tokens. Ethereum mixers break the on-chain link between the sender and recipient addresses, allowing users to obscure the transaction history of their tokens and remain anonymous.
Later, on 19 January, Bitcoin researcher ‘Ergo’ also took to Twitter to reveal that the stolen Bitcoin was being laundered in a similar fashion through “a well-known BTC tumbler.”
The 271 BTC then make a series of 24 or 25 BTC deposits to a well-known BTC tumbler.
— ∴Ergo∴ (@ErgoBTC) January 18, 2022
In order to increase the platform’s security, Crypto.com claims to have revamped its 2FA infrastructure. It added that a shift to Multi-Factor Authentication (MFA) will be undertaken soon, for which it will be releasing additional end-user security features.
Apart from this, a mandatory 24-hour delay between the registration of a new whitelisted withdrawal address and the first withdrawal to that address has also been enacted.
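The two controls described above, the alarm condition (withdrawals completing without a finished 2FA step) and the 24-hour hold on newly whitelisted addresses, can be shown as one authorization gate plus a log check. This is an added example written for this article, not Crypto.com's own code; the five-minute 2FA freshness window, the log line format and the sample log lines are all constructed assumptions, and only the 24-hour hold comes from the postmortem.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy parameters. The 24h hold is the control the postmortem describes;
# the 2FA freshness window is an assumed value for this example.
WHITELIST_HOLD = timedelta(hours=24)
TWO_FA_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class WhitelistEntry:
    account_id: str
    address: str
    registered_at: datetime


@dataclass(frozen=True)
class WithdrawalRequest:
    account_id: str
    address: str
    amount: float
    requested_at: datetime
    # When the 2FA challenge bound to this request was passed; None if it never was.
    two_fa_verified_at: Optional[datetime]


def authorize_withdrawal(req: WithdrawalRequest,
                         whitelist: List[WhitelistEntry]) -> Tuple[bool, str]:
    """Server-side gate: every withdrawal needs a fresh 2FA proof and an aged whitelist entry."""
    # Rule 1: the 2FA step must have completed, and recently, before this request.
    if req.two_fa_verified_at is None:
        return False, "2fa_not_completed"
    if not (req.requested_at - TWO_FA_WINDOW <= req.two_fa_verified_at <= req.requested_at):
        return False, "2fa_stale_or_future"
    # Rule 2: the destination must be on this account's whitelist ...
    matches = [e for e in whitelist
               if e.account_id == req.account_id and e.address == req.address]
    if not matches:
        return False, "address_not_whitelisted"
    # ... and must have been registered at least WHITELIST_HOLD ago.
    if req.requested_at - matches[0].registered_at < WHITELIST_HOLD:
        return False, "whitelist_hold_active"
    return True, "ok"


def parse_events(lines: List[str]) -> List[dict]:
    """Parse the assumed log format: '<iso-timestamp> <event> key=value ...'."""
    events = []
    for line in lines:
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **fields})
    return events


def withdrawals_without_2fa(events: List[dict]) -> List[dict]:
    """Detection: withdrawals with no 2fa_ok for the same account inside TWO_FA_WINDOW before them."""
    flagged = []
    for e in events:
        if e["event"] != "withdrawal":
            continue
        covered = any(
            p["event"] == "2fa_ok" and p["account"] == e["account"]
            and e["ts"] - TWO_FA_WINDOW <= p["ts"] <= e["ts"]
            for p in events
        )
        if not covered:
            flagged.append(e)
    return flagged


# Constructed sample log: u1 is legitimate, u2 never passed 2FA, u3's 2FA proof is too old.
SAMPLE_LOG = [
    "2022-01-17T01:00:00+00:00 2fa_ok account=u1",
    "2022-01-17T01:02:00+00:00 withdrawal account=u1 address=0xAAA",
    "2022-01-17T01:10:00+00:00 withdrawal account=u2 address=0xBBB",
    "2022-01-17T00:30:00+00:00 2fa_ok account=u3",
    "2022-01-17T01:20:00+00:00 withdrawal account=u3 address=0xCCC",
]


def flagged_accounts() -> List[str]:
    """Accounts whose withdrawals would have raised the alarm on the sample log."""
    return [e["account"] for e in withdrawals_without_2fa(parse_events(SAMPLE_LOG))]


if __name__ == "__main__":
    print("withdrawals without completed 2FA:", flagged_accounts())
```

The gate fails closed on a missing 2FA proof rather than treating the 2FA step as optional, and the log check re-derives the same condition from events, so the two can be kept in agreement by running the detector over the gate's own audit trail.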
As the third-largest cryptocurrency spot exchange globally, the firm could have seen the breach turn into a full-blown PR disaster. This would have been especially harrowing since it recently spent $700 million to purchase the naming rights to the Los Angeles Lakers and Clippers arena.
Moreover, its viral advertisements featuring Matt Damon had already run into trouble recently for being misleading to uninformed investors.
However, its quick response and reimbursement of lost funds could work in its favor when compared to how other exchanges reacted to similar incidents. For instance, users of both Bitmart and Cream Finance, which lost $200 million and $18.8 million respectively in similar hacks last year, have been expressing agitation over continued delays in the promised reimbursement of their lost funds.