In a display of 2FA’s fallibility, unauthorized transactions approved without users’ authentication bled 483 accounts of funds.
Early Thursday morning, Crypto.com acknowledged that it had lost $34.65 million worth of cash, Bitcoin and Ethereum in an attack that pushed large withdrawals through without the two-factor authentication (2FA) checks that should have stopped them.
Users had complained over the weekend that their accounts had been drained: thievery that the cryptocurrency exchange initially denied. On Sunday, Crypto.com wrote on Twitter that “a small number of users [are] reporting suspicious activity on their accounts,” but that “all funds are safe.”
On Monday, the company’s CEO, Kris Marszalek, reiterated in a tweet that “no customer funds were lost.”
We have a small number of users reporting suspicious activity on their accounts.
We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.
— Crypto.com (@cryptocom) January 17, 2022
Now, Crypto.com has acknowledged that yes, the total loss is well over $30 million, far more than its initial statements suggested, but that all affected customers have been reimbursed.
The company also said the thieves pulled it off by getting withdrawals approved without the 2FA code that users were supposed to enter.