Crypto.com Users Experience “Unauthorized Activity” on Accounts

CEO Kris Marszalek said on Twitter that "no customer funds were lost" but questions remain over the unauthorized access.
Aaron Drapkin

Cryptocurrency exchange app Crypto.com announced that it had abruptly halted all transactions on Monday after ‘unauthorized activity’ was reported on a number of customers’ accounts. 

The accounts the activity took place on were configured with two-factor authentication – which crypto.com asked users to reset – but confirmed that all users’ funds were safe. 

Whilst it’s unclear as of yet what exactly happened, the ominous reminder to reset 2FA – and its potential vulnerabilities – is also an implicit reminder to use security tools like password managers to ensure your first security barrier is as strong as possible. 

What Happened at Crypto.com?

According to the LA Times, Singapore-based crypto.com – which has 10 million account holders in the US alone – stopped all deposits and transactions on Monday after users took to social media to report thousands of dollars worth of cryptocurrencies disappearing from their accounts. 

“Earlier today a small number of users experienced unauthorized activity in their accounts. All funds are safe. In an abundance of caution, security on all accounts is being enhanced, requiring users to sign back into their App & Exchange accounts [and] Reset their 2FA”. – Crypto.com.

A UK-based crypto influencer called Ben Baller said on Monday that 4.28 Ether (ETH) – around $14,000 – had been taken out of his account. He alleged later on that an additional $16 million worth of cryptocurrency had been taken. 

Another big name in the crypto community, Billy Markus – the creator of Dogecoin, another digital currency that relies on blockchain technology to function – also claimed to have witnessed unusual activity on a crypto.com Ethereum wallet. 

Questions Crypto.com Needs to Answer

At present, the story is confusing. Sometimes, crypto sites experience outages and are forced to suspend transactions at peak trading times – popular cryptocurrency platform Binance had a huge outage last year, for instance, which was disastrous for traders who were unable to buy and sell their extremely volatile currencies. 

However, this doesn’t sound like a run-of-the-mill outage where a simple backlog of payments needs to be processed. But still, crytpo.com has told its customers that ‘all funds are safe’. The $750 million insurance policy probably reassures its clients, too. 

The problem is, if the funds are safe, why is crypto.com asking customers to reset their two-factor authentication credentials and sign in and out of accounts? These are typically mitigative measures that companies advise users to take when accounts have been compromised. 

What does ‘unauthorized access’ really mean? Who accessed the accounts? Their statement is vague and leaves many questions unanswered. 

How Secure is Two-Factor Authentication?

Multiple customers have confirmed they had two-factor authentication – a second, “one-time code” type of authentication that can keep your account secure even if someone does manage to guess or obtain your password – configured. 

Having both a password and another authentication method – usually, a code from an authenticator app or a code sent as a text message – is considered secure. A password plus 2FA is the full extent of the security provisions offered by many websites. 

Using your phone number for 2FA configuration is now considered less secure than it was a few years ago due to sim-swapping. 

That being said, it wouldn’t be surprising if 2FA was bypassed in this case. Using your phone number for 2FA configuration is now considered less secure than it was a few years ago, due to the ability of scammers and hackers to carry out sim-swapping. 

This involves impersonating a target and duping their telephone carrier into swapping their number over to a SIM card the scammer is in control of. After the swap, subsequent text messages – and more importantly authentication codes for accounts – are redirected to the scammer's device. 

2FA has Already Caused Crypto Investors Problems

Sim-swapping has already been used in the past year to empty crypto accounts – so it’s entirely possible the same technique was used again in this case. 

Scams like this are why dumps of stolen personal information – that includes data such as an individual’s date of birth – are worrying even if they do not include passwords because they can potentially be leveraged, for instance, to answer security questions. 

Hackers have regularly targeted cryptocurrency traders with a variety of other means too, including phishing attacks and fake hardware wallets – in total, around $14 billion worth of cryptocurrency was stolen last year. 

Bolstering Your Security

Whether this case was indeed a hack, security flaw or system error is currently unclear. 

But if you’re a crypto investor with money in the game, you can’t take any chances – so ensure your first line of defence, your password, is maximally secure and you’re taking advantage of tools like password managers

All of your passwords for every account you own should be different, at least 16 characters long, and include letters, numbers, and special characters/symbols – which is why it's good to have a place to manage them. 

On top of this, if you’re a crypto.com user resetting their 2FA, it’s always recommended to use authenticator apps over phone numbers for the reasons explained in the section above. Stay vigilant and protect your hard-earned cash.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals