S'pore-based Crypto.com loses S$40m worth of cryptocurrencies after security breach; over 480 users affected

SINGAPORE — Cryptocurrency exchange Crypto.com said on Thursday (Jan 20) that its users had lost tens of millions of dollars worth of bitcoin, ethereum and other cryptocurrencies after its security was breached.

More than 480 users were affected and they have been fully reimbursed, the Singapore-based exchange said. 

Crypto.com said that the company detected unauthorised withdrawals on a small number of accounts on Monday through its risk-monitoring systems. 

These transactions were being approved even though users did not input their two-factor authentication control. 

The firm then suspended withdrawals of all tokens to investigate the issue.

The unauthorised withdrawals involved 4,836.26 ethereum, 443.92 bitcoin and US$66,000 (about S$88,800) worth of other cryptocurrencies.

The price of cryptocurrencies swing wildly but at current prices, the affected withdrawals were worth about US$31 million.

Crypto.com revoked all customer two-factor authentication tokens and added extra security measures. All customers were required to re-login and set up their two-factor authentication token to ensure only authorised activity would occur. 

"Any accounts found to be impacted were fully restored," the company said in a security report published on its website. 

After 14 hours, withdrawals resumed in the early hours of Wednesday. 

Crypto.com said that it revamped and migrated to a completely new two-factor authentication infrastructure out of an abundance of caution. 

It also introduced an added layer of security: Delaying by 24 hours the first request of a withdrawal to a new whitelisted withdrawal address. A whitelist, as opposed to a blacklist, is one deemed to be trusted.

"Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorised," the company said.

In addition to its own security tests, Crypto.com has also engaged third-party security firms to perform extra security checks on its platform, as well as initiating more threat intelligence services. 

The company also said that it will be moving away from two-factor authentication to multi-factor authentication. 

The cryptocurrency platform was in the news in November last year when it bought the naming rights for Los Angeles' Staples Center for a record US$950 million.