A Bloomberg investigation reveals that Crypto.com, one of the leading cryptocurrency exchanges globally, endured a security breach that was never publicly acknowledged.
The report associates the incident with Scattered Spider, a hacking group known for employing social engineering tactics to target businesses. This group primarily consists of teenagers skilled in deceiving employees into revealing their credentials.
As reported by Bloomberg, the attackers masqueraded as IT personnel and convinced unnamed Crypto.com employees to provide login credentials. After gaining access, they aimed to escalate their privileges by targeting accounts of senior staff members.
In response, Crypto.com stated to Bloomberg that only “a very small number of individuals” were affected and reassured that customer funds were not compromised.
As of the publication date, the firm has not provided any further details regarding the incident.
Security experts have voiced concerns that the exchange’s failure to disclose the breach undermines trust in its security protocols.
They contend that not sharing information on the incident leaves users uncertain about the exposure level and susceptible to potential follow-up attacks.
This concern is amplified by the fact that Coinbase previously experienced a similar breach, resulting in over $300 million in customer losses annually.
On-chain investigator ZachXBT accused Crypto.com of intentionally concealing the breach and highlighted that this is not the first time the platform has been associated with undisclosed security issues.
His remarks reflect a broader industry frustration toward exchanges that downplay breaches to protect their reputations.
The incident has also reignited criticism regarding the industry’s dependency on Know Your Customer (KYC) protocols.
Pseudonymous security researcher Pcaversaccio sharply criticized the situation, arguing that KYC mandates create significant data targets for hackers.
“You can change a password easily, but _not_ your passport and they f#cking know it well. We’re basically the collateral in their surveillance racket,” the researcher stated.
This sentiment resonates with growing skepticism in the industry regarding regulatory systems.
Earlier this year, Coinbase CEO Brian Armstrong criticized the Bank Secrecy Act and current anti-money laundering regulations as outdated and ineffective.
He said that companies are compelled to gather sensitive information against their wishes, asserting that these requirements do little to deter crime despite the burden they impose on both companies and customers.
“We don’t want to collect it, and our customers hate it. We are being forced to collect it against our will. And it’s not even effective at stopping crime, if you look at the data behind it,” Armstrong said.