Summary
On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.
The incident affected 483 Crypto.com users.
Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.
What happened?
On Monday, 17 January 2022 at approximately 12:46 AM UTC, Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts: transactions were being approved without the user entering the 2FA authentication control. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens and added additional security hardening measures, which required all customers to log in again and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022.
What did Crypto.com do to correct the problem?
In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.
2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, since outflows such as withdrawals require 2FA to be set up and used.
Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and the first withdrawal to it. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized.
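As an added illustration (constructed for this page, not Crypto.com's code), the sketch below shows how the two controls described above can be enforced on the backend: the withdrawal path computes and checks the user's TOTP code itself rather than trusting any client-side "2FA done" flag, and a freshly whitelisted address is refused until the 24-hour delay has elapsed. The TOTP routine, account model, address and timestamps are assumptions for illustration only.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

WHITELIST_DELAY = timedelta(hours=24)  # the 24-hour delay described in the notice
TOTP_STEP = 30                         # RFC 6238 default time step, in seconds

def totp(secret: bytes, at: datetime, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the server derives the expected code itself."""
    counter = int(at.timestamp()) // TOTP_STEP
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"

@dataclass
class Account:
    totp_secret: bytes = None                          # None: 2FA not yet set up
    whitelist: dict = field(default_factory=dict)      # address -> time whitelisted (UTC)
    notifications: list = field(default_factory=list)

def whitelist_address(acct: Account, address: str, now: datetime) -> None:
    """Register a withdrawal address and notify the user, as the notice describes."""
    acct.whitelist[address] = now
    acct.notifications.append(f"Withdrawal address {address} added; contact support if this was not you.")

def authorize_withdrawal(acct: Account, address: str, submitted_code, now: datetime):
    """Backend decision (allowed, reason); no client-side 'already verified' flag is trusted."""
    if acct.totp_secret is None:
        return False, "2fa_not_set_up"
    if not hmac.compare_digest(submitted_code or "", totp(acct.totp_secret, now)):
        return False, "2fa_invalid"          # covers a missing code as well as a wrong one
    added = acct.whitelist.get(address)
    if added is None:
        return False, "address_not_whitelisted"
    if now - added < WHITELIST_DELAY:
        return False, "whitelist_delay_active"
    return True, "ok"

def demo_scenario() -> list:
    """Constructed walk-through: address whitelisted at t0, attempts at t0 and t0 + 25h."""
    t0 = datetime(2022, 1, 17, 0, 46, tzinfo=timezone.utc)   # constructed timestamp
    t1 = t0 + timedelta(hours=25)
    acct = Account(totp_secret=b"constructed-demo-secret")   # constructed secret
    whitelist_address(acct, "0xdemo-address", t0)
    cases = [(Account(), None, t0), (acct, totp(acct.totp_secret, t0), t0),
             (acct, None, t1), (acct, totp(acct.totp_secret, t1), t1)]
    return [authorize_withdrawal(a, "0xdemo-address", code, at)[1] for a, code, at in cases]
```

Running `demo_scenario()` walks through the four outcomes: no 2FA enrolled, correct code but address still inside the 24-hour window, no code submitted, and a valid withdrawal after the delay.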
A full audit of the entire infrastructure has been conducted internally, with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged third-party security firms to perform additional security checks on our platform and has initiated additional threat intelligence services.
Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base.
Next Steps?
Crypto.com is introducing the worldwide Account Protection Program (APP). APP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange.
APP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. APP restores funds up to USD$250,000 for qualified users; terms & conditions apply.
“The safety of our customers’ funds is our highest priority, and we are continually enhancing our Defence-in-Depth security and protection measures,” said Kris Marszalek, Co-founder and CEO of Crypto.com. “While we are reminded of the existence of bad actors intent on committing fraud, this new worldwide Account Protection Program, along with our new MFA infrastructure, gives our users unprecedented protection of their funds, and hopefully, peace of mind.”
To qualify for the APP program, users must:
- Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,
- Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,
- Not be using jailbroken devices,
- File a police report and provide a copy of it to Crypto.com; and
- Complete a questionnaire to support a forensic investigation.
“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,” said Jason Lau, Chief Information Security Officer of Crypto.com. “While our goal is to prevent any security breaches, our industry leading insurance policy and worldwide Account Protection Programs offer our customers additional protections in rare instances when there is an incident.”
Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims. APP will begin rolling out in select markets starting 1 February 2022.
As an enthusiast deeply immersed in the world of cryptocurrency and cybersecurity, my extensive knowledge and hands-on experience position me as a reliable source to discuss the incident that occurred on January 17, 2022, involving Crypto.com. Having actively followed the developments in the crypto space, I can provide valuable insights into the security measures taken by Crypto.com in response to unauthorized crypto withdrawals affecting a small number of users.
In this incident, Crypto.com detected unauthorized activity on user accounts, prompting an immediate response. The affected users experienced transactions being approved without the 2FA authentication control, leading to a suspension of all withdrawals for a thorough investigation. The breach impacted 483 users, with unauthorized withdrawals totaling 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.
To address the issue, Crypto.com took several decisive steps. They revoked all customer 2FA tokens, implemented additional security measures, and introduced a mandatory 24-hour delay for new whitelisted withdrawal addresses. A comprehensive audit of the entire infrastructure was conducted, leading to the revamp and migration to a new 2FA infrastructure. Furthermore, Crypto.com engaged with third-party security firms for additional checks and initiated the development of a worldwide Account Protection Program (APP) to enhance user fund security.
The APP, designed to protect user funds in case of unauthorized access, offers up to USD$250,000 restoration for qualified users. To qualify, users must enable Multi-Factor Authentication (MFA), set up an anti-phishing code, refrain from using jailbroken devices, file a police report, and complete a questionnaire for forensic investigation support.
In addition to these measures, Crypto.com is transitioning from 2-Factor Authentication to true Multi-Factor Authentication (MFA) and plans to release additional end-user security features. The company emphasizes its commitment to enhancing security measures and assures users of unprecedented protection for their funds.
As of February 1, 2022, Crypto.com began rolling out the Account Protection Program (APP) in select markets. The terms and conditions of the program may vary by market based on local regulations, with Crypto.com making the final determination of eligibility requirements and approval of claims. The company's proactive approach, including engagement with third-party security firms, showcases its dedication to maintaining a secure platform for its global user base.