2FA compromise led to Crypto.com hack

Thieves managed to withdraw funds without having to input 2FA codes

More details have emerged about the recent Crypto.com hack that left almost 500 customers without their hard-earned cryptocurrencies.

The company has published a post mortem on its website in which it says that whoever was behind the theft managed to withdraw millions of dollars in cryptocurrencies from hundreds of accounts without inputting two-factor authentication.

In total, 483 accounts were compromised, with more than $31 million taken - made up of 4,836.26 ETH, 443.93 BTC, and approximately $66,200 in “other cryptocurrencies” stolen.

Security breaches and fraud

Crypto.com did not provide more details on how it was possible to withdraw the tokens without inputting 2FA, or whether an endpoint was compromised, but it did say what it did at the time and what it plans to do going forward.

Once it discovered the incident, the company first suspended all withdrawals from the platform, reimbursed the affected accounts, revoked all customer 2FA tokens, and added “additional security hardening measures”.

Now, after a new withdrawal address is added to the account, the owner needs to wait for 24 hours before it is approved, giving legitimate owners enough time to report a potential issue.

Furthermore, Crypto.com said it plans to move away from 2FA into “true multi-factor authentication,” although it did not specify what that meant, or when it might happen.

Finally, the customers were required to re-login and set up their 2FA tokens again.

An actual security breach on a cryptocurrency exchange rarely happens. In most cases, cryptocurrency theft happens through fraud, in which owners are either tricked into sending their tokens elsewhere, or tricked into giving away personally identifiable information. That information can later be used in identity theft, allowing criminals to easily withdraw funds from wallets and exchanges.

In more recent times, with the emergence of DeFi (Decentralized Finance), a scam method known as a “rugpull” has risen in popularity.

In the simplest terms, a rugpull happens when a blockchain project’s owners decide to remove all liquidity from the project, dropping the value of the token they’ve created virtually to zero.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
