Summary
On 17 January 2022, Crypto.com learned that a small number of users had unauthorized crypto withdrawals on their accounts. Crypto.com promptly suspended withdrawals for all tokens to initiate an investigation and worked around the clock to address the issue. No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.

The incident affected 483 Crypto.com users.

Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies.

What happened?
On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored. Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur. Downtime of the withdrawal infrastructure was approximately 14 hours, and withdrawals were resumed at 5:46 PM UTC, 18 January 2022.

What did Crypto.com do to correct the problem?
In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup and use 2FA in order to withdraw.

Crypto.com introduced an additional layer of security on 18 January 2022 to add a mandatory 24-hour delay between registration of a new whitelisted withdrawal address, and first withdrawal. Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorized.

Full audit of the entire infrastructure has been conducted internally with a number of improvements being implemented to further harden the security posture. While Crypto.com already performs internal and external penetration tests, Crypto.com has immediately engaged with third-party security firms to perform additional security checks on our platform, as well as initiating additional threat intelligence services.

Crypto.com will be releasing additional end-user security features as we move away from 2-Factor Authentication and to true Multi-Factor Authentication (MFA), providing added strength for our global user base.

Next Steps?
Crypto.com is introducing the Worldwide Account Protection Program (WAPP). WAPP offers additional protection and security for user funds held in the Crypto.com App and the Crypto.com Exchange.

WAPP is designed to protect user funds in cases where a third party gains unauthorized access to their account and withdraws funds without the user’s permission. WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.

“The safety of our customers’ funds is our highest priority, and we are continually enhancing our Defence-in-Depth security and protection measures,” said Kris Marszalek, Co-founder and CEO of Crypto.com. “While we are reminded of the existence of bad actors intent on committing fraud, this new Worldwide Account Protection Program, along with our new MFA infrastructure, gives our users unprecedented protection of their funds, and hopefully, peace of mind.”

To qualify for the WAPP program, users must:

  1. Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,
  2. Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,
  3. Not be using jailbroken devices,
  4. File a police report and provide a copy of it to Crypto.com; and
  5. Complete a questionnaire to support a forensic investigation.

“Crypto.com is a leader in security and compliance, including our recent SOC 2 announcement,'' said Jason Lau, Chief Information Security Officer of Crypto.com. “While our goal is to prevent any security breaches, our industry leading insurance policy and Worldwide Account Protection Programs offer our customers additional protections in rare instances when there is an incident.”

Terms and conditions may vary by market according to local regulations. Crypto.com will make the final determination of eligibility requirements and approval of claims. WAPP will begin rolling out in select markets starting 1 February 2022.