Crypto.com admitted it lost approximately $35 million in a recent cyber attack.
On Monday, the Singapore-based cryptocurrency exchange issued an alert on Twitter and Telegram that “a small number of users experienced unauthorized activity in their accounts.” Crypto.com CEO Kris Marszalek also addressed the incident on Twitter and stated, “no customer funds were lost.”
However, Crypto.com published a blog post Thursday that showed it had lost a hefty amount to unauthorized withdrawals — nearly $35 million in total.
The company’s investigation uncovered that threat actors had taken 4,836.26 ETH, valued at approximately $15 million, confirming a Monday report from blockchain analytics company PeckShield. Crypto.com had declined to comment on the PeckShield report and instead referred to Marszalek’s Twitter statements.
Additionally, Crypto.com confirmed that 443.93 bitcoin, or nearly $19 million, was stolen, as well as around $66,200 in other currencies. According to the report, the incident affected 483 users; Crypto.com’s LinkedIn account notes that it serves 10 million customers.
Despite the revelations, the cryptocurrency company reiterated that “no customers experienced a loss of funds.”
“In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the blog post said.
While the blog post provided further details on the attack timeline, such as a 14-hour downtime, the exact number of account intrusions is still unclear. Crypto.com declined to comment further on the attack.
Immediately following the attack, the report said, Crypto.com “migrated to a completely new 2FA infrastructure.” Now, the cryptocurrency exchange will replace two-factor authentication with “true multifactor authentication (MFA), providing added strength for our global user base.”
The company also introduced what it calls the Worldwide Account Protection Program (WAPP), designed to protect user funds in the case of third-party attacks where accounts are illegally accessed, according to the report. WAPP restores funds up to $250,000, but users must meet certain security requirements. Those include the use of MFA and setting up an anti-phishing code at least 21 days prior to the reported unauthorized transaction.