Crypto.com acknowledges ‘unauthorized activity’ on servers, maintains no funds have been lost

Crypto.com, a Singapore-based cryptocurrency exchange, has denied reports that the firm lost nearly $15m in Ethereum in a possible network intrusion over the weekend.

According to blockchain biz PeckShield, Crypto.com lost about $14.3m or 4,600 ETH, based on its analysis of public blockchain addresses. And the China-based security firm claims that about half of that is being washed through a service called TornadoCash, which offers anonymous transactions.

Crypto.com, which recently paid $700m to rename the Los Angeles Staples Center and saw a high-profile ad campaign disallowed in the UK for being misleading, acknowledged on Sunday that something curious happened and briefly suspended withdrawals.

“We have a small number of users reporting suspicious activity on their accounts,” Crypto.com said via its Twitter account. “We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.”

On Monday, Crypto.com, the eighth largest cryptocurrency exchange by volume, acknowledged a security incident and continued to insist no funds had been lost.

“Earlier today a small number of users experienced unauthorized activity in their accounts,” the company said. “All funds are safe.”

Purported customers have claimed on Twitter that they lost funds though without offering a means to verify those claims. Cryptocurrency podcast host Ben Baller claims to have lost $16m worth of ETH from his crypto.com wallet.

As a precaution, Crypto.com said that all customers were logged out of their app and exchange accounts (to cancel authentication tokens) and had their two-factor authentication reset, which requires them to log back in.

The Crypto.com status page shows ongoing service degradation. Nonetheless, company CEO Kris Marszalek insists no funds were lost.

“We will share a full post mortem after the internal investigation is completed,” he said.

The Register asked a Crypto.com spokesperson to explain what happened but the spokesperson declined to comment beyond the remarks published to Twitter by Marszalek and the company. Our request to specifically address Peck Shield’s claim that funds had been stolen has gone unanswered.

PeckShield did not immediately respond to a request for comment.

Meanwhile, on Monday, a blockchain biz called Multichain warned of a critical vulnerability affecting six cross-chain tokens. Just another day in the crypto world. ®

READ MORE HERE