Crypto.com has been hit by a major heist that affected 483 user accounts. The attackers stole $34.65 million worth of cryptocurrency, including Bitcoin and Ethereum, by getting past two-factor authentication (2FA). On January 17th, Crypto.com wrote on Twitter that a small number of users were reporting suspicious activity on their accounts, but claimed the funds were safe.
This Monday, Kris Marszalek, the CEO of Crypto.com, mentioned in a tweet that users' funds weren't lost and that Crypto.com would ensure the funds stay with the users. However, Crypto.com later mentioned that there is a loss of $300 million overall, which is even more than their initial finding, but that customers whose funds were stolen have been reimbursed. The entire crypto theft was performed by getting past two-factor authentication.
Crypto.com's exchange risk monitoring system found unauthorized transactions taking place in 483 accounts, approved without the users' 2FA authentication. To handle the situation, Crypto.com halted withdrawals while it investigated, and later revoked the 2FA tokens as an additional security measure and to harden its protection protocols. It then asked its users to update their login credentials along with their 2FA tokens.
The withdrawal halt was in place for around 14 hours. The halt had some adverse effects on Crypto.com, which lost around $66,200 worth of currencies because of the operational block. Later this week, Marszalek had an interview with Bloomberg, stating that 400 user accounts were affected by the heist.
Crypto.com has now migrated its 2FA to a completely new infrastructure. The new infrastructure was implemented following proper 2FA policies and deployed at both the frontend and the backend to keep the transition safe.
Though the exact means of the 2FA compromise is yet to be determined, Crypto.com has meanwhile improved its security layers by deploying a mandatory 24 delay between the registration of a new withdrawal address and a first withdrawal. There will be withdrawal alerts to give users some time to respond and act. Crypto.com has already done a complete audit and inspection of its security infrastructure and has also brought in third-party security firms to enhance the overall security of the organization.
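The two controls described above (withdrawals that must carry a backend-verified 2FA approval, and a hold period on newly registered withdrawal addresses) can be sketched as a single server-side check. This is an added example, not Crypto.com's code: every name in it is hypothetical, the hold is assumed to be 24 hours, the 5-minute approval window is an assumption, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: the article gives the delay only as "24"; hours are assumed here.
NEW_ADDRESS_HOLD = timedelta(hours=24)
# Assumption: a 2FA approval is only honoured for a short window.
TWOFA_MAX_AGE = timedelta(minutes=5)

@dataclass(frozen=True)
class Withdrawal:
    account: str
    address: str
    requested_at: datetime
    # Set only by the backend after it has verified the 2FA code itself.
    twofa_verified_at: Optional[datetime]

Whitelist = Dict[Tuple[str, str], datetime]  # (account, address) -> time added

def review(w: Withdrawal, whitelist: Whitelist) -> List[str]:
    """Return the reasons to block a withdrawal; an empty list means allow."""
    reasons = []
    if w.twofa_verified_at is None:
        reasons.append("no_2fa_approval")
    elif not timedelta(0) <= w.requested_at - w.twofa_verified_at <= TWOFA_MAX_AGE:
        reasons.append("stale_2fa_approval")
    added_at = whitelist.get((w.account, w.address))
    if added_at is None:
        reasons.append("address_not_whitelisted")
    elif w.requested_at - added_at < NEW_ADDRESS_HOLD:
        reasons.append("address_in_hold_period")
    return reasons

# Constructed sample data, for illustration only.
T0 = datetime(2022, 1, 17, 12, 0)
WHITELIST: Whitelist = {
    ("acct-1", "addr-old"): T0 - timedelta(days=30),
    ("acct-1", "addr-new"): T0 - timedelta(hours=2),
}
SAMPLE = [
    Withdrawal("acct-1", "addr-old", T0, T0 - timedelta(minutes=1)),
    Withdrawal("acct-1", "addr-new", T0, None),
    Withdrawal("acct-1", "addr-unknown", T0, T0 - timedelta(hours=1)),
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(w.address, review(w, WHITELIST) or "allow")
```

Because the check runs on the backend and reads only server-side state, a client that skips or forges the frontend 2FA prompt still cannot get a withdrawal approved.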
Crypto.com is planning to upgrade its 2FA to MFA, along with a Worldwide Account Protection Program (WAPP), to further increase security and protection of user funds and the exchange's safety. The security hardening also covers jailbroken devices, an anti-phishing code with at least 21 days' prior notification for any unauthorized transaction, and a few other steps to ensure a strong security posture.
Since 2FA relies on an already existing parameter for authentication, for example a password, PIN, mobile phone, USB token, or fingerprint, the chances of these being compromised are increasing, and they can easily be manipulated using social engineering, cookie session hijacking, man-in-the-browser attacks, device takeover, overlay payloads, spyware, duplicate code generators and other nefarious actions.