Crypto.com, the five-year-old cryptocurrency exchange which boasts Hollywood superstar Matt Damon as the face of the company (and as an investor), has allegedly been hacked.
On Monday morning, Crypto.com announced via Twitter: “We have a small number of users reporting suspicious activity on their accounts.” In response, the company paused withdrawals, to ensure the safety of user funds and launched an investigation, it said. Crypto.com said at the time that “all funds are safe.”
On Tuesday morning, the company tweeted that it had restored all withdrawal services,” stating again that no customer funds were lost. Crypto.com CEO Kris Marszalek tweeted via his personal account that the firm has strengthened its security infrastructure in response to the incident and will “share a full post mortem after the internal investigation is completed.”
Yet a series of subsequent tweets cast doubt on Crypto.com’s claim that all user money remained safe. Peckshield, a China-based blockchain security firm, wrote this morning that Crypto.com actually lost $15 million of funds, “with at least 4.6K ETHs [Ether] and half of them are currently being washed via [Tornado Cash],” a decentralized smart contract platform that allows users to conduct anonymous transactions on the Ethereum blockchain. Peckshield subsequently told Decrypt that the true scale of the damage is “definitely worse.”
Meanwhile, several users like @J8Arnold said that he had funds stolen from his account. “All funds are not safe. I had BTC [Bitcoin] withdrawn from my account that I did not authorize. These funds have yet to be returned to me…I have always had passcode & [2-factor authentication] enabled,” the user wrote. The user did not return Fortune‘s request for comment.
Industry analysts say Peckshield’s assessment is likely accurate. The blockchain data shows that a “significant sum” was taken from Crypto.com and moved into one wallet, then rerouted to a mixer, says Scott Pounder, head of investigations at Crystal Blockchain, a crypto transaction analysis and compliance firm. This chain of events is “a fairly clear sign that a hack [took] place” and that the attack was centralized, though it can’t be verified whether user funds were involved or not, says Pounder. Yong Li Khoo, a research analyst at blockchain analytics firm Nansen Alpha said that he cross-referenced the data from other sources like CertiK, a platform that monitors blockchain protocols, and found that 282 user wallets were affected in the alleged breach.
Crypto.com declined to comment beyond its official statements released on Twitter. The Hong Kong and Singapore-based platform became one of the world’s top cryptocurrency exchanges last year after a $1 billion marketing offensive helped it gain recognition worldwide. Last November, Crypto.com inked a $700 million deal to emblazon its name on Los Angeles’s iconic Staples Center—home of the National Basketball Association’s (NBA) Los Angeles Lakers and Clippers. Before that, the company spent a collective $500 million on a series of commercials led by actor Matt Damon and a bevy of endorsement deals with the Ultimate Fighting Championship (UFC); motor racing championship Formula 1; and elite hockey, football and soccer clubs.
Crypto.com is profitable and its revenue has surged 2,000% in the last 12 months. In the April to June quarter this year, it recorded $500 million in revenue, Crypto.com CEO Kris Marszalek told Fortune in a conversation in December. The price of CRO (Crypto.com coin) has dropped roughly 3.5% since Monday.
The alleged Crypto.com hack is yet another indication of how digital scammers are increasingly targeting lucrative crypto businesses—particularly centralized exchanges like Crypto.com and decentralized finance, or DeFi services. Last year, cryptocurrency swindlers stole a record $14 billion—up 79% from 2020—via scams and theft, according to a January report from data and blockchain analytics firm Chainalysis.
Just last month, crypto thieves made off with $200 million of customer funds from Cayman Islands-headquartered exchange BitMart. Scammers stole a private key to gain access to two ‘hot wallets’—a type of Internet-enabled digital storage where cryptocurrencies are stored—and took the digital assets stored in the wallets. Last summer, hackers stole $600 million from DeFi platform Poly Network—the biggest crypto heist in history—but subsequently returned the digital assets. In October 2021, Nasdaq-listed Coinbase told 6,000 customers that their accounts were compromised; hackers exploited a flaw in the platform’s SMS account recovery process to obtain a two-factor authentication token and access the accounts.
Thefts from cryptocurrency exchanges typically occur because a hacker is “able to access the exchange’s internal systems, and withdraw funds. Account takeovers can also take place, where a hacker is able to access the accounts belonging to individuals users of an exchange… for example a user’s login details might be obtained through a phishing attack,” says Tom Robinson, co-founder and chief scientist at Elliptic, a blockchain analysis firm. Crypto exchanges like BitMart and Crypto.com, which store user assets in hot wallets, are more convenient for the customer, but are also more susceptible to theft, says Khoo.
Cryptocurrency exchanges will continue to be targeted due to the nature of their work, says Pounder. But the major explosion in crypto thefts took place due to hackers exploiting DeFi protocols, says Robinson. DeFi services remove the need for exchanges and are built on top of a blockchain platform, which allows hackers to take advantage of a design flaw or coding error in the network.
After its platform breach, BitMart promised to reimburse users via the company’s own cash. Five weeks later, however, some users still haven’t received any updates or money from the exchange, according to a CNBC report last week. Coinbase also vowed to pay back its 6,000 affected users using its own funds.
Justin d’Anethan, institutional sales manager at crypto services provider Eqonex believes that Crypto.com will likely opt to pay users back with its own capital: “All the investors will probably be made whole [since] the company can afford it.”
Never miss a story: Follow your favorite topics and authors to get a personalized email with the journalism that matters most to you.