322 comments

[ 11.3 ms ] story [ 298 ms ] thread
By the numbers, around $34 million in funds is affected, mostly Ethereum. They say in the press release that they prevented most of the unauthorized withdrawals and reimbursed the remainder, but it’s unclear how much they had to pay for reimbursements.

For context, this is the startup that has been using Matt Damon as it’s face.

Presumably they mostly stole ETH because tornado cash is the best mixer around to launder stolen funds
I assume they stole just anything they got.

I'd assume any attacker would at least transfer everything to a BTC/whatever address generated offline, then figure out later how to launder it.

I'd love to read more about these money laundering operations like Tornado Cash. Are they just straight up 100% fraud companies? Do they have any pretense of a legitimate use case or does everyone just understand they're used for criminal activity? Are they regulated at all? I assume you have to trust your magic beans to them at some point; do the money launderers sometimes just steal them? What do they charge for their service?
tornado.cash is a legitimate service, that happens to be used by hackers that steal ethereum.

Check out their code on github.

That's a pretty funny definition of "legitimate". By that standard, all of this malware is legitimate too! https://github.com/ytisf/theZoo
I'm sure someone can come up with some legitimate use for those. We came up with 'Linux isos' for torrents after all
How is it different from “TOR/some VPN is a legitimate service that happens to be used by some hackers to cover their tracks”?
How many legitimate uses can you name for TOR? And how many can you name for a money laundering service?
If you don't need financial privacy can you please post your bank statement here for everyone to see?
That's quite an evasion of the question. Yet more evidence that there's approximately no legitimate use.

But I'm on record as being in favor of full financial transparency for everybody. Every charge, every bank statement. Money, after all, is inherently social. And full transparency, while causing some problems, would eliminate a ton of others. So if you can get a legislator to submit a bill, I'll happy call them up to back it.

I wonder what percentage of their total volume it is that “happens” to be used by hackers.
People who are not criminals deserve transaction privacy, as well.
What would be the point of "transaction privacy"?
Odd statement. It is on par that all your bank statement should be public and easily viewable. It is on par saying that people do need digital privacy at all, as they have nothing to hide. And those are trying to hide are really 'bad people'. Monero/Zcash/Dash/Firo/etc are used by legitimate users to hide their transactions from public blockchain.
Your bank statement is not private, your bank has it. You can pay with cash, but the other customers can see you right there paying, so that's not private either. I understand the need for private communications, but private transactions don't seem to make a lot of sense.
Tornado Cash is a smart contract system that allows you to send fixed denominations of Ethereum, and receive a cryptographic "note" that allows someone who knows the note to withdraw the same amount of Ethereum from the smart contract.

Since zero-knowledge cryptography is used to ensure the generated note cannot be linked to the depositing transaction, it can be used to send money to yourself or another person without revealing the identity of the sender. There are criminal and non-criminal reasons to do this.

Because it is a smart contract system, you do not have to trust a person or organization with the money. You do have to trust the smart contracts defining the system are correct. The smart contracts are publicly available to read and have been reviewed by many people, including software audit organizations.

Interesting! I’m surprised the regulated exchanges don’t blacklist coins connected to that smartcontract because of the ease of facilitating laundering.
Since all crypto on smart contract platforms tumbles around in defi and the various decentralized exchanges all the time, this would effectively prevent anyone from depositing their crypto to those exchanges, which would make the exchange unusable.

To expand on that, say someone withdraws ETH from Tornado cash and purchases an NFT with it. The seller of the NFT then swaps their ETH for USDC on a decentralized exchange (the ETH then goes into a pool). Later, a liquidity provider to the ETH/USDC pool withdraws liquidity from that pool, and sends their ETH to an exchange, let's say Binance. If Binance blocked such deposits (and especially if they did so without refunding the user on-chain), no one would use Binance, and they'd also be the target of a lot of lawsuits.

It requires users to pay gas fees when making deposits, as well as for the services that "obfuscate" the withdrawals. Thats the payment. You trust that the nodes will obfuscate the transactions to receive the fees. The rest is basic smart contracts execution.

