Hackers sweep past 2FA and hit 483 users in Crypto.com attack

Crypto.com heist leaves hundreds of customers shocked

Hackers manage to bypass 2FACrypto.com hack results in lost millions

When facing cyber issues and hacks, acting on time is key. Yet, Crypto.com failed to acknowledge the issue and now, is in need to reimburse millions lost due to a cyber attack. Crypto.com users spotted some alarming incidents back over the weekend. People complained that their accounts had been drained. However, Crypto.com denied that there is any problem. They mentioned that only an insignificant amount of users complained and all funds are safe.

This now is known to be a lie. Monday morning Crypto.com CEO, Kris Marszalek took to Twitter to reiterate that nobody lost anything. Yet, an investigation into suspicious activities was launched, and withdrawals were paused. Only a few days after the company came out and stated the loss of funds actually happened, and the lost sum is not insignificant either. It is stated that the total loss is equal to over $300 million.[1]

Unauthorized withdrawals totaled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.[2] All customers that were affected by this inconvenience will be reimbursed, and it seems there will be many people seeking that reimbursement. At least 483 accounts were compromised and had funds drained as a result. Even after coming forward with the information about the heist, Crypto.com CEO continues to downplay the value of the lost funds.

2FA bypass leads to no protection for customers

Crypto.com is a cryptocurrency exchange app based in Singapore. The app has over 10 million users and supports trading, investing, staking, wallets, NFTs, and more. Overall, it offers more than 150 different currencies.[3] As cryptocurrencies remain on the high, companies all over the world continue to invest in their security. However, the Crypto.com heist showed that there is still a lot to improve.

Crypto.com explained that the alarm went on when 483 accounts were being approved without users' 2FA authentication. Withdrawals were suspended, and later on, all 2FA tokens were revoked. Now, security is upgraded, and all customers need to re-login and set up their 2FA token. 2FA is a layered approach to security that requires verifying two separate authentication factors to confirm an individual's identity.

However, in recent times, customers cannot trust even the secure deemed 2FA. This approach could be bypassed in various situations, like real-time phishing, social engineering, and man-in-the-middle attacks.[4] Threats arise while using SMS authentication, account recovery, or third-party login as well. Crypto.com from now on will rely on additional security too, not just 2FA as a time cushion function will be added to give users time to react and respond.

With crypto on the rise, so is the criminal activity

As already mentioned, cryptocurrency remains the hot topic and interest of many. With popularity comes attention and not always good. Crime actors seem to be finding the new industry to use their schemes as more and more threatening hacks seem to hit crypto companies and different apps. Back in 2021, crypto-currency exchange BitMart said that hackers have stolen about $150m worth of tokens from its “hot wallets”.[5]

Quite recently, cybersecurity researchers from Akamai Technologies outlined a new fraud that could leverage Amazon's name to promote a fraudulent “Amazon to create its own digital token” scheme.[6] With this scheme, hackers use time-sensitive functions that make people act fast, without much consideration. Fake social media posts were published in groups of cryptocurrency.

When clicked on, users were directed to the soon-to-be-released “Amazon crypto-token” page. Later on, users were asked to pay for the pre-sale tokens with their own cryptocurrency. That is how easily users could pay for something that in reality doesn't even exist. As most of these hacks happened in America and Asia, cryptocurrency crimes are on the rise globally too.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions