Skip to content
Close up shot of Bitcoin and alt coins cryptocurrency on black background.
What Crypto.com Could Have Done Differently

Crypto.com Thieves Bypass 2FA Draining Accounts of Millions

While two-factor authentication remains the most popular and widely adopted security measure for most companies, it is not infallible. The recent bypass of 2FA which allowed thieves to drain millions across 483 Crypto.com accounts reminds us that while 2FA is an important piece in an overall security posture, traditional 2FA is often not enough.

On Thursday, Jan 16th Crypto.com tweeted regarding reports that a small number of users were experiencing suspicious activity on their accounts, stating that they were going to be pausing all withdrawals and investigating the matter further. It also originally stated that “All funds are safe.” On the following Thursday, Crypto acknowledged that a breach did occur, resulting in a loss of well over $300 million dollars, far exceeding the initially estimated number of $34.65 million–  but that all customers who were affected had been reimbursed.


Threatpost was able to confirm that before Crypto.com suspended withdrawals it lost 836.26 ETH and 443.93 BTC, which equaled around $15.54 million and $19.04 million, respectively, as of Thursday afternoon. The exchange reported that it lost $66,200 worth of other currencies, as well.

How did this crypto heist go down? Crypto.com said that the thieves attempted to bypass the exchange’s 2FA system. It was Monday, 3 days before the initial Thursday statement that the breach occurred, when the exchange’s risk monitoring system picked up on the unauthorized transactions. They also shared that “in an abundance of caution” Crypto decided to eliminate its current 2FA and migrate to a “completely new 2FA infrastructure.”

Crypto.com immediately suspended withdrawals on its platform for about 14 hours while they investigated. “2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect,” the exchange said. “We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to set up and use 2FA in order to withdraw.”

The exchange plans to release additional end-user security features as it moves away from 2FA and on to what it called “true” multifactor authentication (MFA).

What Crypto.com Could Have Done Differently


The problem with multifactor authentication is that any process with human users inevitably exposes itself to human error.  As the recent Biden Administration Executive Order shows, the cybersecurity industry is moving towards phishing-resistant multifactor authentication like Twosense. Twosense MFA confirms user identity via behavioral biometrics without any user participation, removing the threat of accidental approvals while also removing interruptions from the user’s day.

More from the Blog

November 1, 2021

The Importance Of "Flow" and How To Give Your Employees More Of It

Have you ever experienced a complete sense of fluidity between your body and mind? A period of time where you...
January 18, 2022

2FA Phishing Toolkits Are Easier To Find Than Ever

As 2FA increased in popularity as the default security feature for most organizations, websites, and applications, so...

Sign Up for our Blog

We will never share your email address with third parties.