Crypto.com Postmortem

Raw content extract from web search (WebFetch tool not available).

Crypto.com Hack — January 17–18, 2022

Summary

In January 2022, Crypto.com suffered an attack in which approximately $33.7M was stolen from user accounts. The attackers bypassed two-factor authentication.

Attack Vector

Crypto.com identified unauthorized activity on user accounts. Investigation revealed that withdrawal transactions were being approved without users entering 2FA codes — the attacker had identified a vulnerability in Crypto.com's security infrastructure that completely bypassed the 2FA requirement during the withdrawal authentication flow.

The exact technical mechanism for the bypass was never publicly disclosed.

Impact

• 483 user accounts affected.

• 4,836.26 ETH stolen.

• 443.93 BTC stolen.

• ~$66,200 in other cryptocurrencies.

• Total: ~$33.84M at the time.

Response

• Crypto.com paused withdrawals across the platform for ~14 hours.

• All affected user funds were reimbursed in full.

• Crypto.com decommissioned its old 2FA system "in an abundance of caution" and migrated to a completely new 2FA infrastructure.

• Required all users to re-enroll in 2FA.

• Introduced a new "Worldwide Account Protection Program" (WAPP) to fully restore funds in eligible cases.

• Initial public statements by CEO Kris Marszalek that "no customer funds were lost" were contradicted by later disclosures.