Crypto.com was hacked, and users' funds were stolen. The crypto exchange believes hackers bypassed users' passwords and two-factor authentication (2FA), then withdrew assets from their accounts. The Crypto.com dev team responded by freezing all crypto deposits and withdrawals across most of the company's product line until they fix the security issue.
It's unclear when Crypto.com was breached, but a wave of users began complaining of unauthorized withdrawals from their accounts last night. Crypto.com minimized the issue on Twitter:
"We have a small number of users reporting suspicious activity on their accounts. We will be pausing withdrawals shortly, as our team is investigating. All funds are safe."
Officially, only a small number of users were affected by the hack, but Reddit and Twitter exploded with users claiming their Bitcoin and Ethereum had been stolen.
According to Crypto.com, a fix is now being released worldwide. The exact timeline for the outage is unclear, but it appears that crypto deposits and withdrawals will have been disabled for 8 to 12 hours.
In order to withdraw funds, users will be required to reset their 2FA settings. Some users are reporting problems resetting their 2FA, and Crypto.com’s reset process may not operate well if every user needs to reset their 2FA at the same time.
Reddit user Grunblau claims to have received these instructions from Crypto.com for resetting 2FA:
To reset 2FA Authenticator, please contact our customer support and provide us with a short video of yourself saying the following:
Date of request
Please make sure that your face and the upper part of your torso are clearly visible in the video. The size of the video has to be no larger than 40MB.
** Resetting your Authenticator settings will disable your 2FA protection on both your Exchange account and the Crypto.com App account.
Crypto.com customers may have their funds locked for a long time if their initial 2FA resets don't go well. The company has suggested that users’ stolen funds will be refunded, but they have not given a timeline.