SINGAPORE, Jan 21 — Cryptocurrency exchange Crypto.com said yesterday that its users had lost tens of millions of dollars worth of bitcoin, ethereum and other cryptocurrencies after its security was breached.
More than 480 users were affected and they have been fully reimbursed, said the Singapore-based exchange.
Crypto.com said the company detected unauthorised withdrawals on a small number of accounts on Monday through its risk monitoring systems.
These transactions were being approved even though users did not input their two-factor authentication control.
The firm then suspended withdrawals of all tokens to investigate the issue.
The unauthorised withdrawals involved 4,836.26 ethereum, 443.92 bitcoin and US$66,000 worth of other cryptocurrencies. The price of cryptocurrencies swing wildly but at current prices the affected withdrawals were worth about US$31 million.
Crypto.com revoked all customer two-factor authentication tokens, and added additional security measures. All customers were required to re-login and set up their two-factor authentication token to ensure only authorised activity would occur.
"Any accounts found to be impacted were fully restored," said the company in a security report published on its website.
After 14 hours, withdrawals were resumed in the early hours of Wednesday.
Crypto.com said that it revamped and migrated to completely new two-factor authentification infrastructure out of an abundance of caution.
It also introduced an additional layer of security by delaying the first request of a withdrawal to a new whitelisted withdrawal address by 24 hours.
"Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond. The notification message provides useful reminders and instructions on contacting our team if the address whitelisting was unauthorised," said the company.
In addition to their own security tests, it has also engaged third-party security firms to perform additional security checks on its platform, as well as initiating additional threat intelligence services.
Crypto.com also said that it will be moving away from two-factor authentication to multi-factor authentication.
The cryptocurrency platform was in the news in November last year when it bought the naming rights for Los Angeles' Staples Center for a record US$950 million.
