Shortly after Crypto.com CEO Kris Marszalek admitted that $33 million worth of crypto assets had been stolen from the exchange in a hack and promised to release findings after an investigation, the exchange has released details about the incident.
The information the platform shared on its website said that 483 of its users were affected by the hack and that more than $15 million worth of Ethereum, $19 million of Bitcoin and $66,200 worth of other currencies were stolen. In its latest statement, the platform said that the losses ran to a total of over $34 million, surpassing the forecasts analysts had made before the official statement.
Earlier, shortly after the hack, the CEO said that the platform was back online about 13 to 14 hours after the hack happened and that all the accounts that suffered from the hack had already been reimbursed.
The statement released by Crypto.com said that the company, after a series of complaints, noticed on Monday that “transactions were being approved without the 2FA authentication control being inputted by the user”. Sadly, Crypto.com failed to mention how the hacker(s) were able to bypass the two-factor authentication protocol and approve transactions. It also declined to respond to questions on the matter.
To prevent the hack from happening again, the company said it “revoked all customer 2FA tokens and added additional security hardening measures” before asking its users to log in and set up their two-factor authentication again. The additional measures include a mandatory 24-hour delay between registration of a new withdrawal address and the first withdrawal to it, so that users will be notified and have “adequate time to react and respond” by contacting the Crypto.com team if the withdrawal appears to be unauthorized. Crypto.com also mentioned that it carried out an internal audit and asked third-party security firms to check its platform after the hack. It also announced that it will be transitioning to a “true multi-factor authentication” model, although it didn’t say when this would take effect.
In its statement, it also mentioned that it will be introducing the Worldwide Accounts Protection Program (WAPP) in select markets starting from the 1st of February. In case of unauthorized withdrawals, the program will restore funds up to $250,000 for users who qualify. To qualify, users must enable multi-factor authentication on all transaction types, set up an anti-phishing code at least 21 days before a breach, file a police report and report to Crypto.com.
The hack follows a string of others over the past months. Last year, Poly Network was hacked, and the hacker, described as a “White Hat”, stole more than $600 million worth of cryptocurrency from the platform. The assets were, however, returned, and the hacker seemed to have done it to notify the platform of its vulnerabilities. In December, Bitmart, another crypto exchange platform, was hacked and $196 million worth of cryptocurrencies was stolen.