The compliance topic is tricky and deceptive. Only the user with a "Note" is able to link deposit and withdrawal. With this note the user can generate a proof of origin. This makes tornado cash compliant enough.

E.G. If the withdrawal address is under Money laundry suspicion, it may be urged to provide the origin of the transaction. That is possible [1] but there is no way of a 3rd party to Tag an account as "suspicious" based on the Tornado chain information (due to the obfuscation done by the Nodes that are getting the fees).

As far as I understand there is no accountability. The regulators would have to persecute all the nodes for helping out with the laundry. But there is no way for the nodes to know they're participating in laundry. So they cant be persecuted. Regulations needs to be invented for this kind of schema.

Please someone correct me if I said anything wrong. Im not an expert is just my conclusion based on some reading.

[1]: https://tornadocash.eth.link/compliance/

> For context, this is the startup that has been using Matt Damon as it’s face.

They're also notable lately for getting the naming rights to the (former) Staples Center.

> https://en.wikipedia.org/wiki/Crypto.com_Arena

I wouldn't call it a startup, it paid 700mil$ to rename an arena!
Technically, they agreed to pay $700M over 20 years for arena naming rights -- no idea what the deal actually looks like but if you flat-line it, they're "only" paying $35M/year. Which is still a ton of money but much more reasonable in terms of cash out the door for a startup.
I hope this doesn't mean we have to endure 20 years of this name on the nba court. With all this gambling (sports betting) sponsoring of the NBA and now these crypto sponsors, it really does look like the NBA has sold out (also new trikot sponsor deals). It's a shame how much they feast on hooking impressionable men on gambling. Actually, thinking about it, there should be more ads for f2p/mobile games, would fit perfectly in this portfolio. (sorry for this rant but it really disturbs me and I hope I'm not the only one)
You'll have to endure it if you believe that Crypto.com will exist 20 years from now. I'd bet even money they won't exist in 5 years and the court is renamed in ~3 years.

I mostly agree on the gambling front too - gambling was bad enough when you had to lure people to a casino but at least that gave them the excuse of "It's my form of entertainment, it's like going to a nightclub."

"The best minds of my generation are thinking about how to make people click ads" -- not any more! Now they're trying to find the shortest distance between users' wallets and their RSUs. On the plus side, they can use all of the targeting and persuasion techniques that have been used to make TikTok/Instagram so addictive on directly separating users from their money. Forget selling a product!

> I'd bet even money they won't exist in 5 years and the court is renamed in ~3 years.

For some historic context, Enron Field lasted two seasons and CMGI Field less than one, from what I can tell? I wonder who holds the record.

Sports business has always loved sports betting. What you are seeing now is relaxed regulation and new tech that routes around existing regulation.
Venture capital used to be about placing small, diverse bets on a lot promising startups - everybody in the process was trying to make the world a better place

Since about 2018, VC game changed - now it's about brazenly placing massive bets on a small set of startups of increasingly questionable utility, using the funds and clout to ram their way through into monopoly positions. Not a speck of morality involved anymore - and nobody is even trying to pretend otherwise

Public image hasn't yet caught up with this reality

It feels like a bubble to me. When I see Matt Damon shilling crypto, it reminds me of pets.com Superbowl ads. I think reality will catch up sooner or later.
I owned shares in a teak plantation in the late 1990s. We make mistakes when blinded by greed.
>everybody in the process was trying to make the world a better place

I think "everybody" here is a pretty substantial overstatement. Plenty of folks were just trying to make money, without much regard for whether it made the world better or worse.

CryptoPets.com incoming!
> everybody in the process was trying to make the world a better place

have you actually met any VCs?

