Crypto.com suffered a data breach carried out by the Scattered Spider hacking group, led by teenage cybercriminals including Noah Urban (18, Florida), who specialized in SIM-swapping and social engineering. The attack exposed users' personal information, though the company claimed only a 'very small number of individuals' were affected and no customer funds were stolen. However, Crypto.com never publicly disclosed the breach to impacted users, raising transparency concerns. The incident was uncovered by a Bloomberg investigation and blockchain investigator ZachXBT, who accused the company of a cover-up. Despite the breach, Crypto.com reported $1.5B in revenue and $1B in gross profit (2023), with CEO Kris Marszalek pushing for an IPO and partnerships (e.g., Trump Media). The attackers, who originated in Minecraft gaming communities, deceived telecom employees to hijack phone numbers and escalated to high-profile cybercrime targeting MGM Resorts and other corporations.
Source: https://finance.yahoo.com/news/crypto-com-suffered-unreported-data-113413260.html
TPRM report: https://www.rankiteo.com/company/cryptocom
"id": "cry0132901092125",
"linkid": "cryptocom",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': ['A Very Small Number of '
'Individuals (Exact Count '
'Undisclosed)'],
'industry': 'Financial Services (Cryptocurrency)',
'location': 'Global (Headquartered in Singapore)',
'name': 'Crypto.com',
'type': 'Cryptocurrency Exchange'}],
'attack_vector': ['Social Engineering',
'SIM-Swapping',
'Impersonation of IT Security Personnel'],
'customer_advisories': ['No Public Disclosure to Affected Users'],
'data_breach': {'data_exfiltration': ['Confirmed'],
'number_of_records_exposed': ['A Very Small Number (Exact '
'Count Undisclosed)'],
'personally_identifiable_information': ['Confirmed (Type '
'Undisclosed)'],
'sensitivity_of_data': ['High (Personal Identifiable '
'Information)'],
'type_of_data_compromised': ['Personal Information']},
'description': 'Crypto.com suffered a previously unreported data breach by '
'the Scattered Spider hacking group, exposing personal '
'information of users. The attack was carried out by teenage '
'hackers, including Noah Urban, an 18-year-old from Florida. '
"The company confirmed the breach affected 'a very small "
"number of individuals' but did not disclose it publicly. No "
'customer funds were accessed, though personal data was '
'compromised. The breach was uncovered by a Bloomberg '
'investigation and publicly called out by blockchain '
'investigator ZachXBT.',
'impact': {'brand_reputation_impact': ['Negative Publicity',
'Accusations of Cover-Up',
'Loss of Trust'],
'data_compromised': ['Personal Information of Users'],
'identity_theft_risk': ['High (Due to Compromised Personal '
'Information)'],
'payment_information_risk': ['None (No Customer Funds Accessed)']},
'initial_access_broker': {'entry_point': ['SIM-Swapping via '
'Telecommunications Employee '
'Deception'],
'high_value_targets': ['Crypto.com User Personal '
'Data']},
'investigation_status': ['Uncovered by Bloomberg',
'Publicly Called Out by ZachXBT'],
'motivation': ['Financial Gain', 'Criminal Enterprise'],
'post_incident_analysis': {'root_causes': ['Social Engineering '
'Vulnerabilities',
'Insufficient MFA Enforcement',
'Lack of Transparent Disclosure '
'Policies']},
'references': [{'source': 'Bloomberg Investigation'},
{'source': 'ZachXBT (Blockchain Investigator)'},
{'source': 'TG/Investigations by ZachXBT'}],
'response': {'communication_strategy': ['No Public Disclosure to Affected '
'Users',
'Statement Confirming Limited '
'Impact']},
'threat_actor': ['Scattered Spider', 'Noah Urban (18-year-old from Florida)'],
'title': 'Crypto.com Data Breach by Scattered Spider Hacking Group',
'type': ['Data Breach', 'Social Engineering', 'SIM-Swapping'],
'vulnerability_exploited': ['Human Error (Telecommunications Employee '
'Deception)',
'Lack of Multi-Factor Authentication (MFA) '
'Enforcement']}