Crypto.com team ‘covered up a breach’ – Scattered Spider breach, revealed!

Key Takeaways

Were Crypto.com customer funds affected?

No, Crypto.com confirmed that no customer funds were accessed or at risk. Only a very small number of users’ partial personal information was affected.

Did Crypto.com disclose the breach publicly?

No, the company did not publicly notify the impacted users, which drew criticism from blockchain investigator ZachXBT.

Crypto.com reportedly suffered a previously undisclosed data breach linked to the Scattered Spider hacking group, raising concerns over its security posture.

Details of the attack

According to a Bloomberg investigation, the attack involved teenage hackers, including 18-year-old Noah Urban from Florida, who specialized in phishing employees at telecom, tech, and cryptocurrency firms.

Urban and his collaborators accessed sensitive user information. The group previously targeted MGM Resorts and other corporations.

Crypto.com acknowledged that the breach impacted “a very small number of individuals” but emphasized that no customer funds were compromised.

Crypto.com’s response

Despite this, the company did not notify the affected users publicly.

Remarking on the same, Crypto.com CEO, Kris Marszalek, noted, 

“Any suggestion that we did not report or disclose a security incident is completely unfounded – as we reported in a NMLS Notice of Data Security incident filing and in additional reports with the relevant jurisdictional regulators, we detected a phishing campaign that targeted one of our employees in 2023.”

Marszalek stated that the incident was contained within hours, with no customer funds ever at risk, and only a very limited number of users’ partial personal information was affected.

He even emphasized the company’s “security-first” culture.

What does ZachXBT have to say about this breach?

However, blockchain investigator ZachXBT took to X to call out Crypto.com for not disclosing the data breach. He said,

“Your team covered up a breach that impacted the personal information of your users.”

He added, 

“They’ve been breached several times.”

That being said, the Crypto.com breach was part of a larger criminal campaign orchestrated by the Scattered Spider group, which had evolved from simple SIM-swapping to sophisticated corporate infiltration.

Florida native Noah Urban, then a teenager, acted as a “caller” inside the group, persuading employees to hand over credentials that unlocked internal systems.

Broader criminal campaign

The attack happened before March 2023. Urban was arrested nine months later, in January 2024, and charged with hacking 13 companies.

Authorities said the group also misused United Parcel Service data.

Following indictments of Urban and four accomplices, he pled guilty to wire fraud and aggravated identity theft.

It resulted in the seizure of $4.8 million in crypto, $13 million in restitution, and a 10-year prison sentence with additional supervised release.

All these disclosures coincided with CEO Marszalek’s predictions of a strong fourth-quarter performance and a partnership with Yorkville Acquisition Corp. and Trump Media to form Trump Media Group CRO Strategy, Inc., a digital asset treasury focused on acquiring Cronos (CRO).