I laughed out loud when I read that statement. Holy moly the delusion is strong.
we don’t know if CDC funding is VC
It's irrelevant what the funding comes from or how you define it. VC, PE and Hedge funds all have fairly loose definitions. But, someone is funding it because it sure ain't coming from profits.
Having been around on the first dotcom boom, renaming an arena is an extremely startup thing to do if you've raised a huge amount of money.
They took out huge ads in Vegas for re:invent. Personally that set my alarm bells off pretty badly.
Yeah, seeing huge marketing spend by an organisation that's not a massive brand with deep pockets always makes me wonder where the money is coming from
they are already making a huge amount from spread etc.
So does that make Crypto.com the equivalent of Teddy "KGB" and the $34 million a lot more stacks of high society?
(comment deleted)
MATT DAMON HOW COULD YOU DO THIS TO ME
It's funny how many comments are about Matt Damon. That must be a pretty sticky ad campaign. It's also bizarre that I never heard of them before this marketing blitz although they seemingly have enough cash to hire Matt Damon and buy naming rights to an NFL stadium. I guess all their budget went to marketing instead of hardening their platform.
The ad campaign is notable because, much like most Perfume ads, it's downright bizarre. The ad sells a concept extremely well and then makes the leap of a lifetime for the subject that is a crazy let down.

Edit: the funny thing for me is that if the ad ended with the SpaceX (or Boeing, or Northrop, or USAF) logo and gave the SpaceX employment site at the end, I'm sure it would be seen as one of the best ads of the last few years. The leap is what kills it.

I think you just described crypto currency;)

The community ethos and ideas seem pretty disconnected from what actually happens.

Sick and tired of the big banks? Why not put your money with people who are just as unethical, but also less competent?
It plays before every single movie in my local theatres. And every time there's at least several people booing it. It's kind of funny.
To be fair, a more honest ad wouldn't be as compelling: "Exchange your real money for online scrip because reasons!"
Exchange your real money for IOUs of online scrips

Remember, not your keys, not your coins!

>I guess all their budget went to marketing instead of hardening their platform.

That's par for the course in the cryptocurrency space. Why develop good technology with well-defined valuable use cases when you can hype your rocketship to the moon?

After Interstellar it is pretty clear that you shouldn't trust Matt Damon ;-)
Is Matt Damon the signal of Peak Crypto?
I guess fortune doesn't always favor the brave.
It does, there's just usually someone braver out there.
Brave enough to manage their own keys in this case
That depends on whether or not you consider stealing cryptocurrency to be brave.
That's the crypto.com marketing slogan which is spewed by Matt Damon in their commercials.
Exchanged are the weakest link in crypto. If anything can kill crypto, it will be due to the exchangers, from hacking to over regulation, etc.
Maybe, but I think you can make a case for the opposite too. Without exchanges, there'd be no crypto. Exchanges are the only reason 99% of people who have crypto can figure out how.
Especially with mobile devices taking over. An increasing number of people don't even have a laptop or desktop to hold a whole blockchain on. Even an iPhone 13 Pro with 1TB of storage would lose 10-20% of its space to that. That isn't going to improve. The more popular it gets, the faster it grows, and it would compete with all the other storage needs that also grow.

Get someone to load up and maintain a whole blockchain on their 1TB phone, and you lose them the moment they need more room for photos or offline synced music and files.

not sure about how big the ETH blockchain is, but the bitcoin blockchain fits in under 6GB if you enable prune mode. I still wouldn't run a full node on my phone, but disk space isn't the limiting factor.
Not everyone needs a full copy of the blockchain to run a node.

A pruned full node downloads and validated all blocks, then discard everything not relevant to its own wallet.

A variety of “light clients” are also available for most chains, which fetch transaction data from peers as needed (usually using something like bloom filters to increase privacy).

Most ethereum apps just go through Infura. That’s a horrible centralized single point of failure that I’m not advocating, but the point is there are many ways a wallet app can connect to a remote full node.

Agreed. And even if the storage issue isn't the main blocker, there's also energy usage, bandwidth, security and usability issues when it comes to phones.
It has been painfully admitted.

But you know what I am going to say if you're storing your crypto life-savings or JPEGs on an exchange:

   Not your keys, Not your coins and certainly not your NFTs.
I love hove cryptocurrency people are also discovering what we anti-cloud people have been shouting from the rooftops for years.
how do you think it was done. said 2fa was bypassed for some accounts. maybe some sort of client side exploit.
Seems really unlikely, but maybe someone guessed or discovered the keys? Would likely only happen if Crypto.com somehow was generating them insecurely or if someone had inside access to their systems or something. Maybe a leak?

