Crypto.com Says All Funds Are Safe After Hackers Allegedly Pilfered $15M In Ethereum
To the casual observer, the world of cryptocurrency may seem like the modern version of the Wild West. It definitely doesn't help the optics when hackers infiltrate one of the leading cryptocurrency exchanges, Crypto.com, and swipe $15 million worth of Ethereum, as a blockchain security and data analytics company claims happened this week.
According to a tweet posted by security firm Peck Shield, the popular crypto exchange lost at least 4,600 Eth, which at the time of the supposed theft was worth around $15 million (today it's worth around $14.3 million). The firm also posted evidence indicating the hackers are attempting to launder the stolen Eth through Tornado Cash.
Tornado Cash is what's known as an Ethereum "mixer" protocol that makes it more difficult to track transactions. The pitch is that it improves "privacy by breaking the on-chain link between source and destination addresses."
"It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. To preserve privacy a relayer can be used to withdraw to an address with no ETH balance. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy," Tornado Cash explains.
Crypto.com has not confirmed the hack, though earlier this week it did acknowledge a "small number of users reporting suspicious activity on their accounts." This prompted the exchange to temporarily pause withdrawals while ensuring "all funds are safe."
In a separate tweet, Crypto.com co-founder and CEO Kris Marszalek said the downtime lasted around 14 hours, and that no customer funds had been lost. He also noted that as a result of whatever happened, the service's team took measures to harden the infrastructure, lending credence to the claim that a hack occurred.
"We will share a full post mortem after the internal investigation is completed," Marszalek added. He said in a follow-up post, "I'm particularly happy with two things: the support we received from the community both publicly and in DMs, and the opportunity this incident gave us to further strengthen our setup. We learn, we improve, we move forward undeterred."
One thing to note is that saying no customer funds were lost does not necessarily mean a theft didn't happen. It is entirely possible—likely, even—the Crypto.com has either managed to recover any stolen funds, and/or is covering the theft. It's in the company's best interest to do so, given its high profile relationships and sponsorship deals that include actor Matt Damon, NBA franchise Philadelphia 76ers, Formula One, and others. Crypto.com also recently purchased the naming rights to the Staples Centers in Los Angeles, now known as the Crypto.com arena, for $700 million.