It was the very bad rumor (which has become a quasi-certainty) that has been circulating for a few days in the cryptosphere: Crypto.com now admits that it has indeed suffered a hack. The damage would concern less than 500 users, but would involve thousands of ethers (ETH), hundreds of bitcoins (BTC) and some other crypto-currencies.
Hemorrhage of ETH and Bitcoins
Since this January 17, 2022, strange and disturbing transactions related to the platform Crypto.com have been reported by various observers. The teams of the cryptocurrency exchange site had then quickly suspended the withdrawals, reinforcing the fears of a hacking.
While various analytics firms were already beginning to put a figure in the millions of dollars of potential damage, Crypto.com finally released a post-mortem report confirming the attack by hackers.
According to the report, which was released on January 20, 2022, what is referred to by the platform as “an incident” would have affected a total of 483 users. As for the stolen assets, it would be more than 4,836 ETH ($15.5 million), nearly 444 BTC ($19 million), and about $66,200 in other cryptos.
This would therefore equate to a total of about $34.5 million in crypto assets, as of this writing.
An overly reassuring speech
In its statement, Crypto.com claims that these “unauthorized withdrawals” would have been “prevented” in the majority of cases, and that customers would have been “fully refunded.”
However, research by PeckShield analysts has shown that 4,600 ETH went straight into the Tornado Cash mixer, to be mixed with other transactions and lost their trace.
According to Crypto.com, these withdrawals would have been approved without any double authentication checks (2FA) being performed by the legitimate owners, which triggered the alert and suspension of the withdrawals.
The release adds that additional security was added to all accounts on January 18, setting a mandatory 24-hour delay between the registration of a new withdrawal address and the first possible withdrawal.
Crypto.com also announced the launch of a global account protection program (WAPP), which would offer a $250,000 guarantee in the event of crypto asset theft from its users’ accounts. The WAPP rollout will begin on February 1, 2022, and will require customers to observe several security rules in order for them to qualify.
Crypto.com teams are otherwise remaining tight-lipped about the exact nature of this security breach. Was it an external attack by hackers, or an “inside job” by a malicious employee? While Crypto.com’s strategy in recent months has been to focus on wealthy institutional clients, it must be said that this bad news comes at a very bad time.