Crypto.com lost $35M when attackers bypassed 2FA controls and withdrew funds from approximately 483 user accounts.
Attackers bypassed Crypto.com's two-factor authentication system and gained access to approximately 483 user accounts, draining ETH and BTC. The exact bypass mechanism was not fully disclosed but involved a flaw in the authentication flow. Crypto.com initially denied any customer funds were lost before eventually confirming the incident, reimbursing all affected users.
Stolen ETH deposited into Tornado Cash. Bitcoin routed through mixing services. Crypto.com CEO Kris Marszalek confirmed the incident on Twitter days after the fact. All affected users were fully reimbursed by Crypto.com. Portions of ETH were traced to Tornado Cash deposits by Peckshield and Nansen. No attacker identified.