$34 358 000 USD

JANUARY 2022

SINGAPORE

CRYPTO.COM

DESCRIPTION OF EVENTS

"Founded in 2016, Crypto.com today serves over 10 million customers with the world’s fastest growing crypto app, along with the Crypto.com Exchange and Crypto.com DeFi Wallet."

 

"CRYPTO.COM EXCHANGE. Trade with confidence on the world’s fastest and most secure crypto exchange." "The World’s Fastest Growing Crypto App" "Buy crypto at true cost. Buy and sell 250+ cryptocurrencies with 20+ fiat currencies using bank transfers or your credit/debit card." "Join 10m+ users buying and selling 250+ cryptocurrencies at true cost. Spend with the Crypto.com Visa Card and get up to 8% back. Grow your portfolio by receiving rewards up to 14.5% on your crypto assets."

 

"Powered by cryptocurrency, the future of the internet: Web3 will be more fair and equitable, owned by the builders, creators and users. You." "We believe it is your basic right to control your money, data and identity."

 

"Security First. Always." "Our commitment to our customers is built on trust. We believe that security and data privacy are the foundations of achieving mainstream cryptocurrency adoption."

 

"While Crypto.com is the world’s fourth-largest crypto exchange, it has been pushing hard into U.S. markets in recent months, with stunts including viral advertisements featuring actor Matt Damon and a $700 million purchase of the naming rights to the Los Angeles Lakers and Clippers Arena."

 

“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,” said Jason Lau, Chief Information Security Officer of Crypto.com. "Crypto.com [recently became] the First Cryptocurrency Platform to Achieve SOC 2 Compliance, ISO27001, ISO27701, PCI:DSS 3.2.1 (Level 1), and Highest “Adaptive” maturity levels for the NIST Cybersecurity Framework and NIST Privacy Framework." Crypto.com "successfully completed the Service Organization Control (SOC) 2 Audit, conducted by globally recognized audit and consulting firm Deloitte, which affirms that Crypto.com’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, confidentiality and privacy."

 

"On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts." "The incident affected 483 Crypto.com users. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies."

 

"Several users of [the] exchange endorsed by Matt Damon in a notorious viral ad complained over the weekend that their funds on the platform had been stolen. Confusion has reigned since then, as the company said no customer funds were stolen in what it vaguely referred to as an “incident” in communications." Complaints had initially only "been met with vague responses from the company".

 

"Crypto.com first paused withdrawals on its platform on Sunday after noting via Twitter that a “small number of users [are] reporting suspicious activity on their accounts.” It also asked customers to reset their two-factor authentication out of “an abundance of caution.”" "The company then reassured users numerous times in its communications that customer funds were safe, drawing speculation that Crypto.com would cover any customer losses incurred." "The site suspended all withdrawals for 14 hours to investigate the issue."

 

"On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation."

 

"On Monday, reports emerged that Crypto.com had halted withdrawals "after a small number of users" experienced suspicious transactions on their accounts. The cryptocurrency exchange has since resumed withdrawals and confirmed that its users' money was "safe," but reports emerged later that it had lost 4.6K ETH ($15 million) and was being laundered using Tornado Cash." "PeckShield claimed in the tweet that about half of the funds were being sent to Tornado Cash to be “washed.” Tornado Cash says it provides “non-custodial anonymous transactions” on the Ethereum blockchain, meaning it can hide where crypto is being sent."

 

"The company “revoked all customer 2FA tokens and added additional security hardening measures” before asking customers to log back into the platform and set up their 2FA tokens again, the company says. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal, so users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized."

 

"ErgoBTC tweeted on Tuesday suggesting that another 444 BTC ($18.5 million) had been stolen from Crypto.com's payout wallet. ErgoBTC said that OXT Research discovered a suspicious transaction of 52.55 BTC ($2.18 million) from Crypto.com's custodial wallet."

 

"Following the transaction, “several hundred withdrawals” were made which were then combined into four outputs worth 67.75 BTC ($2.81 million) each, as per ErgoBTC. The four batches amounted to 271 BTC ($11.25 million), all of which were laundered via a Bitcoin tumbler, a service that allows customers to combine several transactions and make it more difficult for investigators to trace Bitcoin transfers." "The Bitcoin tumbler allegedly utilized by the alleged perpetrators to wash the 271 BTC is a well-known tool employed by the North Korean cybercrime syndicate, Lazarus."

 

"The total losses, worth over $34 million at current cryptocurrency values, are even higher than what analysts had predicted before Crypto.com released its statement."

 

"According to ErgoBTC, the criminals behind the Crypto.com security breach also controlled another address holding 172.9 BTC ($7.25 million). Blockchair data reveals that the address received the funds at about the same time as the other transactions linked to the Crypto.com hack. However, as of the publishing of this article, the purported hacker has not transferred the funds through a bitcoin tumbling service yet."

 

"Crypto.com CEO Kris Marszalek said around 400 customer accounts have been compromised in a hack in an interview with Bloomberg TV on Wednesday." "Marszalek did not share details on how the breach occurred during the interview, though he did confirm that Crypto.com had reimbursed all the impacted accounts." "The exchange said that in most cases it “prevented the unauthorized withdrawal,” and added that in the other cases it reimbursed customers for their losses."

 

"Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022." "In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure."

 

"Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized."

 

"The company conducted an internal audit and engaged third-party security firms to check its platform after the breach, it says. It announced its plans to transition away from 2FA and to “true multi-factor authentication” to bolster security, though it did not provide an expected timeline for this change."

 

"Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services."

 

"Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base."

 

"Crypto.com is introducing the worldwide Account Protection Program (APP). APP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange." "APP restores funds up to USD$250,000 for qualified users; terms & conditions apply." "Crypto.com will make the final determination of eligibility requirements and approval of claims. APP will begin rolling out in select markets starting 1 February 2022."

 

“Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”

 


Crypto.com is one of the largest cryptocurrency exchanges globally. While details are vague, it appears that a vulnerability allowed an attacker to trigger withdrawals without completing the 2FA checks which were intended to be necessary for a withdrawal.

 

After the initial confusion, the company eventually admitted what had happened and has since appeared to compensate all users. The 2FA system has been upgraded. They've also introduced some additional coverage (APP program) where they may cover up to $250k of losses.

HOW COULD THIS HAVE BEEN PREVENTED?

There were no customer losses in this case: the amount stolen was a very small fraction of the funds on the platform, and the exchange reimbursed the affected accounts. The original loss could have been prevented by using cold storage and requiring multiple signatures on withdrawals. Even within the hot wallet infrastructure, there are opportunities to add further factors, which make an adversary's task considerably harder. While the APP is a good program, decisions about coverage rest with Crypto.com, which has an incentive to cover only smaller losses, where the value of the customer relationship and/or the reputational damage exceeds the amount lost. An industry insurance fund would act in a more impartial capacity.
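The controls described above (a withdrawal that can only be approved once the server itself has recorded a completed 2FA step, the 24-hour delay between whitelisting an address and the first withdrawal to it, and monitoring for withdrawals approved without 2FA) sketched as an added example. This is not Crypto.com's code; the class, function names, proof format, timings and sample events are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
# Controls the page describes: 2FA that must actually have been completed server-side before a
# withdrawal is approved, and a 24-hour delay between whitelisting an address and withdrawing to it.
WHITELIST_DELAY = timedelta(hours=24)   # assumed values; names are this example's own
PROOF_TTL = timedelta(minutes=5)

class Account:
    def __init__(self):
        self.whitelist = {}    # address -> time it was whitelisted (user is notified at that point)
        self.pending_2fa = {}  # proof id -> (address, amount, expiry)

def record_2fa_success(acct, proof_id, address, amount, now):
    # Only the server path that verified the user's 2FA code calls this. The proof is bound to
    # one exact withdrawal, so a client cannot merely assert that 2FA was done.
    acct.pending_2fa[proof_id] = (address, amount, now + PROOF_TTL)

def authorize_withdrawal(acct, address, amount, proof_id, now):
    """Fail-closed gate: every path that does not reach 'approve' is a denial."""
    registered = acct.whitelist.get(address)
    if registered is None:
        return "deny: address not whitelisted"
    if now - registered < WHITELIST_DELAY:
        return "deny: 24h whitelist delay not elapsed"
    bound = acct.pending_2fa.pop(proof_id, None)  # single use: consumed on the first attempt
    if bound is None or now > bound[2] or bound[:2] != (address, amount):
        return "deny: no valid server-recorded 2FA verification for this exact withdrawal"
    return "approve"

def withdrawals_without_2fa(events):
    """Flag approved withdrawals with no same-account 2FA verification in the preceding PROOF_TTL."""
    verified = [(e["account"], e["ts"]) for e in events if e["type"] == "2fa_verified"]
    return [e["id"] for e in events if e["type"] == "withdrawal_approved" and not any(
        a == e["account"] and e["ts"] - PROOF_TTL <= t <= e["ts"] for a, t in verified)]

def demo():
    """Constructed scenario: withdraw too early, then correctly, then replay the same proof."""
    t0 = datetime(2022, 1, 17, tzinfo=timezone.utc)
    acct = Account()
    acct.whitelist["addr-A"] = t0
    record_2fa_success(acct, "p1", "addr-A", 1.5, t0 + timedelta(hours=1))
    early = authorize_withdrawal(acct, "addr-A", 1.5, "p1", t0 + timedelta(hours=1))
    t1 = t0 + timedelta(hours=25)
    record_2fa_success(acct, "p2", "addr-A", 1.5, t1)
    ok = authorize_withdrawal(acct, "addr-A", 1.5, "p2", t1)
    replay = authorize_withdrawal(acct, "addr-A", 1.5, "p2", t1)  # same proof presented again
    events = [{"type": "2fa_verified", "account": "A", "ts": t1},
              {"type": "withdrawal_approved", "id": "w1", "account": "A", "ts": t1 + PROOF_TTL},
              {"type": "withdrawal_approved", "id": "w2", "account": "B", "ts": t1 + PROOF_TTL}]
    return {"early": early, "ok": ok, "replay": replay, "flagged": withdrawals_without_2fa(events)}
```

The monitoring rule is deliberately coarse; in practice the 2FA event would be matched to the withdrawal by the proof id rather than by account and time window.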

 
