Crypto.com has confirmed that a total of 483 users were affected by unauthorised withdrawals totalling 4836.26 ETH, 443.93 BTC and about $66,200 in other currencies.
The Singapore-based crypto exchange was breached on Monday, when the attackers allegedly got away with more than $15 million in Ethereum. Blockchain security and data analytics company PeckShield put the loss at over 4600 ETH. CEO Kris Marszalek put the number of impacted accounts at around 400.
Apart from confirming these numbers in the report published Thursday, the company also outlined the mitigation steps it took, including the migration to a new and revamped 2FA infrastructure and plans to migrate to a multi-factor authentication system in the future.
As part of a new security measure, the company also announced the introduction of the Worldwide Account Protection Program (WAPP).
Better late than never
As an additional protective measure, Crypto.com has now revoked all customer 2FA tokens, requiring all customers to log in again and set up their 2FA tokens afresh. The withdrawal infrastructure was taken down on January 17, with the downtime lasting about 14 hours before withdrawals reopened the next day.
No customers faced any loss of funds, as Crypto.com claims it prevented the unauthorised withdrawal of funds in most cases and fully reimbursed all other customers.
As reported before, the revamped 2FA infrastructure now adds a mandatory 24-hour delay between the registration of a new “whitelisted” withdrawal address and the first withdrawal. Users will also receive notifications when new withdrawal addresses get added, allowing them time to review and respond to any suspicious activity.
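The two controls described above (revoking every existing 2FA token, and holding a newly registered withdrawal address for 24 hours with a notification) can be sketched as a single withdrawal check. This is an added example, not Crypto.com's code; the class names, reason strings, addresses and timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ADDRESS_HOLD = timedelta(hours=24)  # delay stated in the article

@dataclass
class Account:  # hypothetical account record
    twofa_enrolled_at: Optional[datetime] = None
    allowlist: Dict[str, datetime] = field(default_factory=dict)  # address -> added at
    notifications: List[str] = field(default_factory=list)

class WithdrawalGate:  # hypothetical policy check
    def __init__(self, tokens_revoked_at: datetime):
        # Any 2FA enrolment at or before this cut-off counts as revoked.
        self.tokens_revoked_at = tokens_revoked_at

    def add_address(self, acct: Account, address: str, now: datetime) -> datetime:
        # Re-adding a known address neither resets the clock nor re-notifies.
        if address not in acct.allowlist:
            acct.allowlist[address] = now
            acct.notifications.append(f"withdrawal address {address} added {now.isoformat()}")
        return acct.allowlist[address] + ADDRESS_HOLD  # earliest permitted withdrawal

    def check(self, acct: Account, address: str, now: datetime) -> str:
        enrolled = acct.twofa_enrolled_at
        if enrolled is None or enrolled <= self.tokens_revoked_at:
            return "2fa_reenrollment_required"
        added = acct.allowlist.get(address)
        if added is None:
            return "address_not_allowlisted"
        if now - added < ADDRESS_HOLD:
            return "address_in_hold_period"
        return "ok"

def demo():
    utc = timezone.utc
    gate = WithdrawalGate(datetime(2022, 1, 18, tzinfo=utc))      # constructed cut-off
    acct = Account(twofa_enrolled_at=datetime(2021, 6, 1, tzinfo=utc))
    t0 = datetime(2022, 1, 20, 9, 0, tzinfo=utc)                  # constructed timeline
    gate.add_address(acct, "addr-A", t0)
    gate.add_address(acct, "addr-A", t0 + timedelta(hours=5))     # no clock reset
    results = [gate.check(acct, "addr-A", t0 + timedelta(hours=30))]  # stale 2FA
    acct.twofa_enrolled_at = t0                                   # user re-enrols
    results.append(gate.check(acct, "addr-A", t0 + timedelta(hours=23, minutes=59)))
    results.append(gate.check(acct, "addr-A", t0 + timedelta(hours=24)))
    results.append(gate.check(acct, "addr-B", t0 + timedelta(hours=24)))
    return results, acct
```

The hold period only helps if the notification reaches the account owner over a channel the intruder does not also control, which is why the check and the notification are recorded together here.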
The exchange will be moving away from 2FA systems to a multi-factor authentication infrastructure whilst adding additional end-user security features. It also announced that it is working with third-party security firms to perform further security checks on the platform while also initiating other threat intelligence services.
Lastly, the company also introduced the Worldwide Account Protection Program offering additional protection and security for user funds held in the Crypto.com App and the web exchange.
The program is designed to protect user funds in cases where a third party gains unauthorised access to their account and withdraws funds. WAPP will restore funds up to $250,000 for qualified users under its terms and conditions.
To qualify for the WAPP program, a user must perform the following actions:
- Enable MFA on all transaction types where it is currently available.
- Have an anti-phishing code at least 21 days prior to the unauthorised transaction.
- Not use jailbroken devices.
- File a police report and provide a copy to Crypto.com.
- Complete a questionnaire to support forensic investigations.