While renowned on-chain investigator ZachXBT claimed that Crypto.com covered up a security breach in 2023, the exchange’s CEO has denied this. What happened?
Crypto.com CEO denies ZachXBT’s allegations
On Sunday night, Kris Marszalek, CEO of Crypto.com, posted a tweet denying statements made by on-chain investigator ZachXBT, according to which the cryptocurrency exchange had sought to cover up a security incident:
Any suggestion that we failed to report or disclose a security incident is completely unfounded. As we reported in a data security incident notice to the NMLS [Nationwide Multi-State Licensing System and Registry, editor’s note] and in additional reports to the relevant regulatory authorities, we detected a phishing campaign targeting one of our employees in 2023. The incident was contained within hours, no customer funds were accessed or compromised, and it impacted an extremely limited amount of partially identifiable personal information of our users.
In this case, ZachXBT was responding ironically to a random tweet from Crypto.com, quoting a Bloomberg article published on Friday.
Also in comments under the same tweet, the on-chain investigator claims that the cryptocurrency exchange has faced security breaches “several times” in the past.
Whether or not the facts are true, Kris Marszalek’s intervention is likely to produce an effect comparable to the Streisand effect, since in this case, the Bloomberg article cited by ZachXBT only mentions “Crypto.com” twice, and both times in the same paragraph:
Together, Noah explains, they managed to access the account of an employee of Crypto.com, a crypto-trading platform. They also exploited a United Parcel Service Inc. system to collect the personal data of potential victims. (A spokesperson for Crypto.com said that the attack on its platform, which had not been reported in the media until now, involved information affecting “a very small number of people” and that there was no access to customer funds. UPS said in 2023 that it had resolved the issue; it declined to provide further details for this article.)
To understand what this is all about, the Noah in question is Noah Urban, a 20-year-old American who was sentenced to 10 years in prison on August 20 for his involvement in cybercrime with the hacker group Scattered Spider, as well as $13.4 million in compensation for his victims.
In this case, the individual, who was arrested in January 2024, was tried on charges of hacking against 13 companies, including Verizon, Riot Games, AT&T, and T-Mobile, among others. The article traces the cybercriminal career of Noah Urban, who also carried out numerous SIM swap attacks on cryptocurrency holders, without Crypto.com being mentioned anywhere other than in the above-mentioned paragraph.
