Singapore-based cryptocurrency exchange Crypto.com hacked; more than 400 users affected
A Crypto.com Arena sign hangs outside Staples Center before an NBA basketball game between the Los Angeles Lakers and the San Antonio Spurs Thursday, Dec. 23, 2021, in Los Angeles. Staple Center will officially be renamed Crypto.com Arena on Christmas Day. (AP Photo/Jae C. Hong)
SINGAPORE: Singapore-based cryptocurrency exchange platform Crypto.com confirmed on Thursday (Jan 20) that it had been hacked, with the accounts of 483 users being affected.
In a blog post, the company said that on Jan 17, it learned that a "small number of users" had unauthorised withdrawals on their accounts.
These unauthorised withdrawals totalled 4,836.26 Ethereum, 443.93 Bitcoin and approximately US$66,200 in other currencies.
This amounted to about US$31 million (S$41.7 million), according to the exchange rate on Friday.
The company had detected unauthorised activity on some accounts on Monday, with transactions being approved without two-factor authentication (2FA) provided by users.
"Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue," it said, adding that no customers experienced a loss of funds.
Unauthorised withdrawals were prevented in the "majority of cases", with customers being fully reimbursed in all other cases, the company said.
Affected accounts were "fully restored", it said.
Existing 2FA tokens were revoked, while additional "security hardening" measures were added requiring all customers to login and set up their 2FA tokens again, it added.
Withdrawals were down for about 14 hours, said the company.
In addition to migrating to a "completely new 2FA infrastructure", Crypto.com said it introduced a feature where withdrawals can only be made 24 hours after a new withdrawal address is registered.
Users will be notified that withdrawal addresses have been added, with the notification message providing instructions on contacting Crypto.com if the addition of a new address was unauthorised.
The company said it had engaged third-party security firms to perform additional checks on its platform, adding it would be introducing more security features for users as it moved away from 2FA to "multi-factor authentication".
Crypto.com added it is introducing a "worldwide account protection program" which restores funds up to USD$250,000 in instances of unauthorised withdrawals for users who have taken steps such as enabling multi-factor authentication and filing a police report.
Bloomberg reported on Thursday that Crypto.com chief executive Kris Marszalek said during a conference that the company had not received any "outreach" from regulators following the breach.
In response to media queries, the Monetary Authority of Singapore (MAS) said Crypto.com's operator Foris DAX Asia is currently exempt from holding a licence under the Payment Services Act while its licence application is under review.
"MAS is aware of the cyber security breach at Crypto.com and is following up with the applicant," it added.
CNA has also contacted the Cyber Security Agency of Singapore for comment.
Founded in Hong Kong in 2016, Crypto.com moved its headquarters to Singapore last year.
The company made headlines in November when it won a US$700 million deal for the naming rights to the home arena of popular basketball team the Los Angeles Lakers.
