Crypto.com confirms 483 users hit in attack that saw over $31m in coins withdrawn
The company said on Monday that 483 users were impacted by unauthorised cryptocurrency withdrawals on their accounts.
“In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said.
“Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.”
At the time of writing, the amount of ether was just shy of $14 million and the fiat value of bitcoin was sitting over $17 million. All up, that put the total figure around the $31 million mark, depending on the volatile prices of cryptocurrency on any given day.
Crypto.com explained it saw transactions occurring on early Monday morning UTC, where users’ two-factor authentication was not involved.
“Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours,” it said.
“In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.”
The company said it has also added a new policy where the first withdrawal to a whitelisted address must wait 24 hours, as well as a program to refund users up to $250,000 if unauthorised withdrawals are made, and certain terms are met.
These terms include having multi-factor authentication on all transactions where possible, creating an anti-phishing code at least 21 days prior to the unauthorised withdrawal, users cannot use a jailbroken phone, they must file a police report and send the company a copy, and answer a “questionnaire to support a forensic investigation”.
“Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims,” the company said.