Crypto.com, one of the world's largest cryptocurrency exchanges, reportedly suffered a security breach that it never disclosed to the public. According to a Bloomberg investigation, the attack was linked to Scattered Spider, a hacking group composed mainly of teenagers known for using social engineering tactics. The attackers posed as IT staff and convinced Crypto.com employees to surrender their login credentials.
Once inside the system, the hackers attempted to escalate their access by targeting senior staff accounts. Crypto.com confirmed the attack but claimed it only affected "a very small number of individuals" and emphasized that customer funds remained safe and untouched. The exchange has not revealed specific details about how the attack unfolded or its full scope.
Security experts and on-chain investigator ZachXBT have criticized Crypto.com for deliberately concealing the breach, noting this isn't the first time the platform has been linked to undisclosed security incidents. ZachXBT accused the exchange of covering up the breach to protect its reputation, reflecting wider industry frustration about exchanges that downplay security lapses.
The incident has reignited debates about exchange transparency and the risks associated with Know Your Customer (KYC) systems. Pseudonymous security researcher Pcaversaccio argued that KYC requirements create massive data honeypots for hackers, stating: "You can change a password easily, but not your passport." The concerns align with broader industry skepticism about regulatory frameworks, with Coinbase CEO Brian Armstrong having previously criticized outdated anti-money laundering rules that force companies to collect sensitive data against their will.