When suspicious behavior was discovered on the crypto wallet and trading site Crypto.com, it suspended transactions yesterday. This was in response to claims of stolen funds made by users on social media. Users discovered that funds were missing from their balances, while some claimed their entire wallet had been emptied.
Peckshield, a blockchain security and data analytics firm, announced today that about $15 million in crypto assets, around 4.6k ETH, were carted away by hackers.
Crypto.com posted on Twitter that a small number of users are reporting suspicious activity on their accounts but quickly mentioned that all monies are safe. CEO Kris Marszalek said in a tweet on Monday that no client monies were lost.
This is in contrast to many comments from the exchange's customers. On Monday, Billy Markus, one of the founders of Dogecoin, said he noticed strange behavior on an Ethereum wallet on Crypto.com, noting an unusual pattern of transactions moving to recipient wallets.
While speaking on the Crypto.com hack, Brian Pasfield, CTO at Fringe Finance, a DeFi protocol that intends to include all crypto assets in the DeFi economy, cited the security compromise as one of the challenges of centralized cryptocurrency exchanges.
"The Crypto.com incident is the latest example of a centralized cryptocurrency exchange suffering from a major hack. Several users noticed suspicious activity on their accounts before Crypto.com confirmed the vulnerability. It assured its users that all funds were safe, but the attack highlights the risks associated with using centralized services. Exchanges frequently suffer from attacks because they often use hot wallets to store funds; last year, millions of dollars were lost in similar hot wallet attacks. While exchanges may compensate affected users following an attack, there's also a risk that they will not be able to repay users if they are not insured. To deal with yesterday's incident, Crypto.com halted withdrawals for all users, which clearly defies the principles of self-sovereign money and decentralization. While using DeFi has its own set of risks associated with smart contracts, it gives a way for people to be their own bank without having their funds frozen. Centralized exchange hacks serve as an important reminder for the popular crypto mantra: not your keys, not your coins," said Brian Pasfield.
Stolen Funds laundered through Tornado Cash
The hackers discovered a technique to get beyond Crypto.com's 2FA (two-factor authentication) security procedures, and according to Peckshield, they stole around $15 million worth of Ether. Tornado Cash, an Ethereum Mixer mixer, is currently being used to launder the stolen funds in batches of 100 ether.
"The @cryptocom loss is about $15M with at least 4.6K ETHs and half of them are currently being washed via @TornadoCash," said Peckshield in a Twitter post.
Launched in 2020, Tornado Cash is an ETH mixer that breaks the on-chain link between source and destination addresses to improve transaction privacy.
Crypto.com maintains that no user funds were lost as a result of the attack and has subsequently lifted the restrictions it imposed on deposits and withdrawals.
"Update: Withdrawal services have been restored. All funds are safe. It will take time to clear the backlogs. We appreciate your patience," said the exchange in a Twitter post.
Many users continue to complain about login troubles and request that the exchange refund their lost monies.