Since it is across multiple currencies, I think it is unlikely it has to do with generation. Maybe could still be a leak or something.

If they had access to the private keys they wouldn't have to go through the crypto.com platform at all.

They'd just pop it in any wallet and sign withdrawal transactions.

There's no 2FA or whitelisted withdrawal addresses (for most tokens) or emails on-chain.

This, they don't say, maybe they don't even know, since:

> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

> 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect.

In practice, there’s often so much complexity that finding a path isn’t all that hard. Some examples:

- abuse the logic flow and simply don’t submit the 2FA step

- submit an empty 2FA token (I’ve seen it work)

- get a signed transaction from a legitimate transfer and replay it in a compromised account

- find the admin API that their help desk uses that doesn’t require 2FA

- brute force 2FA code. If you get 3x attempts at a 6-digit pin you have a 1/333,333 chance. Multiply by a few thousand accounts you can find reused creds for

- Find an API to abuse to disable 2FA (maybe via CSRF?)

- move the money into an account that doesn’t require 2FA (some kind of whitelisted arbitrage account maybe?) then cash out from there

- keep transfers under a 2FA threshold but then either script up the transfer to repeat or change the transfer amount after the threshold check has occurred

I could riff on for ages. Some more plausible than others. Some I’ve definitely seen (and used in legal testing)

> 2FA tokens for all users worldwide were subsequently revoked to ensure the new infrastructure was in effect. We have mandatory 2FA policies on both the frontend and backend to protect users during this revocation phase, as outflows such as withdrawals have a requirement to setup and use 2FA in order to withdraw.

How is this supposed to work? They revoked all of their 2FA for all accounts? Doesn't this just open them up to credential stuffing attacks? This is a really, really odd response to me. I can understand migrating to a new 2FA system, but they'd have to re-establish the chain-of-trust somehow. Are they just hoping that users don't have compromised email/SMS accounts in order to enable the new 2FA system?

I'm wondering if it's a badly-worded way of saying "anyone in the system gets kicked out and has to re-2FA".

If they literally removed 2FA from everyone, that's insane.

Pretty sure that's what they meant. They said "tokens."
yes, they literally logged everyone out, removed 2FA, and on the new login, users had to re-add 2FA
Wouldn't this also allow an attacker to add his own 2FA?
This is hilarious. This company is literally at the apex of the crypto industry and this is the kind of mistake they make. Yeah, immutable smart contracts written by their fellow proponents will also save the world lol
Calling crypto.com anything near "apex of the cryptocurrency industry" is a very broad lie. Crypto.com is for people who just "wanna invest in crypto and get rich", others who are actually involved in the space (developers, companies and others) are nowhere near crypto.com as they have proven time and time again they are not serious about anything, even the basics like security.
Aren't they one of the largest exchanges?

EDIT: They're #3 (bigger than Coinbase). Only OKX and Binance are bigger[1].

1. https://www.coingecko.com/en/exchanges

No!

Coinbase is a large exchange...

I don’t think that’s true..bigger than Binance? By what metric?
Coinbase doesn't have to be bigger than Binance to be "a large exchange" - we're not talking about "largest exchange" if you read the message.

It's definitely more established than crypto.com though.

Do you think crypto.com is larger than Binance?

Sorry completely misread, I thought you were saying it's the biggest
I would argue that by you giving the torch to crypto.com as the company that caters to casual users that "just wanna invest and get rich", it is indeed one of the apexes of the industry. A product successfully marketing a fringe and specialized technology to the average consumer is just that.
Is it? I'm not sure of numbers of total accounts but anyone who knows anything about crypto is suspicious of crypto.com as a platform and I don't know anyone who uses it when things like coinbase are available. They just bought an expensive URL and spammed a bunch of ads. If that makes them the apex of the industry I guess CALL THE GENERAL AND SAVE SOME TIME is the apex of the car insurance industry.
This is a common play in several industries. Art of Shaving markets itself well to casual people interested in traditional shaving products but they take regular products, mark them up by a lot, rebrand and then upsell. Nobody claims Art of Shaving is the apex of shaving. Best Buy does similar marketing in regard to electronics, but Best Buy certainly isn't the apex of electronics retailers. What makes you think cryptocurrency companies would be any different?
I would say Best Buy is an apex electronics retailer. Why wouldn't you?
Yes, but not the apex of the "electronics industry".
But that's not the industry he said.
I have an ex colleague working there as lead dev: knowing him, no, they re not at the apex lol
I'd say Coinbase is the company at the apex of the US cryptocurrency industry.

crypto.com is a two bit player in comparison.

