Cryptocurrency exchange Crypto.com admitted on Thursday that hackers were able to breach its security systems and stole more than $34 million worth of Bitcoin and Ethereum.
The Singapore-based cryptocurrency exchange, which popularly hired actor Matt Damon for one of its commercials, said the cybercriminals were able to bypass its two-factor authentication system and withdraw the money from 483 customer accounts. The company said on its corporate blog that a total of 4,836.26 Ethereum, 443.93 Bitcoin, and $66,200 were stolen from its users' accounts.
Based on current prices, the stolen cryptocurrency and money are worth more than $34 million. Crypto.com said that it had already fully reimbursed customers who had lost money from the cyber attack.
The company said the attack had happened on Monday. In its blog post, the company describes the incident in detail. It also outlined the company's identification and response to the attack, as well as the company's plans to prevent such attacks from happening again. Crypto.com did not reveal the identities of the hackers or if it had identified who perpetrated the breach.
Before the company had admitted the attack, several articles were published alleging that millions of dollars worth of cryptocurrencies were stolen from the website. An article from CoinDesk, published on Wednesday, claimed that the stolen cryptocurrency was being laundered via a service called Tornado Cash.
On Thursday, Crypto.com Chief Executive Kris Marszalek admitted that around 400 customer accounts might have been affected by a breach in its systems. Earlier in the week, the company told customers that it was temporarily suspending withdrawals after several users reported "suspicious activity" on their accounts. The company said it has already begun investigating the reports and assured customers that their funds were safe.
Two-factor authentication, or 2FA, is a multistep security system that requires users to provide two distinct forms of identification, such as a one-time passcode in addition to a password when logging into an online account. Monday's breach calls into question the reliability of 2FA in keeping digital assets safe from hackers.
Cyrpto.com said that it had immediately revoked all 2FA tokens when it first discovered the breach. The company said that it had since revamped its systems and that all affected accounts were transferred to a "completely new 2FA infrastructure."
Cyrpto.com said it plans to eventually get rid of 2FA and replace it with a new authentication security system called True Multi-Factor Authentication (MFA). Following the breach, the company's share price tumbled by more than 6%, closing Thursday at 46 cents per share.
