Crypto.com 2FA Bypass
2FA-bypass exploit drained $34M from 483 Crypto.com accounts; attackers authorised transactions without the second factor ever prompting the user.
- Date: January 17, 2022
- Victim: Crypto.com
- Status: Recovered
On January 17, 2022, Crypto.com detected suspicious withdrawals across 483 customer accounts. Total losses settled at approximately $34 million — roughly $15M in ETH, $19M in BTC, and the remainder in other assets. The attack was unusual in that it bypassed two-factor authentication on a large exchange without the user being prompted.
What happened
Crypto.com initially declined to share technical details — its early statements characterised the event as "unauthorised activity" without confirming a breach. After several days of community pressure and analyses from third parties, the company confirmed that transactions on the affected accounts had been approved by Crypto.com's systems without the corresponding 2FA challenge ever being shown to users.
The exact mechanism was never publicly disclosed — possibilities included compromised internal API endpoints, session-token theft followed by privilege escalation, or a backend bug that let certain transaction types skip the 2FA gate. What was clear from the on-chain evidence was that the attacker:
- Did not need user credentials or 2FA tokens for the 483 victim accounts.
- Drained both hot ETH and BTC balances through Crypto.com's normal withdrawal interface, with the platform's own systems treating the transactions as authorised.
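The failure mode described above is easiest to see side by side. The following is an added illustration, not Crypto.com code and not the disclosed mechanism (which was never published): a hypothetical withdrawal gate in which one transaction kind short-cuts the 2FA check, next to a hardened gate that demands a verified, single-use challenge bound to the exact transaction and applies a cooling-off period to new destination addresses. All transaction kinds, account ids, addresses and the `ChallengeStore` are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical transaction kinds; the real Crypto.com types are not public.
SKIPPED_KINDS = {"internal_transfer"}


@dataclass
class Withdrawal:
    account: str
    asset: str
    amount: float
    dest: str                  # destination address
    kind: str                  # e.g. "standard" or "internal_transfer" (hypothetical)
    challenge_id: Optional[str] = None   # 2FA challenge the client claims it completed


class ChallengeStore:
    """Constructed stand-in for the server-side record of issued 2FA challenges.
    A challenge is bound to one account/destination/amount and is single-use."""

    def __init__(self):
        self._challenges = {}

    def issue(self, cid, account, dest, amount):
        self._challenges[cid] = {"account": account, "dest": dest,
                                 "amount": amount, "verified": False, "used": False}

    def mark_verified(self, cid):
        # Called only after the TOTP/push response has been checked server-side.
        self._challenges[cid]["verified"] = True

    def get(self, cid):
        return self._challenges.get(cid)


def authorise_vulnerable(w, store):
    """Illustrative flaw of the kind the write-up speculates about: a type-based
    short cut lets some withdrawals skip the 2FA gate entirely, so the user is
    never prompted and the backend still records the transaction as authorised."""
    if w.kind in SKIPPED_KINDS:
        return True
    c = store.get(w.challenge_id)
    return bool(c and c["verified"])


def authorise_hardened(w, store, address_first_seen, now,
                       cooling_off=timedelta(hours=24)):
    """Every withdrawal, regardless of kind, needs a verified, unused challenge
    bound to this exact transaction, and the destination must be past its
    cooling-off period. Returns (approved, reason)."""
    c = store.get(w.challenge_id)
    if c is None or not c["verified"]:
        return False, "no verified 2FA challenge for this withdrawal"
    if c["used"]:
        return False, "2FA challenge already consumed"
    if (c["account"], c["dest"], c["amount"]) != (w.account, w.dest, w.amount):
        return False, "2FA challenge does not match this transaction"
    first_seen = address_first_seen.get((w.account, w.dest))
    if first_seen is None or now - first_seen < cooling_off:
        return False, "destination address still in cooling-off period"
    c["used"] = True   # consume it so the same challenge cannot approve a second withdrawal
    return True, "approved"


def demo():
    """Runs both gates over constructed requests and returns their decisions."""
    now = datetime(2022, 1, 17, 1, 0, tzinfo=timezone.utc)
    store = ChallengeStore()
    # Legitimate flow: challenge issued for this exact transaction, verified by the
    # user, and the destination address was registered two days ago.
    legit = Withdrawal("u0007", "ETH", 12.5, "0x-constructed-addr", "standard", "ch-1")
    store.issue("ch-1", "u0007", "0x-constructed-addr", 12.5)
    store.mark_verified("ch-1")
    first_seen = {("u0007", "0x-constructed-addr"): now - timedelta(days=2)}
    # Forged request: no challenge at all, merely tagged with the skipped kind.
    forged = Withdrawal("u0012", "BTC", 1.1, "bc1q-constructed-addr", "internal_transfer")
    return {
        "vuln_forged": authorise_vulnerable(forged, store),
        "hard_forged": authorise_hardened(forged, store, first_seen, now),
        "hard_legit": authorise_hardened(legit, store, first_seen, now),
        "hard_replay": authorise_hardened(legit, store, first_seen, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the hardened version is that the gate does not trust anything the client sends about the transaction's kind: approval depends only on server-side state (a challenge the server issued, verified and has not yet consumed) that is tied to the account, destination and amount being withdrawn.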
Aftermath
- Crypto.com revoked all customer 2FA tokens, forced re-enrolment, and added a mandatory 24-hour delay before first withdrawal to a newly-registered address.
- All affected accounts were reimbursed from corporate reserves.
- The CFO and security teams publicly committed to a $750K worldwide cyber insurance program and other public-relations remediation steps.
Why it matters
Crypto.com showed that 2FA is only as good as the server that enforces it. The user-side cryptographic verification is meaningless if the backend skips the check — and the failure mode is silent: users see no prompt and no withdrawal in their session, and discover the loss only when they check their balances.
The incident accelerated industry adoption of:
- Mandatory cooling-off periods for new withdrawal addresses (Crypto.com's own 24-hour delay, now common across exchanges).
- Out-of-band withdrawal confirmation (email + push notification + 2FA), so an attacker compromising the 2FA path alone is not enough.
- Per-IP and per-device anomaly detection that fires on the kind of mass-withdrawal pattern Crypto.com saw across 483 accounts simultaneously.
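The third item above is the one that can be expressed as detection logic. The following is an added example, not Crypto.com's detection or any vendor's rule: a sliding-window rule that alerts when withdrawals from many distinct accounts land within minutes, plus two supporting signals (several accounts paying one destination address, and many accounts served from one IP). The log format, account ids, addresses, IPs and timestamps are all constructed for the example; the burst at 01:10 imitates the mass-withdrawal pattern the write-up describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal log (not real Crypto.com data).
SAMPLE_LOG = """\
2022-01-17T00:05:00Z WITHDRAW account=u0001 asset=BTC amount=0.4 dest=bc1q-const-a ip=198.51.100.7
2022-01-17T01:10:00Z WITHDRAW account=u0007 asset=ETH amount=12.5 dest=0xconst-b ip=203.0.113.5
2022-01-17T01:10:20Z WITHDRAW account=u0012 asset=ETH amount=30.0 dest=0xconst-b ip=203.0.113.5
2022-01-17T01:10:45Z WITHDRAW account=u0019 asset=BTC amount=1.1 dest=bc1q-const-c ip=203.0.113.5
2022-01-17T01:11:02Z WITHDRAW account=u0023 asset=ETH amount=8.2 dest=0xconst-b ip=203.0.113.5
2022-01-17T01:11:40Z WITHDRAW account=u0031 asset=BTC amount=2.0 dest=bc1q-const-c ip=203.0.113.5
2022-01-17T01:12:15Z WITHDRAW account=u0040 asset=ETH amount=5.5 dest=0xconst-b ip=203.0.113.5
2022-01-17T06:30:00Z WITHDRAW account=u0002 asset=ETH amount=1.0 dest=0xconst-d ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) WITHDRAW account=(?P<account>\S+) asset=(?P<asset>\S+) "
    r"amount=(?P<amount>[0-9.]+) dest=(?P<dest>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parses log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["amount"] = float(e["amount"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mass_withdrawal(events, window=timedelta(minutes=10), min_accounts=5):
    """Sliding-window rule: alert when withdrawals from at least `min_accounts`
    distinct accounts fall inside one `window`. Each burst is reported once."""
    alerts = []
    i, n = 0, len(events)
    while i < n:
        j, accounts, ips = i, set(), set()
        while j < n and events[j]["ts"] - events[i]["ts"] <= window:
            accounts.add(events[j]["account"])
            ips.add(events[j]["ip"])
            j += 1
        if len(accounts) >= min_accounts:
            alerts.append({"start": events[i]["ts"], "end": events[j - 1]["ts"],
                           "accounts": sorted(accounts), "ips": sorted(ips)})
            i = j          # skip past this burst so it is not re-reported per event
        else:
            i += 1
    return alerts


def shared_destinations(events, min_accounts=3):
    """Destination addresses funded by several distinct accounts: a second,
    window-independent signal that the withdrawals belong to one campaign."""
    by_dest = defaultdict(set)
    for e in events:
        by_dest[e["dest"]].add(e["account"])
    return {d: sorted(a) for d, a in by_dest.items() if len(a) >= min_accounts}


def accounts_per_ip(events):
    """Distinct accounts seen per source IP, the per-IP view the text mentions."""
    by_ip = defaultdict(set)
    for e in events:
        by_ip[e["ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in by_ip.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_mass_withdrawal(evs):
        print("mass-withdrawal burst", a["start"], "to", a["end"],
              len(a["accounts"]), "accounts from", a["ips"])
    print("shared destinations:", shared_destinations(evs))
    print("accounts per ip:", accounts_per_ip(evs))
```

On the constructed log the window rule fires once, for the six accounts that withdraw between 01:10 and 01:12 from a single IP; the destination rule independently flags the one address that four of those accounts pay into. Thresholds are deliberately parameters: the right `window` and `min_accounts` depend on an exchange's normal withdrawal rate, and a rule tuned against a quiet baseline is what makes a burst across hundreds of accounts stand out.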
Sources & on-chain evidence
- [01] techcrunch.com: https://techcrunch.com/2022/01/20/2fa-compromise-led-to-34m-crypto-com-hack/
- [02] halborn.com: https://www.halborn.com/blog/post/explained-the-crypto-com-hack-january-2022
- [03] bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/cryptocom-confirms-483-accounts-hacked-34-million-withdrawn/