Isn't this equivalent to saying the entire health industry is fake and untrustworthy because of Theranos? I don't it looks kind of same to me, and sounds absurd.
Crypto bros versus banks that have been doing this for a 100 years.
> This company is literally at the apex of the crypto industry

Cryptocurrency was not even supposed to have these pseudobanks called exchanges leading this space. It wasn't even supposed to be an "industry".

People were supposed to mine cryptocurrency on their own commodity hardware and use that to transact amongst themselves.

Almost like its core mission statement was only led by the voluntary virtuosity of its participants - and wasn't as novel as previously thought. Huh.
It's basically a digital gold standard and the gold standard hasn't lead to an enlightened society either.

"Insanity is doing the same thing over and over again and expecting different results."

For me there are really only two alternatives. Negative interest on cash or competition among currencies (free banking). All those people shouting that Bitcoin should become the global reserve currency don't actually understand that a global reserve currency is a terrible idea and are only in it for the money.

Doesn’t really matter if your 2FA keygen algo got completely compromised.
Of course it matters. Even if we assume someone figured out how to own the 2FA system, that knowledge doesn't magically make its way into the brain of every script kiddy capable of credential stuffing a login form. They're two totally different vectors with different surface area.
My thought is that it’s not really 2FA, and 2FA means temporary tokens, and there’s a method to gain entry with just login+token, e.g. via password reset.
You can just make up whatever factors.

If you want to deliver security then MFA is an interesting strategy that needs careful consideration and planning, you might end up building things like Security Keys so as to solve real threats. You might fix real problems (Google eliminated phishing) at your organisation.

But if your goal is to bamboozle fools into giving you their real money in exchange for Itchy and Scratchy money that you may or may not then "lose" then you don't need all that hard work. Take whatever nonsense you cobbled together and say it's "Two factor" because that means "good" to people who don't know any better.

> users had to re-add 2FA

And you are not asked to do this while logging in again. It is assumed you know why you have to reauthenticate and that you have to re-add 2FA in your app settings…

(comment deleted)
crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

But basically in this case, you didn't even need a password to log back in, it was just an email to click a link, then FaceId/PIN and logged in and prompt to re-add 2fa. The app must store the password itself somehow and auto use it.

Anyone know how the do auth on the app?

For users in the US there is no way to change the password, because the webapp (which might have that feature) is not allowed to be used from US.

Once I asked how to change password and support said I can change the PIN on phone and dont worry your funds are safe.

> crypto.com is a little mysterious when it comes to authentication honestly. I still have not understood it.

If you're speaking from experience as a user of their service, I strongly suggest that you use a different exchange. Gemini + Coinbase both have very easy-to-understand authentication systems. If you don't understand the authentication system, that's a good red-flag that you should take as a reason to move to a more trustable platform.

(Just my two cents, as someone who works on authentication system architecture design.)

Agreed. As someone who has integrated with dozens of crypto bank APIs, I can tell you Gemini's authentication and security is top notch (second only to Fireblocks)
(comment deleted)
Good point. Overall the user experience of crypto.com is really nice though.

I mean the app is tons better then Coinbase and I think a big reason that crypto.com is growing tremendously. Users like it.

From my experience as a user, you don't have a password. They log you in via an email link, you have a PIN, and you have 2FA.
> it was just an email to click a link,

An e-mail with a link to actually click? Does anyone else see those flashing red lights and hear that alarm klaxon? Please do me a favor and drop those assholes like a bad habit. They are going to cost you whatever assets of yours they have in their control.

