2FA compromise led to Crypto.com hack

More details have emerged about the recent Crypto.com hack that left nearly 500 customers without their hard-earned cryptocurrencies.

The company posted a post-mortem on its website saying that whoever was behind the theft managed to withdraw millions of dollars in cryptocurrency from hundreds of accounts without the two-factor authentication (2FA) code being entered.

A total of 483 accounts were compromised, with more than €31 million stolen, consisting of 4,836.26 ETH, 443.93 BTC, and around €66,200 in “other cryptocurrencies.”

Security breaches and fraud

Crypto.com did not provide further details on how it was possible to withdraw the tokens without entering 2FA, or on whether an endpoint was compromised, but it did say what it has done so far and what it plans to do in the future.

After the incident was discovered, the company first suspended all withdrawals from the platform, refunded affected accounts, revoked all 2FA tokens from customers, and added "additional security strengthening measures."

Now, after adding a new withdrawal address to the account, the owner must wait 24 hours for it to be approved, giving legitimate owners plenty of time to report a potential issue.
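
The 24-hour hold on newly added withdrawal addresses described above can be sketched as follows. This is an added example, not Crypto.com's code; the class, method names, and sample addresses are hypothetical, and addresses are treated as opaque strings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=24)  # delay reported in the article


@dataclass
class WithdrawalAllowlist:
    """Per-account allowlist: a new address is usable only after HOLD."""
    added_at: dict = field(default_factory=dict)  # address -> time added

    def add_address(self, address: str, now: datetime) -> datetime:
        """Register an address and return the time it becomes usable.
        Re-adding an address already on the list never shortens its hold."""
        self.added_at.setdefault(address, now)
        return self.added_at[address] + HOLD

    def remove_address(self, address: str) -> None:
        """The owner cancels an address they do not recognise."""
        self.added_at.pop(address, None)

    def check_withdrawal(self, address: str, now: datetime) -> tuple:
        """Return (allowed, reason) for a withdrawal request."""
        added = self.added_at.get(address)
        if added is None:
            return False, "address not on allowlist"
        if now < added + HOLD:
            return False, "address still in 24-hour hold"
        return True, "ok"


def demo() -> list:
    """Run the policy over constructed sample data and return each decision."""
    t0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    book = WithdrawalAllowlist()
    book.add_address("SAMPLE-ADDR-OWNER", t0 - timedelta(days=30))
    book.add_address("SAMPLE-ADDR-NEW", t0)
    decisions = [
        book.check_withdrawal("SAMPLE-ADDR-OWNER", t0),                     # old
        book.check_withdrawal("SAMPLE-ADDR-NEW", t0 + timedelta(hours=1)),  # held
        book.check_withdrawal("SAMPLE-ADDR-UNKNOWN", t0),                   # absent
    ]
    # The owner notices the unfamiliar address within the window and removes it.
    book.remove_address("SAMPLE-ADDR-NEW")
    decisions.append(book.check_withdrawal("SAMPLE-ADDR-NEW", t0 + timedelta(hours=25)))
    return decisions


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The hold only helps if the owner is notified when an address is added, so the notification channel has to be one the attacker does not already control.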

Additionally, Crypto.com said it plans to move from 2FA to "true multi-factor authentication," though it did not specify what that means or when it might happen.

Ultimately, customers had to log back in and set up their 2FA tokens again.

Rarely does a real security breach happen on a cryptocurrency exchange. In most cases, cryptocurrency theft occurs through fraud, where owners are tricked into sending their tokens elsewhere or providing personally identifiable information. This information can then be used in identity theft, allowing criminals to easily withdraw funds from wallets and exchanges.

More recently, with the emergence of DeFi (Decentralized Finance), a scam method known as "rugpull" has gained popularity.

In the simplest terms, a rugpull occurs when the owners of a blockchain project decide to extract all of the liquidity from the project, reducing the value of the token they created to virtually zero.