(2022)

Crypto.com

1000 BTC

Monetary Impact: $33,800,000

Month: January

Year: 2022

Type: January

Network: Multiple

Platform Status: Operational

Cause: 2FA Bypass Vulnerability

Incident Review

On January 17, 2022, Crypto.com, a Singapore-based centralized cryptocurrency exchange, was hit by a sophisticated cyberattack that resulted in the theft of $33.8 million in assets from 483 user accounts: 4,836.26 ETH ($15.2 million), 443.93 BTC ($18.6 million), and $66,200 in other cryptocurrencies, as reported by Crypto.com and PeckShield. The breach, detected at 00:46 UTC, exploited a vulnerability in the exchange’s two-factor authentication (2FA) system that allowed attackers to bypass 2FA and approve transactions using only passwords, per Halborn’s analysis. The stolen funds were laundered through Tornado Cash, rendering them untraceable, per CoinDesk. Crypto.com, with $2.5 billion in daily volume per CoinMarketCap, suspended withdrawals for 14 hours, revoked all 2FA tokens, and migrated to a new 2FA infrastructure, as announced on Twitter (@cryptocom).

CEO Kris Marszalek initially downplayed the incident, claiming no funds had been lost, which drew criticism from Reddit’s u/CryptoSkeptic for vague communication, per TechCrunch. All affected users were fully reimbursed, and a Worldwide Account Protection Program (WAPP) was launched, offering up to $250,000 in coverage for qualified users, per Crypto.com’s blog. No perpetrators were identified and no funds were recovered amid the regulatory gaps of 2022, per Chainalysis. The incident was one of over 20 exchange hacks in 2021-2022 that together cost $3.8 billion, per NBC News. It underscored the risks of centralized key management and fueled calls for self-custody, multi-factor authentication beyond 2FA, and mandatory withdrawal delays to enhance exchange security.
