Another episode of "Not your keys, not your Coins"

[PX-Z]

This is all about the Crypto.com recent hacked^[1], though the news mentioned of the steps of securities added to the exchange, yet it doesn't mentions if the users that were affected are refunded/compensated. This is why "not your keys not your coins" always matter^[2].

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

[1] https://cointelegraph.com/news/crypto-com-finally-speaks-out-483-user-accounts-compromised
[2] https://notyourkeys.org/

[1715236935]

1715236935

[1715236935]

1715236935

[passwordnow]

yet it doesn't mentions if the users that were affected are refunded/compensated.

They did a refund.

The popular exchange hasn't revealed how customer funds were stolen, but it has refunded the losses.

They're a big exchange and they for sure have saved a huge fund for something like this.

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

It's always good to remind everyone especially the newbies that are saving their funds and assets into an exchange. In times that a hack happens, they never know if the exchange is going to be responsible for refunding them.

[cryptoaddictchie]

It's always good to remind everyone especially the newbies that are saving their funds and assets into an exchange. In times that a hack happens, they never know if the exchange is going to be responsible for refunding them.

Actually this ia true. But for some reason those have been compromised like binance, kucoin, and crypto.com so far refunded what was stolen that means they are pretty established to have backed up funds for incidents like these. However users must be cautious and only store amount you think you can tolerate when gone and something goes wrong on a centralized platform.

[tranthidung]

They did a refund.

Refund or compensate for users is good response. It can help them to get reputation in terms of customer service. Regarding to sercurity, they have to improve.

This hack is another reminder for people who leave their coins on centralized exchanges with belief that exchanges have good security and will protect fund of customers well enough.

Most of times, they do it well but you can not know when a hack occurs, it is a time you store your coins on it or not. You also don't know whether they will do compensation or not.

So just in case and to be safe, don't store your coins on any platform on which you don't own your private keys. To be safest, use non-custodial wallets with which only you own your private keys.

Many hacked or scam exchanges in graveyards: Exchange Graveyard

Thanks Pmalek for the correction. It's my typo.

[PX-Z]

yet it doesn't mentions if the users that were affected are refunded/compensated.

They did a refund.

Good thing if it's the case, either way, it doesn't change the fact that even as secured and as big as this exchange is still can be breached.

Having an insurance for lost funds cannot be used as excuse in the future to let them say that "We're trusted and fully funded crypto exchange, so come use our service". Decentralized exchanges should improve and be normalize in crypto space.

[Pmalek]

This hack is another reminder for people who leave their coins on decentralized exchanges with belief that exchanges have good security and will protect fund of customers well enough.

I am sure you were thinking of one thing but wrote something completely different. Just for clarity, you were probably trying to warn users against leaving their coins on centralized exchanges. 

I find this part of the announcement the most worrying:

On Monday, at around 12:46 am UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the two-factor authentication (2FA) control being entered by the user, according to the official document.

The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security-hardening measures that required everyone to relog in and reactivate their 2FA token before allowing only authorized action, as detailed in the statement.

I am not sure if this means that the hackers found a way around the 2FA system and emptied user accounts even if they had 2FA activated. That would then explain why they introduced an additional security layer. Or that only those accounts without 2FA were compromised. How did you understand it?

[PX-Z]

I find this part of the announcement the most worrying:

On Monday, at around 12:46 am UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the two-factor authentication (2FA) control being entered by the user, according to the official document.

The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security-hardening measures that required everyone to relog in and reactivate their 2FA token before allowing only authorized action, as detailed in the statement.

I am not sure if this means that the hackers found a way around the 2FA system and emptied user accounts even if they had 2FA activated. That would then explain why they introduced an additional security layer. Or that only those accounts without 2FA were compromised. How did you understand it?

There's no specifics of this, there's also no statement on their end the specifics of how attackers pulled off the breach. I only guess that it could be a flaw something on their 2fa system on how they implemented it.

I see no github issue of related to 2fa regarding this too.

[passwordnow]

Actually this ia true. But for some reason those have been compromised like binance, kucoin, and crypto.com so far refunded what was stolen that means they are pretty established to have backed up funds for incidents like these. However users must be cautious and only store amount you think you can tolerate when gone and something goes wrong on a centralized platform.

Yes, it's like part of their plan b if ever they're compromised and that's why they've handled this well but hopefully, to strengthen their security is what they should aim for. They are for sure have their budget for everything but they just can't avail to get hacked again and refund another batch of affected users if it ever happens again.

They did a refund.

Refund or compensate for users is good response. It can help them to get reputation in terms of customer service. Regarding to sercurity, they have to improve.

