Trading platform Crypto.com lost about $US34 (A$47) million worth of cryptocurrency in a hack on Monday, according to a new blog post by the company published overnight. The company had previously declined to say much about the hack, which forced users to stop withdrawals for most of the day, and only reassured customers they wouldn’t lose any money.
Hackers made off with 4,836.26 ethereum, 443.93 bitcoin, and approximately $US66,200 (A$91,899) in other crypto coins from precisely 483 users, according to the company. Crypto.com, which has about 10 million users, halted all withdrawals on Monday for about 14 hours after “suspicious activity” was detected, and forced all users to reset their two-factor authentication methods.
The ethereum that was taken is worth about $US15.3 (A$21) million and the bitcoin is worth $US18.6 (A$26) million at today’s conversion rate, bringing the grand total to about $US34 (A$47) million in lost funds. But Crypto.com is quick to note that no users have lost any money because the company has topped up their accounts.
“All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored,” Crypto.com said in a statement.
Hackers were able to get into the accounts without the need for two-factor authentication, though it’s not clear how they pulled it off. Crypto.com has revamped its two-factor authentication program and has introduced a 24-hour delay for white-listed withdrawal addresses, according to the company’s post mortem.
The unknown hackers are currently trying to launder their stolen crypto using crypto mixers, as Gizmodo reported yesterday. The ethereum is being laundered through an app called Tornado Cash, which bills itself as a privacy tool. The bitcoin appears to be getting laundered through an unknown bitcoin mixer, sometimes known as a tumbler or peel chain.
Crypto.com also announced it was launching an insurance program called the Worldwide Account Protection Program. But this isn’t the same “WAPP” you might be more familiar with. This program allows qualified users to reclaim up to $US250,000 (A$347,050) in funds if their accounts get hacked.
What does it mean to be qualified? According to the company, users must first:
- Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,
- Set up an anti-phishing code at least 21 days prior to the reported unauthorised transaction,
- Not be using jailbroken devices,
- File a police report and provide a copy of it to Crypto.com; and
- Complete a questionnaire to support a forensic investigation.
It sounds like any future hacks won’t necessarily be covered universally, as Crypto.com did in Monday’s hack.
“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,” Jason Lau, Chief Information Security Officer of Crypto.com said in a statement published online.
“While our goal is to prevent any security breaches, our industry leading insurance policy and Worldwide Account Protection Programs offer our customers additional protections in rare instances when there is an incident.”