Culture

Crypto.com confirms $34 million was stolen in 2FA breach

Euro coins and paper currency in broken piggy coin bank, money savings in home budget and finances c...

$34M

Funds stolen in the hack.

Crypto.com

Igor Stevanovic / 500px/500Px Plus/Getty Images

A series of unauthorized withdrawals on Crypto.com, the company that now owns the Staples Center, held about $34 million hostage on January 17. The company reported the breach earlier this week and today published a relatively brief postmortem about the attack.

The report is for the most part not all that interesting, given that we already knew about the attack. It reads more like an attempt to placate worried users than a detailed explanation of how the attackers managed to weasel their way in.

All told, approximately 4,836 Ethereum, 443 Bitcoin, and $66,200 were stolen during Tuesday’s breach. Crypto.com says every one of the 483 affected users has already been reimbursed for the missing funds. The platform completely suspended withdrawals for 14 hours while investigating the incident.

If it feels at this point like you’re hearing about a new crypto-related breach or scam every single day, that’s because you basically are. It’s going to be very difficult for crypto enthusiasts to turn the currency mainstream when this just keeps happening.

Here’s what we know — How, exactly, anyone was able to bypass Crypto.com’s security systems is still a mystery to the public. The company isn’t ready to reveal all its secrets just yet.

What we do know now is that, by some method, some accounts on the site began initiating withdrawals without two-factor authentication (2FA) approval. This is concerning, to say the least; 2FA is implemented specifically to thwart others from accessing your account. A 2FA system capable of being worked around isn’t worth much at all.

Crypto.com says it’s completely “revamped” the 2FA infrastructure in response to the attack. Beginning on January 18, the company also implemented a mandatory 24-hour waiting period between adding a new withdrawal address and actually being able to withdraw funds to that address.

The site is also introducing a new feature called the Worldwide Account Protection Program (WAPP, not unlike the song), which will protect users who use every security feature on the site and are willing to file a police report. WAPP will only restore funds up to $250,000.

Careful out there — Security breaches are inevitable. Even our best-protected systems are flawed; every system can be bested by creative hackers. Often there are way more than 483 people affected by these breaches.

The world of cryptocurrency is particularly susceptible to these attacks because, well, there’s a ton of money involved. If 483 users could provide a hacker with $34 million, imagine the potential riches behind the rest of the user base. Unlike traditional banks, crypto exchanges are also run entirely online, making them a prime target for hacks.

The lesson here is simple, really: Exercise the utmost caution when putting your money into even the best-known cryptocurrency platforms. Your money could be stolen right from under your nose — with no guarantee you’ll ever get it back.