2FA Bypassed in $34.6M Crypto.com Heist

Early Thursday morning, Crypto.com acknowledged that it had lost $34.65 million worth of cash, Bitcoin and Ethereum in an attack that slipped withdrawals past its two-factor authentication (2FA). Users had complained over the weekend that their accounts had been drained, thievery that the cryptocurrency exchange initially denied. On Sunday, Crypto.com wrote on Twitter that “a small number of users [are] reporting suspicious activity on their accounts,” but that “all funds are safe.” On Monday, the company’s CEO, Kris Marszalek, reiterated in a tweet that “no customer funds were lost.”

“We have a small number of users reporting suspicious activity on their accounts. We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.” — Crypto.com (@cryptocom) January 17, 2022

Now, Crypto.com has acknowledged that yes, the total loss is well over $30 million, far more than was initially estimated, but that all affected customers have been reimbursed. The company also said that the robbers pulled it off by getting past the exchange’s 2FA system.

In spite of customers having reported losses over the weekend, Crypto.com’s Thursday statement said that the heist happened on Monday at about 12:46 a.m. UTC. That’s when the exchange’s risk monitoring systems picked up on unauthorized transactions coming out of 483 accounts that were being approved without the users’ 2FA authentication. The company didn’t immediately respond to…
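The detection the statement describes, a withdrawal approved with no matching 2FA step, is a control-bypass check that can be written as a log correlation: for every approved withdrawal, look for a fresh successful 2FA verification on the same account and flag the ones that have none. The script below is an added illustration, not Crypto.com’s own monitoring code and not based on any detail of their systems; the pipe-delimited log format, the event names (2fa_ok, 2fa_fail, withdrawal_approved) and the sample events are all constructed for the example.

```python
"""
Flag withdrawals approved without a preceding, fresh, successful 2FA check
for the same account. Constructed example: the log format, event names and
freshness window are assumptions, not Crypto.com's real telemetry.
"""
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp|account|event|amount".
# Amount is empty for authentication events.
SAMPLE_LOG = """\
2022-01-17T00:40:01Z|acct-001|2fa_ok|
2022-01-17T00:41:10Z|acct-001|withdrawal_approved|1.20
2022-01-17T00:45:30Z|acct-002|withdrawal_approved|4.75
2022-01-17T00:46:02Z|acct-003|2fa_fail|
2022-01-17T00:46:05Z|acct-003|withdrawal_approved|2.00
2022-01-17T00:20:00Z|acct-004|2fa_ok|
2022-01-17T00:47:00Z|acct-004|withdrawal_approved|0.50
"""

# A successful 2FA older than this is treated as not covering the withdrawal
# (assumed policy value for the example).
MAX_AGE = timedelta(minutes=10)


def parse(line):
    """Turn one log line into (timestamp, account, event, amount)."""
    ts, acct, event, amount = line.split("|")
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        acct,
        event,
        float(amount) if amount else 0.0,
    )


def find_unverified_withdrawals(log_text, max_age=MAX_AGE):
    """Return [(account, timestamp, amount)] for withdrawals with no fresh 2FA."""
    last_ok = {}  # account -> time of its most recent successful 2FA
    flagged = []
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    for ts, acct, event, amount in events:
        if event == "2fa_ok":
            last_ok[acct] = ts
        elif event == "withdrawal_approved":
            ok_ts = last_ok.get(acct)
            if ok_ts is None or ts - ok_ts > max_age:
                flagged.append((acct, ts, amount))
            # A 2FA approval covers one withdrawal; consume it either way so a
            # single stale or used approval cannot cover later withdrawals.
            last_ok.pop(acct, None)
    return flagged


def affected_accounts(flagged):
    """Number of distinct accounts with at least one unverified withdrawal."""
    return len({acct for acct, _, _ in flagged})


def total_unverified_amount(flagged):
    """Sum of amounts moved without a fresh 2FA check."""
    return sum(amount for _, _, amount in flagged)


if __name__ == "__main__":
    hits = find_unverified_withdrawals(SAMPLE_LOG)
    for acct, ts, amount in hits:
        print(f"{ts.isoformat()} {acct} withdrawal of {amount} with no fresh 2FA")
    print(f"{affected_accounts(hits)} accounts, {total_unverified_amount(hits)} total")
```

Run against the sample log this flags three of the four withdrawals: acct-002 never completed 2FA, acct-003 only has a failed attempt, and acct-004’s approval is 27 minutes old and outside the freshness window. In a real pipeline the same rule would drive the automatic withdrawal pause the company describes, rather than just printing a report.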