Crypto.com Admits $34 Million Hack

Image source: Getty Images

The popular exchange hasn’t revealed how customer funds were stolen, but it has refunded the losses.

Key points

• Crypto.com has now released details of this week’s $34 million hack.
• The cryptocurrency exchange will introduce a new account protection program.
• All cryptocurrency investors should take protective steps, such as using strong passwords and two-factor authentication.

At the start of this week, Crypto.com temporarily halted withdrawals due to a security incident. Now, several days later, the exchange has released details of how much was lost and the steps it’s taking to prevent future attacks.

Hackers stole over $34 million in Ethereum (ETH), Bitcoin (BTC), and U.S. dollars. Importantly, Crypto.com says it has reimbursed all customers who lost money.

How the hack unfolded

Just after midnight on Jan. 17, Crypto.com suspended withdrawals after its monitoring system flagged unauthorized activity. It found transactions were being approved without users’ two-factor authentication (2FA) codes. A 2FA code is a second access password users need to log in, adding an extra layer of security — for example, a six-digit code sent from the Google authenticator app.

After 14 hours, Crypto.com resumed withdrawal functionality. Users had to re-login and reset their 2FA. At that point, the popular cryptocurrency app and exchange claimed no customer funds had been lost. But, as highlighted by PeckShield security firm, hackers had made away with millions of dollars.

The company says it was able to prevent withdrawals in most cases, but a total of 483 Crypto.com users were affected. And even though that money was reimbursed, customer funds were lost. Today’s blog post confirms the losses, but is far from the “full post-mortem” CEO Kris Marszalek promised via Twitter.

Crypto.com has been criticized for its lack of transparency during the incident, especially as the exchange still hasn’t explained how hackers bypassed its 2FA systems. Another puzzle is that Crypto.com’s website says 100% of user assets are held offline in cold storage — raising questions about how the thieves gained access.

Crypto.com has put a lot of effort into promotion recently, including a global ad campaign and its purchase of the naming rights to the Staples Center (now Crypto.com arena). As a result, its Crypto.com Coin (CRO) is up over 285% in the past six months. It’s hard to see how much the token has been impacted by the hack, because many top cryptocurrencies have slumped in recent weeks.

There may be criticism over the company’s communication during the incident, but it’s reassuring to see that Crypto.com made good on customer losses. According to its blog post, it’s also working to prevent future breaches.

The biggest measure it has taken is to create a new Worldwide Account Protection Program. Once it’s running, qualified users can claim up to $250,000 in the event of future fraud or hacks. To qualify, Crypto.com customers need to set up multi-factor authentication and anti-phishing codes, among other steps.

Here are the other steps it has taken:

• It migrated to a new 2FA system.
• It introduced a 24-hour delay on withdrawals to new whitelist addresses. Customers who whitelist addresses can withdraw to those addresses and no others.
• It engaged a third-party security firm to carry out extra security checks.

How you can protect your crypto

Sadly, cryptocurrency exchange hacks are not uncommon. Since the first Mt. Gox hack back in 2011, there’s been a steady stream of exchange breach stories. Just last year, Coinbase revealed hackers had stolen from at least 6,000 customers.

Here are steps you can take to keep your crypto safe:

• Use strong passwords. Password security is your first line of defense against cyber criminals, so use a password manager to help you create codes that can’t be easily cracked. It’s also important not to use the same password for every account.
• Bookmark your crypto exchange sites. One common way scammers take crypto assets is to set up fake sites that look similar, then steal any money you deposit and personal data you enter.
• Create address whitelists. This makes it difficult to withdraw money to addresses you haven’t approved.
• Enable 2FA. It may not have helped Crypto.com customers, but in many cases, 2FA adds another layer of account protection.
• Use reputable exchanges. Top cryptocurrency exchanges take strong security measures. Some also have third-party insurance to refund any customer losses in the event of a breach.
• Consider an external crypto wallet. External cryptocurrency wallets give you more control over your cryptocurrency. If you move your funds to a wallet you control, especially a hardware wallet kept offline, you won’t be affected by crypto exchange hacks. That said, you need to protect your password — there are billions of inaccessible crypto dollars stuck in external wallets because people lost their access codes.

Don’t assume cryptocurrency exchanges have the same levels of security as a normal bank account. The lack of regulation means many don’t. But while we can’t create an electronic Fort Knox, the steps above will make it a bit harder for hackers to access your crypto assets.