The CEO of cryptocurrency exchange Crypto.com, Kris Marszalek, has finally confirmed that hundreds of user accounts were indeed compromised by hackers and had funds stolen as a result, though details of the exact method of breach remain unclear.
Marszalek acknowledged the hack in an online interview with Bloomberg Wednesday, stating that around 400 customer accounts had been compromised. He also told Bloomberg that he had not received any outreach from regulators since the attack was first disclosed but would share information if official inquiries were made.
Previous statements from Marszalek and other communications from Crypto.com have been criticized for being vague and unclear. Official messaging from the company referred to a security “incident,” and an early Twitter post mentioned only that a small number of users were “reporting suspicious activity on their accounts.”
Marszalek followed up by tweeting that “no customer funds were lost” — a statement some commentators interpreted as meaning that the exchange would take the financial hit rather than passing it on to customers.
Some thoughts from me on the last 24 hours:
– no customer funds were lost
– the downtime of withdrawal infra was ~14 hours
– our team has hardened the infrastructure in response to the incident
We will share a full post mortem after the internal investigation is completed.
— Kris | Crypto.com (@Kris_HK) January 18, 2022
Shortly afterward, security company PeckShield posted a tweet claiming that, in reality, Crypto.com’s losses amounted to around $15 million in ETH and were being sent to Tornado Cash to be “washed.” Tornado Cash is a cryptocurrency privacy tool known as a “mixer” that can hide the final destination of ether being sent into it: a service that has legitimate uses but can easily be used to launder the proceeds of theft and other crypto-related crime.
The Crypto.com exchange has become one of the most recognizable brands in the cryptocurrency world due to a number of prominent sponsorship deals with sports teams, notably a $700 million deal that renamed the Los Angeles Lakers’ stadium — formerly known as the Staples Center — to the Crypto.com Arena.
The exchange has also inked deals with the UFC fight league, the Philadelphia 76ers NBA team, the NHL’s Montreal Canadiens, and, most recently, with the Australian Football League, deals worth as much as $1.5 billion in sponsorship.
As the size and user base of the cryptocurrency industry continue to grow, exchanges remain among the highest-value targets for hackers to compromise. According to NBC News, there were more than 20 exchange hacks where the hacker escaped with more than $10 million in profit over the course of 2021, with six cases exceeding $100 million.