Crypto.com, the industry's fourth-largest cryptocurrency exchange, finally admitted it lost user funds due to a recent security breach.
According to a blog post published on Thursday, the incident affected a total of 483 users, resulting in unauthorized withdrawals totaling 4,836.26 Ethereum, 443.93 Bitcoin, and approximately$66,200 in other cryptocurrencies, or roughly $33.84 million in current prices.
Singapore-based Crypto.com announced it was pausing withdrawals after "a small number of users experienced unauthorized activity in their accounts" on Monday, urging customers to reset their two-factor authentication (2FA).
Security company Peckshield later revealed that the incident resulted in Crypto.com losing at least 4,600 ETH (around $15 million) in user funds, telling Decrypt that the scale of the damage was "definitely worse."
According to Peckshield, half of the stolen funds were sent to Tornado Cash, a crypto mixing service that enables users to obfuscate their transactions.
On top of that, blockchain analyst ErgoBTC said hackers managed to make it away with about 444 BTC, the number Crypto.com confirmed in today's post-mortem.
Despite the litany of evidence, Crypto.com initially refused to acknowledge the hack, with the company's CEO Kris Marszalek claiming that "no customer funds were lost."
Crypto.com CEO: "Numbers not particularly material"
Marszalek appeared on Bloomberg TV on Wednesday, finally confirming that around 400 customer accounts had been compromised.
According to him, Crypto.com quickly paused withdrawals after detecting that "some of the defense layers were breached," fixed the issue, and was "back online in about 13 to 14 hours."
He added that the same day, "all of the accounts that were affected were reimbursed, so there was no loss of customer funds."
When pressed with the question about the actual extent of the losses suffered by the exchange, Marszalek said that "given the scale of the business, these numbers are not particularly material."
The company's post-mortem confirmed that the security incident occurred due to issues with 2FA.
Crypto.com said it also revamped and migrated to an entirely new 2FA infrastructure, with 2FA tokens for all users revoked "to ensure the new infrastructure was in effect."
The exchange introduced an additional layer of security to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and the first withdrawal of funds.
According to the company, this will give users "adequate time to react and respond" to notifications that new withdrawal addresses have been added.
Crypto.com has also announced the launch of the Worldwide Account Protection Program (WAPP), which is "designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user's permission."
WAPP opens up a possibility to restore funds up to $250,000. Still, it comes with several conditions to qualify, including the requirement to enable multi-factor authentication and set up an anti-phishing code at least 21 days before the reported unauthorized transaction.
Users will also have to file a police report and complete a questionnaire to support a forensic investigation.
Stay on top of crypto news, get daily updates in your inbox.