Key Insights
Were Crypto.com User Funds Compromised?
No, Crypto.com assured that no customer funds were breached or in jeopardy. Only a small number of users had their partial personal data exposed.
Was the Breach Publicly Disclosed by Crypto.com?
No, the company did not publicly announce the breach to the affected users, a decision that received backlash from blockchain investigator ZachXBT.
Reports suggest that Crypto.com experienced an undisclosed data breach associated with the Scattered Spider hacking group, raising concerns about its security measures.
Attack Details
According to Bloomberg’s investigation, the breach involved teenage hackers, including 18-year-old Noah Urban from Florida, who specialized in phishing employees at telecom, tech, and cryptocurrency companies.
Urban and his associates gained access to sensitive user data, with previous targets including MGM Resorts and other major firms.
Crypto.com acknowledged that the breach affected only “a very small number of individuals,” emphasizing that no customer funds were compromised.
Response from Crypto.com
However, the company chose not to inform the impacted users publicly.
In response, Crypto.com CEO Kris Marszalek clarified,
“Any claims of us not reporting or disclosing a security incident are baseless. We reported a phishing campaign targeting one of our employees in 2023 in a NMLS Notice of Data Security incident filing and to relevant regulators.”
Marszalek assured that the incident was swiftly contained, with no threat to customer funds and only a minimal amount of users’ personal data compromised.
He emphasized the company’s commitment to a “security-first” approach.
Opinion of ZachXBT on the Breach
Nevertheless, blockchain investigator ZachXBT criticized Crypto.com for not disclosing the breach. He stated,
“Your team concealed a breach that impacted user personal information.”
He further added,
“They have experienced multiple breaches.”
The Crypto.com breach was part of a broader criminal operation orchestrated by the Scattered Spider group, transitioning from simple SIM-swapping to advanced corporate infiltration.
Florida native Noah Urban, then a teenager, played a role as a “caller” within the group, persuading employees to divulge credentials unlocking internal systems.
Extensive Criminal Campaign
The breach occurred before March 2023. Urban was arrested nine months later, in January 2024, and charged with hacking 13 companies.
Authorities mentioned that the group also misused United Parcel Service data.
Following indictments of Urban and four accomplices, he pleaded guilty to wire fraud and aggravated identity theft.
This resulted in the confiscation of $4.8 million in cryptocurrency, $13 million in restitution, a 10-year prison term, and additional supervised release.
All these revelations coincided with CEO Marszalek’s optimistic outlook for a strong fourth quarter and a collaboration with Yorkville Acquisition Corp. and Trump Media to establish Trump Media Group CRO Strategy, Inc., a digital asset treasury focusing on acquiring Cronos (CRO).