Crypto.com confirms $34 million hack caused by 2FA bypass exploit
The cryptocurrency exchange previously denied that any customers lost funds despite numerous reports from customers and analysts


Singapore-based cryptocurrency exchange Crypto.com has confirmed its two-factor authentication (2FA) was exploited by unauthorised individuals to drain $34 million (around £25 million) from user accounts this week.
The exchange said 483 of its customers were involved in the hack that saw attackers bypass 2FA controls and make unauthorised withdrawals of 4,836.26 Ethereum tokens, worth around $14 million or £10.3 million.
Bitcoin tokens worth around $17.3 million or £12.75 million, and approximately $66,200 (£48,786) in other cryptocurrencies, were also stolen in the attack. Prices are correct at the time of writing.
The details around the 2FA exploitation are currently unclear but Crypto.com has since "migrated to a completely new 2FA infrastructure" and revoked the 2FA tokens for all global users in order for this to be applied.
Crypto.com also implemented an additional layer of security: a 24-hour delay between registering a whitelisted withdrawal address and the first withdrawal to that address. This will allow users to screen these addresses as they are registered, via notifications sent to them by the exchange, and "give them adequate time to react and respond," the exchange said.
Alongside the 2FA overhaul, Crypto.com has engaged third-party security firms to examine the security of its new system, and it plans eventually to transition to a multi-factor authentication (MFA) model.
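The whitelist-plus-delay control described above can be modelled in a few dozen lines. The following is an added illustration written for this article, not Crypto.com's code; the class, method names and the constructed timestamps and address are assumptions. It enforces the 24-hour cooling period, records the notification the user would receive at registration time, and lets an address be revoked during that window, which is the point of the delay: a victim who sees an unexpected "new address registered" notice still has time to remove it before any funds can move.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Cooling-off period between registering a withdrawal address and the
# first withdrawal to it, matching the 24-hour delay described in the article.
COOLING_PERIOD = timedelta(hours=24)


@dataclass
class WithdrawalPolicy:
    """In-memory model of a per-user withdrawal whitelist with a delay.

    Constructed for illustration only; a real exchange would back this with
    a database and an out-of-band notification channel (email/push).
    """
    # (user, address) -> time the address was registered
    whitelist: dict = field(default_factory=dict)
    # notifications the user would receive, kept here so they can be inspected
    notifications: list = field(default_factory=list)

    def register_address(self, user: str, address: str, now: datetime) -> datetime:
        """Whitelist an address and tell the user when it becomes usable."""
        eligible_at = now + COOLING_PERIOD
        self.whitelist[(user, address)] = now
        self.notifications.append(
            f"{user}: withdrawal address {address} registered at {now:%Y-%m-%d %H:%M}; "
            f"withdrawals possible from {eligible_at:%Y-%m-%d %H:%M}. "
            "Not you? Remove the address before then."
        )
        return eligible_at

    def revoke_address(self, user: str, address: str) -> bool:
        """Let the user (or support staff) remove an address, e.g. during the delay."""
        return self.whitelist.pop((user, address), None) is not None

    def check_withdrawal(self, user: str, address: str, now: datetime) -> tuple:
        """Return (allowed, reason) for a withdrawal request to `address`."""
        registered = self.whitelist.get((user, address))
        if registered is None:
            return False, "address not whitelisted"
        eligible_at = registered + COOLING_PERIOD
        if now < eligible_at:
            remaining = eligible_at - now
            return False, f"address in cooling period, {remaining} remaining"
        return True, "ok"


def demo() -> list:
    """Walk through the lifecycle; returns the allow/deny decisions in order."""
    policy = WithdrawalPolicy()
    t0 = datetime(2022, 1, 17, 9, 0)  # constructed timestamp
    addr = "0xPLACEHOLDER_ADDRESS"     # constructed placeholder, not a real address
    policy.register_address("alice", addr, t0)
    results = [
        # one hour after registration: still inside the cooling period
        policy.check_withdrawal("alice", addr, t0 + timedelta(hours=1))[0],
        # exactly 24 hours later: allowed
        policy.check_withdrawal("alice", addr, t0 + timedelta(hours=24))[0],
    ]
    # the user spotted the notification and removed the address
    policy.revoke_address("alice", addr)
    results.append(policy.check_withdrawal("alice", addr, t0 + timedelta(hours=25))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The delay only helps if the notification reaches the user over a channel the attacker does not also control, so the registration notice should go to a contact method that cannot be changed from the same compromised session.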
"We don't have the details on how the Crypto.com hack evolved, but it appears that the policy controlling 2FA was exploited in some way, deactivating it for certain users," said Robert Byrne, field strategist at One Identity, speaking to IT Pro.
"There are various ways hackers may be able to circumvent 2FA services, but the most likely explanation here is that they compromised and exploited a privileged user account - the hackers then use that account to deactivate the 2FA policy for some users and, having compromised those accounts, they can then log in and steal the funds.
"The 2FA service here is likely offered by a third-party service, so that supplier's infrastructure may well have been one of the targets of the attack," Byrne added. "Of course, it is possible there was an honest administrative error in security configuration that was detected by the thieves, who then rushed in to exploit it before it was remediated. Sadly, misconfigurations are not uncommon due to the pressure on security staff and the lack of sanity checks and surveillance of configuration settings."
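Byrne's closing point, the lack of sanity checks and surveillance of configuration settings, is the kind of gap a simple audit-log detection closes. The following is an added example written for this article, not Crypto.com's tooling; the JSON-lines log format, field names, user and admin names are all constructed. It raises two findings over the sample events: a withdrawal that follows a 2FA deactivation on the same account within a short window, and an actor who disables 2FA for several accounts in quick succession, which is the bulk policy change Byrne describes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). The events, field names and
# identities are invented for this example; this is not a real log format.
SAMPLE_LOG = """
{"ts": "2022-01-17T09:00:00", "event": "2fa_policy_changed", "actor": "ops-admin-7", "target_user": "alice", "new_state": "disabled"}
{"ts": "2022-01-17T09:02:00", "event": "2fa_policy_changed", "actor": "ops-admin-7", "target_user": "bob", "new_state": "disabled"}
{"ts": "2022-01-17T09:05:00", "event": "2fa_policy_changed", "actor": "ops-admin-7", "target_user": "carol", "new_state": "disabled"}
{"ts": "2022-01-17T09:40:00", "event": "withdrawal", "user": "alice", "asset": "ETH", "amount": 12.5}
{"ts": "2022-01-17T10:10:00", "event": "withdrawal", "user": "bob", "asset": "BTC", "amount": 0.8}
{"ts": "2022-01-16T08:00:00", "event": "2fa_policy_changed", "actor": "dave", "target_user": "dave", "new_state": "disabled"}
{"ts": "2022-01-16T20:00:00", "event": "withdrawal", "user": "dave", "asset": "ETH", "amount": 1.0}
{"ts": "2022-01-17T11:00:00", "event": "withdrawal", "user": "erin", "asset": "BTC", "amount": 0.1}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime `ts`, sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_2fa_disable(event: dict) -> bool:
    return event["event"] == "2fa_policy_changed" and event["new_state"] == "disabled"


def find_withdrawals_after_2fa_disable(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Flag withdrawals that occur within `window` of the account's 2FA being disabled.

    Returns (user, actor_who_disabled, minutes_between) tuples.
    """
    last_disable = {}  # user -> most recent disable event
    findings = []
    for event in events:
        if is_2fa_disable(event):
            last_disable[event["target_user"]] = event
        elif event["event"] == "withdrawal":
            disable = last_disable.get(event["user"])
            if disable is not None:
                gap = event["ts"] - disable["ts"]
                if gap <= window:
                    findings.append((event["user"], disable["actor"], gap.total_seconds() / 60))
    return findings


def find_bulk_2fa_disables(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag actors who disable 2FA on at least `threshold` accounts within `window`.

    Uses a sliding window over each actor's sorted disable timestamps.
    """
    by_actor = defaultdict(list)
    for event in events:
        if is_2fa_disable(event):
            by_actor[event["actor"]].append(event["ts"])
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(actor)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for finding in find_withdrawals_after_2fa_disable(evts):
        print("withdrawal shortly after 2FA disable:", finding)
    for actor in find_bulk_2fa_disables(evts):
        print("bulk 2FA disable by:", actor)
```

In the sample, alice and bob withdraw within two hours of an administrator disabling their 2FA and ops-admin-7 trips the bulk-change rule, while dave's self-service change twelve hours before a withdrawal and erin's withdrawal with no policy change are left alone. Thresholds and windows are starting points to tune against real volumes, and the second rule is the one that would fire before any money moves.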
The exchange has now introduced a worldwide Account Protection Program (APP), which will reimburse qualified users up to $250,000 in cases where unauthorised actors drain their accounts. To qualify, users must enable MFA on all transaction types, set up an anti-phishing code, not use jailbroken devices, file a police report, and complete a questionnaire to support a forensic investigation.
The wider story
Crypto.com users first started reporting unauthorised withdrawals from their accounts on Monday, according to a Tweet from the exchange which assured that "all funds are safe". The sentiment was echoed by the exchange's CEO in a follow-up Tweet posted on Tuesday, which confirmed that no customer funds were lost, that the infrastructure downtime was around 14 hours, and that the infrastructure had been "hardened" following the incident.
Meanwhile, blockchain security and data analytics company PeckShield tweeted that the exchange had lost $15 million (£11 million) and that stolen Ethereum was being "washed" using Tornado Cash, a cryptocurrency tumbling and mixing service - the cryptocurrency equivalent of money laundering.
After the official update was published on Thursday, affected customers were still reporting that they had not been reimbursed and others said they were still unable to access their account.
What is Crypto.com?
The Singapore-based cryptocurrency exchange was founded in 2016, then known as 'Monaco' before being rebranded to Crypto.com in 2018. The company has sponsorship ties with a number of high-profile sports teams including Paris St-Germain, the Philadelphia 76ers, the Italian Serie A football league, Formula 1, and the Ultimate Fighting Championship (UFC).
It also bought the naming rights to the Staples Center arena in 2021, located in Los Angeles, for a reported $700 million (£516.3 million) with the rights lasting 20 years.
The company is a big proponent of Web3 and has been quick to capitalise on the recent popularity of non-fungible tokens (NFTs), adding a dedicated marketplace for the asset to its offering.
The company has 10 million users across 90 countries and employs 3,000 staff to run the business.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.