This hack is another reminder for people who leave their coins on centralized exchanges with belief that exchanges have good security and will protect fund of customers well enough.

I agree about their security, it is what it is and after experiencing a hack, they're for sure not going to compromise their exchange by not focusing of increasing their budget for it.

Good thing if it's the case, either way, it doesn't change the fact that even as secured and as big as this exchange is still can be breached.

There's always the case of updates for their security and that's why maintaining and improving it continuously is a must when you run a big business such as a crypto exchange. I'm sure they'll be hiring more people just to focus on it.

Having an insurance for lost funds cannot be used as excuse in the future to let them say that "We're trusted and fully funded crypto exchange, so come use our service". Decentralized exchanges should improve and be normalize in crypto space.

It adds confidence to the users but they just can't tell that from time to time. Prevention is still better than what we're thinking from those words.

It's always good to remind everyone especially the newbies that are saving their funds and assets into an exchange. In times that a hack happens, they never know if the exchange is going to be responsible for refunding them.

Even if the exchange refund, sometimes you'll need to perform certain procedure and wait for some time. It could be problem if you're in dire need of money.

I agree, there's the process for refunding and if you're one of the affected users, you have no choice but to wait for their assessment and full refund.

[Pmalek]

It should be the former since they bother revoked all customer 2FA token which force user to waste their time.

Hopefully, they will figure out what caused it. Being able to circumvent 2FA security isn't nice to read. Makes you question some of your own setups where 2FA is used. If it's something else than a SIM swap attack, then what could it be? 

[Darker45]

According to various sources, affected users were refunded. It seems these news are true. So far, I haven’t heard of complaints coming from the victims that they have not received refunds. And I think the damage was not that huge. Crypto.com could easily handle the amount. They are a huge exchange, after all. Moreover, failing or a delay of a refund could only increase the damage as it will surely cause a backlash of their users. A quick refund will speak of their efficiency, though. So far it seems Crypto.com has properly managed the aftermath of the incident.

However, the point is not whether the users were refunded or not. It was that there was a successful security breach which resulted to the loss of funds. Not to mention that Crypto.com is certainly not an easy target. So this is indeed another strong reminder that for as long as your money is in a centralized exchange, no amount of security measures would guarantee you 100% that your funds are safe.

[The Cryptovator]

Nothing new. It will happen and we have to use them as well. But should be careful and do not hold their unnecessary funds that haven't been used for trade. This type of hacking will never stop unless some security features couldn't be broken by hackers. But we know it's quite impossible. Due to lack of Liquidity, we can't trade on Dex and high fees as well. So by force, we need to use Cex. But the best practice is to move your assets on the non-custodial wallet. For example, currently, many people avoid trade due to the red market, so it's better to move funds from the exchange to the wallet. It would reduce the risk.

[o_e_l_e_o]

If it's something else than a SIM swap attack, then what could it be?

Faulty implementation, poor coding, buggy systems, and so forth. There is no system or piece of software in existence which is invulnerable to some form of hack or attack. Most exchanges aren't developing their own security systems, but rather using third party implementations for their back end, their password databases, their 2FA, their KYC processes, and so on, and then cobbling them all together, hoping they've implemented them all properly, and hoping they haven't introduced any critical vulnerabilities in the process. In this case they failed.

The bottom line is that we have no idea about the security of any centralized exchange, and anyone using them has to trust them completely. Even the big ones such as crypto.com have critical vulnerabilities in their code.

And in worse case, it's possible they didn't have enough reserve fund so you must be content with multiple partial refund.

Or worst case, they go bankrupt and you lose everything.

[PX-Z]

Nothing new. It will happen and we have to use them as well.

Nah, people should be very cautious and be knowledgeable time after time when such incidents happened. Crypto.com has lots of services to be used such as their card so using such platform cost a lot, I mean it needs to have some xxxx balance that you can say it's not that huge but it's enough amount.

This type of hacking will never stop unless some security features couldn't be broken by hackers. But we know it's quite impossible

Security codes/integrations/practices are designed against vulnerabilities and attacks, it just that the implementations of these are poorly implemented on their system and that's why this usually happens.

[BernyJB]

Security codes are, at best, temporary fixes in an endless battle.
Personally, I think it's lame that crypto.com denied the hack,  even when everybody knew about it, and were providing numbers as to its extent. It's great they refunded people, but in a market in which confidence is of utmost importance, I don't see the advantage of such a position.

