Back to the list

Crypto.com Suffers Hack for At Least $15M in Ethereum


decrypt.co 18 January 2022 07:42, UTC
Reading time: ~3 m

Cryptocurrency exchange Crypto.com has reportedly fallen victim to a hack, with at least $15 million worth of Ethereum stolen.

Despite reports of missing funds, the platform has yet to confirm that it has indeed been attacked.

With almost $3 billion in trading volume in the last 24 hours, Crypto.com is the industry’s fourth-largest centralized crypto exchange, according to CoinGecko.

A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center—the Los Angeles home venue of the NBA's Lakers and Clippers.

Crypto.com Pays Reported $700 Million for Naming Rights to Lakers, Clippers Arena

On Monday, Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts,” stressing that “all funds are safe.”

Citing the need to enhance security, the exchange also urged users to sign back into their accounts and reset their two-factor authentication (2FA).

Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe.

In an abundance of caution, security on all accounts is being enhanced, requiring users to:

-Sign back into their App & Exchange accounts
-Reset their 2FA

— Crypto.com (@cryptocom) January 17, 2022

Unpacking the Crypto.com hack

Despite users complaining about funds missing from their accounts, and Dogecoin co-founder Billy Markus pointing to “odd activity” on one of the Ethereum wallets associated with Crypto.com, the exchange announced that withdrawals had resumed at 17:42 UTC on Monday.

The events took a turn for the worse when security research company Peckshield took to Twitter in the early hours on Tuesday to reveal that Crypto.com has lost at least 4,600 ETH (around $15 million in current prices).

Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service.

The @cryptocom loss is about $15M with at least 4.6K ETHs and half of them are currently being washed via @TornadoCash https://t.co/PUl6IrB3cp https://t.co/6SVKvk8PLf pic.twitter.com/XN9nmT857j

— PeckShield Inc. (@peckshield) January 18, 2022

Peckshield told Decrypt via a Twitter message that the true scale of the damage is “definitely worse.”

Quite remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.

According to Marszalek, the exchange “has hardened the infrastructure in response to the incident” and “will share a full post mortem after the internal investigation is completed.”

Some thoughts from me on the last 24 hours:

- no customer funds were lost
- the downtime of withdrawal infra was ~14 hours
- our team has hardened the infrastructure in response to the incident

We will share a full post mortem after the internal investigation is completed.

— Kris | Crypto.com (@Kris_HK) January 18, 2022

It’s worth noting, though, that some users confirmed that the funds they claimed were missing were eventually returned to their accounts.

Decrypt has also reached to Crypto.com for comments and will update the story should we hear back.

Back to the list