The fight to teach users to not click links in emails had been lost, IME. And if forgot passwords can be resolved via an emailed one-time secret then email is effectively a skeleton key anyway.
Based on them saying they migrated to a new 2FA system, I think it's the latter - they disabled the current 2FA option and required everyone to register a new 2FA method.

> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

What are the odds they migrated to a new 2FA system in a few days without introducing new, serious bugs?
I use crypto.com and they removed 2FA from me earlier in the week, asking me to set it up again. It was worrying as I wasn't sure if it was a scam, there was no reasoning behind it.
That was exactly my question when I read this. How do they establish trust, when 2FA is revoked? How they prevent that the bad guy enables now 2FA and the god guy is locked out of his account?

May the god guy didn't get the message that Crypto.com had an issue, because s/he is unavailable.

My thought is maybe they didn’t really do 2FA, but exploited a password reset mechanism that only required 2FA?

IE: single factor resets, so a compromised “2FA” was actually keys to the kingdom?

But you’d think the attacker would need access to a user’s email or some such then.

Given that apparently their previous system simply allowed login/payments without the configured mandatory 2FA, per their statements about the root cause of the issue, this may have been a move of desperation...
Is anyone else getting the feeling from this press release that it seems they actually don't (yet?) know how their previous 2FA system was circumvented by the attackers?
yeah, the PR is totally unclear about how they got hacked, or if they even know
My exact thoughts, umm where is the root cause and explanation of the breach? They just reset 2FA as a reactionary measure. The attackers have compromised more than 2FA to be able to initiate withdrawals. This doesn’t add up.
If they knew, they'd share and talk about how they fixed it.

As a communications person, reading between the lines tell me they've got no idea what happened. Comforting!

Time to play the classic crypto exchange game: hack or exit scam? Disabling 2FA in this scenario is dumb enough to raise the question of malfeasance of the part of this theft.
Somehow I doubt a fraudulent company on the verge of an exit scam would spend $700 million to rename an arena right before pulling the plug. Incompetent? Probably. Fraudulent? Unlikely.

https://www.latimes.com/business/story/2021-11-16/crypto-sta...

The Houston Astros played at Enron Field until Enron was revealed to be a criminal enterprise and several of its leaders went to prison. The world has a short memory, it seems.
What OP was referring to was a take-the-money-and-run plan where the company knows ahead of time that the whole thing is going to explode and causes it to on purpose.

My understanding is that Enron's leaders were caught in fraud and that led to the collapse of the company—they weren't planning on it collapsing, so the investment actually made sense in that case.

No, that's normal pyramid scam behavior. I would say it was more likely that they were fraudulent if they were escalating their meaningless promo gestures to keep anybody from cracking as their scam gets too big to keep together. The bigger the risk, the bigger the colorful gesture.

I'm imagining it as '$700 million IN CRYPTO, which is of course better than money'. For a name: which could easily be restored if it turns out the payment is worthless. But that's just my fantasy of how this might have gone on.

If it's $700 million in real money that only underscores how desperate they are to make some colorful gesture.

Even your basic Ponzi schemes often involved generous and public philanthropic gifts even as the scheme was falling apart behind the scenes, just to maintain the public image.
Or rather, the scheme was being what it naturally was. Falling apart implies that there's a together for it to be, behind the scenes.

When it's designed from the start to be an expanding shell powered by new belief coming in, the philanthropy and big gestures are core to the nature of what it is.

Back in the day I read an old book by Harvey Mackay (iirc), one of those business-guy self-help books, and he had a chapter called never buy anything big in a room where there is a chandelier. :D The point being, it's normal for scamsters to influence people by making their pitch in a place all decked out to look like the most wealthy, influential place you could imagine, and there'd be a chandelier because it would look like everybody was rich. And so, never buy anything big in a room with a chandelier, because it probably meant you were being ripped off.