I do think it's great to remind everybody to keep control over their assets. But, on the other hand, if you're trading, for example, you need to keep your coins in the exchange. I'd be very wary of having a single penny in an exchange that, if something happens, chooses to bury its head in the sand and act like everything's cool.

[examplens]

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

from this, it might be inferred that decentralised platforms, where users control their keys, are safe?
I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

[PX-Z]

This is another reminder to everyone whether you're a newbie or not, that using platforms such exchanges which the users doesn't have full control of their assets always have the risk of getting robbed, either the platform refunded it, worst if not.

from this, it might be inferred that decentralised platforms, where users control their keys, are safe?
I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

As far as I remember, the etherdelta hacked was still caused of their user's actions, the hacked was comparable to phishing using the original website where users redirected to the fake website using the original.
Yes, their users have full control to their keys yet their actions cause the lost of their own funds.

Having full control of your funds has lots of responsibilities since you will stand as your own bank, by means of fully control of it, it's not just storing it on your secured device, it is paired by the user's actions.
 
Yes, storing it on secured device it means the funds were safe, not until the owner make an action like opening it on a website, addons/plugin, etc.

[sheenshane]

That's right, nothing new here and it was expected that if the exchange has been hacked, the percentage of having a refund is very small if it's the platform is a big exchange platform.  Just like Binance exchange that has a SAFU, it's possible that they will refund all their customers once they get hacked?

The "Not your key and your coins" is the golden law in crypto, we should always apply this law if we have a crypto asset and when we did trade in any exchange platform don't leave any fund to them.  It's not an ideal decision to leave your crypto in any centralized exchange platform because it's very risky. The possible hack will occur at anytime and I think that's a part of a risk in the world of crypto.

[o_e_l_e_o]

I remember etherdelta DEX exchange, where people still have control over their keys and funds, but they were still compromised and many users were left without money.

As far as I remember, the etherdelta hacked was still caused of their user's actions, the hacked was comparable to phishing using the original website where users redirected to the fake website using the original.

This is correct. You can read more here: https://www.zdnet.com/article/exclusive-talktalk-hacker-also-breached-etherdelta-cryptocurrency-exchange/

Essentially the CEO's personal details were used to gain access to EtherDelta's admin account and Cloudflare account, and then redirect all traffic to a malicious clone of the website. When users then entered their private keys (since that is the ridiculous way in which EtherDelta works), the malicious site sent them off to the attacker and their funds were stolen.

Further, EtherDelta isn't really decentralized at all. How can a decentralized exchange have a CEO? Why does it need users to enter their private keys?

[examplens]

That's right, nothing new here and it was expected that if the exchange has been hacked, the percentage of having a refund is very small if it's the platform is a big exchange platform.  Just like Binance exchange that has a SAFU, it's possible that they will refund all their customers once they get hacked?

that in theory there is a basis for such thinking, big exchange will refund his customers. But in reality, did you hear about Mt.Gox? Big exchange, safu blah blah... it is of little use to aggrieved users (I am one of them  )

This is correct. You can read more here: https://www.zdnet.com/article/exclusive-talktalk-hacker-also-breached-etherdelta-cryptocurrency-exchange/

Essentially the CEO's personal details were used to gain access to EtherDelta's admin account and Cloudflare account, and then redirect all traffic to a malicious clone of the website. When users then entered their private keys (since that is the ridiculous way in which EtherDelta works), the malicious site sent them off to the attacker and their funds were stolen.

Further, EtherDelta isn't really decentralized at all. How can a decentralized exchange have a CEO? Why does it need users to enter their private keys?

the bottom line is that it is an equally high risk, no matter if "your keys, your coins".
If we talk about dex exchanges, Isn't it necessary to send funds to the trading account so, even you hold your keys, your coins can be robbed if a hack happened.

[o_e_l_e_o]

If we talk about dex exchanges, Isn't it necessary to send funds to the trading account so, even you hold your keys, your coins can be robbed if a hack happened.

Depends on the DEX. The trouble is that there are a lot of exchanges which use the word decentralized simply as a marketing gimmick when they are actually nothing of the short (such as EtherDelta as we just discussed). Just because the exchange doesn't fulfill your orders and pairs you up with other users does not automatically mean they are decentralized, but unfortunately a lot of users don't understand this. If you have to deposit your coins to an address or wallet which the exchange controls, then that exchange is not decentralized. It's really as simple as that. If the exchange can hold complete control over your coins, then all control is centralized with them.

With a truly decentralized exchanges such as Bisq, your coins are only sent to an escrow address. The escrow address is a 2-of-2 multi-sig address between you and the person you are trading with. Bisq have no control over the address. This is a truly decentralized model.