On January 17th, 2022 Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Later during the day hundreds of users were hit and it became clear that it wasn’t just an unauthorized withdrawal phenomenon that they were witnessing but that a cybersecurity breach had occurred in their systems.
INCIDENT ANALYSIS
During the morning of the incident, Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts. Transactions were being approved without the usage of two-factor authentication (2FA), which consists in using more than one factor for authentication, such as a password and a OTP (one-time password), just like it used for classic bank transfers and transactions.
The response of the organization to this suspicious activity was fast and they successfully suspended all withdrawals on the platform for the entire time of the investigation. All users were asked to re-login into the site after all customers’ 2FA tokens got revoked, so that anyone using the site could set up their 2FA token once again to ensure that only authorized activity would take place.
The downtime of the withdrawal infrastructure was approximately 14 hours, and considering the time it took for the company to correctly diagnose what was happening inside of their systems, only on January 18th users were capable of executing withdrawals as usual.
AFTERMATH OF THE BREACH
The biggest impact of the breach was money related, in fact it has deeply affected the accounts of many users, in particular, the incident affected 483 Crypto.com users: unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies. The estimated value of the Bitcoin and Ether that was stolen at the time is around 35 million dollars.
The company has not yet been transparent about the technicalities behind the breach, it is not clear if the attackers were able to perform the withdrawals because of a vulnerability in the systems or because of a human or procedural error.
ADDITIONAL SECURITY MEASURES AND COMMUNICATION TO THE PUBLIC
Crypto.com promptly addressed the problem and issued an official statement on their website regarding what was happening and what will later be the way they would address the damages received:
“In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure”;
“No customers experienced a loss of funds. In the majority of cases, we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.”
Statements like these ones helped the company in keeping its reputation and public image safe, even if the consequences of the breach were very serious. Crypto.com introduced the worldwide Account Protection Program (APP) after this incident. APP is designed to protect user funds for all the cases in which someone gains unauthorized access to an account and tries to withdraw funds without the owner’s permission. APP restores funds up to USD$250,000 for qualified users; terms & conditions apply (terms & conditions are available at www.crypto.com).
LESSON LEARNT
Crypto.com has suffered a major security breach in its systems, however it has managed the response to the incident in a timely manner and with clear statements for its customers and stakeholders. The company had immediately called third-party auditors to further assess its security posture and all the customers who have suffered a monetary loss have been refunded. Even if Crypto.com did not release any information regarding how the hackers were capable of bypassing the 2FA, the way the company handled the incident is correct.
The world is increasingly shifting towards cryptocurrencies daily, and this incident shows that it is important for every company in the sector to have safeguards and security systems in place that are effective in reducing the risk of a breach, as well as a response and recovery plan in place, without forgetting the importance of a clear communication to the public.
Author: Andrea Borromini
B.Cyber 
Leave a Reply