Updated with an official statement from the company.
CEO Kris Marszalek said 400 customer accounts were compromised, yet he did not provide details on the hack method.
Kris Marszalek, the CEO of the world's fourth-largest crypto exchange, Crypto.com, told Bloomberg that his security experts confirmed the company was breached, resulting in unauthorized transactions from user accounts.
"In this particular incident, some of these [security] layers were breached, which resulted in about 400 accounts having unauthorized transactions," Marszalek explained.
It took the company several days to shed some light on what was going on, although Crypto.com users started complaining about lost funds last week.
On Monday, the company posted a message on Twitter, claiming that a small number of users experienced 'unauthorized activity' while simultaneously saying that 'all funds are safe.'
On Tuesday, the company first shut down withdrawals, pointing to 'suspicious activity,' although no confirmation of a breach was put forward. However, Marszalek told Bloomberg that the company fixed the issues 'very quickly.'
"We were back online after 13-14 hours. And during the same day, all accounts that were affected were fully reimbursed. So there was no loss of customer funds," Marszalek explained.
Cryptocurrency news site Block reported that threat actors withdrew around $33 million.
However, Marszalek did not confirm the value of the stolen funds, adding that Crypto.com is still trying to determine the exact amount and will post the findings on its blog.
The hack comes amidst Crypto.com's push to enter the US market. Recently, the company paid a whopping $700 million for the rights to Staples Center in Los Angeles.
The venue, home of the Los Angeles Lakers basketball team, was renamed Crypto.com Arena for 20 years on 25 December 2021.
2FA authentication issues
According to a security report by Crypto.com, the incident affected 483 Crypto.com users and unauthorized withdrawals totalled 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.
Crypto.com's security monitoring system detected unauthorized activity on 17 January, where transactions were being approved without the 2FA authentication control being inputted by the users.
"Crypto.com revoked all customer 2FA tokens, and added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur," reads the statement.
The company responded by revoking 2FA tokens for all users worldwide. A mandatory 24-hour delay between the registration of a new whitelisted withdrawal address and the first withdrawal was also introduced as a result of the hack.