CEO Kris Marszalek of Crypto.com has confirmed that over 400 customer accounts were hacked and millions of dollars stolen.
In an interview with Bloomberg, the CEO confirmed there were unauthorized transactions on these accounts but assured Crypto.com users that his team had taken care of the situation and reimbursed everyone whose money was stolen from their accounts.
In the wake of the incident, the company has released a report detailing the findings of its post-mortem. In all, 483 accounts were hacked. The unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC, and about $66,200 in other currencies. At current exchange rates, that’s $15.3 million of ETH and $18.7 million of BTC for a total of $34.
According to the report, transactions on a small number of accounts were being approved without two-factor authentication just a few days ago. The company’s risk monitoring systems caught this, and the cryptocurrency exchange halted withdrawals on January 16th. Some users reported that their cash was taken even though they had two-factor authentication activated.
“No customer funds were lost,” Marszalek tweeted on January 17. The company’s infrastructure went down for about 14 hours, but his team made sure its security was strengthened as a result of the incident. A report has confirmed that Crypto.com revoked all customer 2FA tokens and imposed extra security measures, which required all account users to log in again.
Crypto.com claims the action was taken because a new 2FA infrastructure was set up. Over time, it wants to move away from two-factor authentication to true Multi-Factor Authentication (MFA).
A new security measure from Crypto.com also requires users to wait 24 hours before withdrawing money to a newly whitelisted address. Users who want more protection for their money will be able to sign up for the Worldwide Account Protection Program (WAPP) on February 1.
If a third party gets into a user’s account, WAPP can return up to $250,000 of that user’s money. The program requires customers to employ multi-factor authentication for all transactions to avoid having their devices hacked. They must have set up an anti-phishing code at least 21 days before an unauthorized transaction took place, filed a police report and given Crypto.com a copy, and completed a questionnaire to help Crypto.com with their investigation.