2FA compromise led to Crypto.com hack

(Image credit: Shutterstock / Wit Olszewksi)

More details have emerged about the recent Crypto.com hack that left almost 500 customers without their hard-earned cryptocurrencies. 

The company has published a post mortem on its website in which it says that whoever was behind the theft managed to withdraw millions of dollars in cryptocurrencies from hundreds of accounts without the two-factor authentication (2FA) step ever being entered.

In total, 483 accounts were compromised and more than $31 million was taken: 4,836.26 ETH, 443.93 BTC, and approximately $66,200 in “other cryptocurrencies”.

Security breaches and fraud

Crypto.com did not give further details on how it was possible to withdraw the tokens without 2FA being entered, or on whether an endpoint was compromised, but it did say what it did at the time and what it plans to do going forward.

Once it discovered the incident, the company first suspended all withdrawals from the platform, reimbursed the affected accounts, revoked all customer 2FA tokens, and added “additional security hardening measures”. 

Now, after a new withdrawal address is added to an account, the owner must wait 24 hours before withdrawing to it, which gives legitimate owners time to notice and report an address they did not add.
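To make the control concrete, here is an added example (not Crypto.com's code, and not described in its post mortem beyond the 24-hour wait) of how a withdrawal service can enforce such a cooldown alongside a per-request second-factor check. The account model, the address names and the `NEW_ADDRESS_COOLDOWN` constant are assumptions for illustration; the point is that a freshly whitelisted address is refused even when every other check passes, and that the owner (or support, after a report) can pull the address before the window closes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy constant: the 24-hour wait described in the article.
NEW_ADDRESS_COOLDOWN = timedelta(hours=24)

# Constructed timestamp used by the walk-through below.
T0 = datetime(2022, 1, 17, 0, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    """Minimal account model: whitelisted withdrawal addresses and when each was added."""
    account_id: str
    # address -> UTC timestamp at which the owner registered it
    addresses: dict = field(default_factory=dict)

    def register_address(self, address: str, now: datetime) -> None:
        # Re-registering an existing address must not reset its clock; keep
        # the original timestamp so the cooldown cannot be shortened or
        # needlessly restarted.
        self.addresses.setdefault(address, now)

    def remove_address(self, address: str) -> None:
        # Owner (or support, after a report) pulls a suspicious address.
        self.addresses.pop(address, None)


def authorize_withdrawal(account: Account, address: str, mfa_verified: bool,
                         now: datetime) -> tuple:
    """Return (allowed, reason). Both gates must pass: a valid second factor
    for this specific request AND a whitelisted address older than the cooldown."""
    if not mfa_verified:
        return False, "second factor not verified for this withdrawal"
    registered_at = account.addresses.get(address)
    if registered_at is None:
        return False, "destination address is not whitelisted"
    remaining = NEW_ADDRESS_COOLDOWN - (now - registered_at)
    if remaining > timedelta(0):
        hours = remaining.total_seconds() / 3600
        return False, f"address added too recently; {hours:.1f}h of cooldown remain"
    return True, "ok"


def run_scenario() -> list:
    """Constructed walk-through: an address is added at T0, an immediate
    cash-out attempt is refused, a withdrawal a day later is allowed, and a
    removed address is refused again."""
    acct = Account("acct-demo")
    acct.register_address("bc1q-new-address", T0)
    results = [
        # no second factor at all
        authorize_withdrawal(acct, "bc1q-new-address", False, T0 + timedelta(minutes=5)),
        # second factor passed, but the address is only five minutes old
        authorize_withdrawal(acct, "bc1q-new-address", True, T0 + timedelta(minutes=5)),
        # address never whitelisted
        authorize_withdrawal(acct, "bc1q-unknown", True, T0 + timedelta(hours=30)),
        # 30 hours later the cooldown has elapsed
        authorize_withdrawal(acct, "bc1q-new-address", True, T0 + timedelta(hours=30)),
    ]
    acct.remove_address("bc1q-new-address")
    results.append(
        authorize_withdrawal(acct, "bc1q-new-address", True, T0 + timedelta(hours=30)))
    return results


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The cooldown is deliberately checked independently of the second-factor result: if an attacker finds a way past the 2FA step, as the post mortem says happened here, the time-based gate still stands on its own and still gives the real owner a window to react.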

Furthermore, Crypto.com said it plans to move away from 2FA to “true multi-factor authentication”, although it did not specify what that means in practice or when it might happen. Strictly speaking, 2FA is multi-factor authentication with exactly two factors, so without more detail it is unclear what the change would involve.

Finally, customers were required to log in again and re-enroll their 2FA tokens.

A genuine security breach of a cryptocurrency exchange is rare. In most cases, cryptocurrency theft happens through fraud: owners are tricked into sending their tokens elsewhere, or into giving away personally identifiable information. That information can later be used for identity theft, letting criminals withdraw funds from wallets and exchanges with little resistance.

In more recent times, with the emergence of DeFi (Decentralized Finance), a scam method known as a “rugpull” has risen in popularity. 

In the simplest terms, a rugpull happens when a blockchain project’s owners remove all liquidity from the project, dropping the value of the token they created to virtually zero.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.