In a blog post published in the early hours of Thursday morning, cryptocurrency exchange Crypto.com acknowledged that the company had lost well over $30 million in Bitcoin and Ethereum after a hack that took place on January 17th.
The company has been criticized for vague communication around the hack, which was only officially confirmed yesterday by CEO Kris Marszalek.
The new blog post said that the total value of the unauthorized withdrawals was 4,836.26 ETH and 443.93 BTC — equivalent to roughly $15.2 million and $18.6 million respectively, at current exchange rates — as well as $66,200 worth of other currencies. According to the post, 483 Crypto.com users had their accounts compromised.
Crypto.com has said that all affected customers have been fully reimbursed for the losses.
The latest communication from the company provides the most insight yet into the security breach, although details of the exact method of compromise remain unclear.
“On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user,” the post reads. “This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored.”
As a result of the hack, the exchange has migrated its two-factor authentication system to a new architecture, and revoked all existing 2FA tokens, meaning that all customers will need to switch over to the new system.
The Crypto.com hack is the latest in a string of attacks targeting cryptocurrency exchanges, which are some of the highest-value targets in the steadily growing cryptocurrency ecosystem. In 2021, there were more than 20 exchange hacks in which the hacker escaped with more than $10 million in profit, according to an analysis by NBC News, and six cases where the value of funds stolen exceeded $100 million.