Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
Several users of a major cryptocurrency exchange endorsed by Matt Damon in a notorious viral ad complained over the weekend that their funds on the platform had been stolen. Confusion has reigned since then, as the company said no customer funds were stolen in what it vaguely referred to as an “incident” in communications.
On Sunday, Crypto.com wrote on Twitter that “a small number of users [are] reporting suspicious activity on their accounts,” but that “all funds are safe.” On Monday, the company’s CEO Kris Marszalek reiterated in a tweet that “no customer funds were lost.”
But blockchain security and analytics company Peckshield said on Twitter that Crypto.com lost about $15 million, roughly the equivalent of 4,600 ETH. Half of those funds, the company said, were being laundered through Tornado Cash, a tumbling and mixer service that obscures cryptocurrency transactions with the goal of making them harder to be tracked.
A spokesperson for Crypto.com declined to comment and referred instead to what was posted on the company’s CEOs and its main Twitter account. In that tweet, in addition to emphasizing that user funds were “safe,” Marszalek said that the Crypto.com team “has hardened the infrastructure in response to the incident.”
Peckshield did not immediately respond to a request for comment.
It’s unclear exactly what happened, but something seemingly did happen, and experts told Motherboard that it’s possible Crypto.com is being very careful in its wording.
“Movements of funds are visible on the blockchain, but it’s difficult to distinguish between regular withdrawals and theft,” Tom Robinson, the co-founder and chief scientist of blockchain analysis firm Elliptic, told Motherboard in an email.
“As far as I’ve seen, Crypto.com haven’t said that no funds were lost, but that ‘no customer funds were lost.’ This could mean that the funds belonged to the company themselves rather than customers, or that any customer losses will be covered by the business. But that’s just me speculating based on what I see on social media.”
Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]
In addition to outcry over the alleged hack and Crypto.com’s communication, there are unconfirmed reports on social media of some users receiving refunds for the stolen cryptocurrency.
Crypto.com is the world’s fourth largest cryptocurrency exchange in the world, according to crypto market analysis firm CoinGecko. The company is known for having hired Matt Damon to star in an over-the-top video that compares the company to historic inventors like the Wright brothers, as well as astronauts. The company also made headlines recently for buying the naming rights to the Los Angeles Clippers and Lakers arena for $700 million.
In response to the incident, Crypto.com announced that it would require all users to sign back into their accounts and reset their two-factor authentication.