In context: A couple of days ago, we reported that cryptocurrency trading platform Crypto.com had been hacked, with analysts predicting that roughly $14 million worth of Ethereum tokens were lost in the process. Company CEO Kris Marszalek later downplayed the incident, saying that "no customer funds were lost." After his team conducted an internal investigation, however, it seems that statement was not quite true.
Crypto.com has published a full security report on its website detailing exactly how much currency was lost as part of the hack. The company also briefly discussed how and when it first detected the hack and listed the steps it has taken and will be taking to better protect its users in the future.
For starters, not only were customer funds most certainly lost despite the CEO's claim to the contrary, but that loss was significantly greater than the $14 million initially predicted by data analytics firm PeckShield. According to the exchange, 483 Crypto.com users were affected by the hack, with 4,836.26 ETH ($15.3 million), 443.93 BTC ($18.8 million), and around $66,200 USD being lost in total. If you don't feel like doing the math, that adds up to a loss of about $34.1 million.
We just published full incident report which a sums up what happened and how we addressed it. All 483 affected accounts were fully reimbursed, ie. no customer loss of funds.--- Kris | Crypto.com (@Kris_HK) January 20, 2022
We're also launching US$250,000 Worldwide Account Protection Program covering funds held with us. https://t.co/8SHGaaoaCn
To be clear, Crypto.com hasn't simply cut its losses and run here. All affected customers have already been reimbursed; a fact Marszalek has used to justify his initial claim that "no customer funds were lost."
So, how did this happen in the first place? Crypto.com says the breach was detected three days ago on January 17 by its "risk monitoring systems." The systems noticed that transactions were taking place across a "small number" of user accounts without said users inputting their 2FA codes. Withdrawals were immediately suspended while Crypto.com investigated, and all 2FA tokens were revoked.
To bolster its security, Crypto.com says it has already switched to a new 2FA infrastructure and added a mandatory 24-hour delay period between the time a user registers a new "whitelisted withdrawal address" and makes their first withdrawal to said address. Other measures have also been implemented, but the company is (understandably) not elaborating on what those are.
Crypto.com is well aware that customers might be a bit concerned about doing business on its platform after this incident, so it has created the new "Worldwide Account Protection Program" in response. This program will restore funds lost through future third-party hacks "up to" $250,000 for qualified users.
It remains to be seen whether or not these measures will be enough to restore customer faith in Crypto.com as a platform, but we'll let you know if the situation develops any further.