Singapore-based exchange, Crypto.com was the victim of a hack in the wee hours of the 17th of January, 2022. A total of 4.6K ETH, worth $15 million, was previously estimated to have been stolen. In a recent update, the total stolen amount is said to have gone up by another 444 BTC.
Even though there have been large outflows from the custodian wallet into ETH’s Tornado Cash, and a well-known BTC tumbler, there has been no acknowledgment of the losses suffered. Tornado Cash is an Ethereum-based non-custodial privacy solution.
How was the crypto.com hack carried out?
Twitter user ErgoBTC tweeted a thread explaining steps that have unfolded in the attack.
An abnormally large withdrawal was taken notice of from Crypto.com’s payout wallet bc1q7cyrfmck2ff2ud3rn5l5a8yv6f0chkp0zpemf. Soon after, several hundred withdrawals were combined into four outputs of 67.75 BTC each. The 271 BTC then deposited a sequence of 24 or 25 BTC to a well-known BTC tumbler. This tumbler has been seen in DPRK Lazarus Group breaches and, most recently, in the attempted laundering of BTC from the Darkside ransomware activities.
173 BTC at address bc1qk8wlwypvvr6v5lmsngg5a248k2a9cgrsrw5jsq, supposedly is associated with the hack and has not yet been sent to the tumbler. The alleged amount lost in terms of Bitcoin is around $33 million.
The hack is thought to have occurred when the attackers discovered a means to get through the exchange’s 2FA security procedures. Crypto.com has issued a notice to users, advising them to reset their 2FA information and log back into the platform to recover access to their accounts.
The hack has put into question the safety of crypto deposits, especially at a time when the industry is pushing for widespread adoption. Moreover, Singapore’s wary outlook regarding crypto doesn’t help crypto.com’s situation.