2FA Bypassed in $34.6M Crypto.com Heist

In a display of 2FA’s fallibility, unauthorized transactions approved without users’ authentication bled 483 accounts of funds.

Early Thursday morning, Crypto.com acknowledged that it had lost $34.65 million worth of cash, Bitcoin and Ethereum after getting ransacked in an attack that slipped large transactions past two-factor authentication (2FA).

Users had complained over the weekend that their accounts had been drained: thievery that the cryptocurrency exchange initially denied. On Sunday, Crypto.com wrote on Twitter that “a small number of users [are] reporting suspicious activity on their accounts,” but that “all funds are safe.”

On Monday, the company’s CEO, Kris Marszalek, reiterated in a tweet that “no customer funds were lost.”

We have a small number of users reporting suspicious activity on their accounts.

We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.

— Crypto.com (@cryptocom) January 17, 2022

Now, Crypto.com has acknowledged that yes, the total amount of the loss is well over $300 million – far more than was initially estimated – but that all customers had been reimbursed.

The company also said that the robbers pulled it off by blowing past the exchange’s 2FA system.

In spite

Read More: https://threatpost.com/2fa-bypassed-crypto-com-heist/177846/