Crypto.com allegedly suffers $15 million breach in latest exchange heist

Quick Take

  • Crypto.com paused withdrawals on January 17 citing that users were reporting unauthorized activity.
  • Researchers PeckShield estimate that $15 million was stolen from the exchange and mixed through TornadoCash.

At least 4,830 ETH ($15 million) has been stolen from crypto exchange platform Crypto.com, according to blockchain researchers PeckShield.

Per blockchain records, it appears the alleged hacker has laundered almost all of the proceeds from the incident via TornadoCash, a “coin mixer” that serves to obfuscate the on-chain link between the source and destination of transactions on the Ethereum blockchain.

The attacker began laundering the siphoned funds at 12:53 AM UTC on Tuesday in batches of 100 ETH ($317,000) per transaction. In total, the hacker sent 48 deposits of 100 ETH each and three deposits of 10 ETH each to TornadoCash.

It is not yet known how the hacker was able to steal funds from Crypto.com but the exchange first announced that some users were reporting suspicious activities on their accounts on January 17. At the time, the exchange stated that it was going to pause withdrawals while it investigated the matter.

The following day, the platform tweeted that some users had reported unauthorized activity on their accounts but did not specify the nature of the incident. In response, the exchange reset all two-factor authentication (2FA) protocols, requiring all users to repeat the security verification step before withdrawals would be enabled on the platform.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Tweeting on Tuesday morning, Crypto.com CEO Kris Marszalek maintained that user funds were not lost in the incident  — but did not specify whether the exchange's own funds were taken. “We will share a full post mortem after the internal investigation is completed,” Marszalek added.

We have reached out to Crypto.com for comment and will update this story should we hear back.

Crypto.com has been on a marketing spree recently, doling out $700 million to rename the Staples Center in Los Angeles to the Crypto.com Arena. The exchange has also inked a multi-year sponsorship deal with the LA Angel City Football Club.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.