In January 2022, the Crypto.com exchange was the victim of an attack.  The attackers stole an estimated $33.7 million in tokens from users of the centralized exchange.

Inside the Attack

Crypto.com is a cryptocurrency exchange that manages users’ private keys for their blockchain accounts.  Instead of remembering and protecting a private key, exchanges like this allow users to log in with a username, password, and, for increased security, a 2FA code.

In the January 2022 attack, Crypto.com identified unauthorized activity on users’ accounts, and further investigation revealed that transactions were performed on these accounts without the users entering 2FA codes.  This indicates that the attacker identified a vulnerability in Crypto.com’s security infrastructure that enabled them to completely bypass the 2FA requirement during the authentication process.  As a result, the protections provided by 2FA were rendered useless, and users’ accounts were protected only by a password.

By taking advantage of this 2FA bypass, the attackers were able to extract 4,836.26 ETH ($15.2 million) and 443.93 BTC ($18.6 million) from the accounts of 483 Crypto.com users.  These tokens were then sent to Tornado Cash, which rendered them impossible to track further.

Official statements by Crypto.com have been limited and misleading; early statements by the CEO Kris Marszalek claimed that no customer funds were lost despite clear evidence to the contrary.  As a result, the exact mechanism used by the attacker to bypass 2FA remains unknown, but the company claims that it has taken the opportunity to move to a new 2FA infrastructure and otherwise bolster its security.

Lessons Learned From the Attack

The Crypto.com hack demonstrates the truth of the statement “not your keys, not your coins.”  By allowing a cryptocurrency exchange to manage their account keys, Crypto.com users entrusted the security of their cryptocurrency to them as well.  As a result, any security issues, such as this 2FA bypass, can result in a permanent loss of funds.  For more information on how to properly protect account keys, check out this blog.

Rob Behnke
01.24.2022