All this predates crypto by a loooooong way. There's nothing really new. Maybe back in the days of travelling traders on camels it was, never buy a camel in a room with a carpet that's bigger than the camel is :)

Crypto.com is built on a huge marketing facade. Keeping that facade up until the moment the rug is pulled is the main part of the scam.
Maybe one employee decided to schedule an earlier exit without informing their co-conspirators.
Not quite the same scale but the whole Color World 76ers thing is kind of in the same bucket?
From the article:

> No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed.

Reminder that cliches are cliche for a reason: not your keys, not your crypto
Its cliche, but it doesn’t really mean that crypto.com or any other crypto exchange isn’t on the hook for stolen funds.

Crypto doesn’t mean regulation doesn’t apply or that companies are free from liability.

Obviously you can’t squeeze blood from a stone if someone were to steal most of the funds from a crypto exchange (Mt. Gox comes to mind)

But in the real world, if you use a crypto exchange in a reasonable location (e.g. US exchange adhering to US laws) then small thefts like this are going to be reimbursed one way or another.

Now if the entire exchange and their cold wallets were stolen somehow, it would be game over.

So in the real world when using a regulated crypto exchange, what's the point of a blockchain other than asset speculation (which can also be done through traditional trading instruments at this point)?
You could argue that it allows people to send funds in ways that are faster than some other current options.

But that’s about it. It’s basically another game to play with new financial assets printed out of thin air.

When you think about it, liquidity is the source of speculation.

This is because liquidity is the ability to quickly trade your thing for other things. Lending money via a certificate of deposit reduces liquidity because you are locking up your funds. Lending via demand deposits increases liquidity because the original deposit and the loan are both available to be spent immediately. Spending money on physical things is very time consuming. First you must pick what you want to buy among billions of product choices that are available to you. Even if you buy something, it takes time to drive to the store or for it to be delivered. The real world is quite illiquid which means that fiat currency is less volatile and has greater stability than Bitcoin.

Now there are two exceptions. Trading money vs financial assets and money vs other money. In the financial sector you are trading liquidity for liquidity. Buying an iPhone and selling it takes time. Buying Bitcoin and selling it does not. It can happen as quickly as technology allows it. This inevitably leads to speculation because it is possible to instantly react to any other transaction. Someone buys Bitcoin? Buy more! Someone sells Bitcoin? Sell!

To be more specific, the problem isn't liquidity itself but excessive amounts of liquidity that go way beyond what the real economy needs. This is a huge problem with fiat currency but it's also a problem with Bitcoin because the "Bitcoin economy" is absolutely tiny.

Good question. I only wanna add that traditional trading instruments suck and are not fun to scale. Highly centralized points of failure with truly mind numbing consequences that are difficult to predict and respond to. I've worked on forex systems and when the feeds get iffy things get real uncomfortable, real fast.

Blockchains could, maybe, provide an interesting global platform for fintech to migrate cross-border stuff to. That stuff is not reliable, the engineers are just hella talented

It similar to what SWIFT is to banking system.
You need to send money to the hackers who ransomware'd your network. They don't accept SWIFT.
They also said they've reimbursed all funds. So if you were hacked personally, you would be out money here, vs keeping it on their exchange where you would be made whole again.
That's not a fair comparison though. An exchange is a fat, juicy target. I am not
Yes, and apparently this allowed all those attacked not to lose a single penny.
And thank god for that. Very happy to be a luddite with have exposure to the rise in crypto prices without the risk of getting it stolen.
How did they check if a withdrawal was unauthorized (real) or not? What if I did a withdrawal, say it was unauthorized, and claim the money (and also have the crypto in a different wallet)?
I'm guessing any withdrawal that was done while using an exploit to bypass 2FA could be called unauthorized in this case
I guess they know which accounts circumvented their previous 2FA implementation.
I'm not sure but I suggest they use some sort of distributed crypto solution to resolve such issues.
This is why CRO requires 24 hours whitelist before you can transact withdrawals...
Understandable yet totally absurd. Can you imagine if your bank had the same requirement?
Depends on my bank.

I’ve got long term investment accounts that I hardly touch … I would have no problem with such a rule/ extra validation of any moves of money.

Granted crypto.com might not be / want to operate like that.

I would actually love such a feature, especially in a brokerage context.
At least one US investment banks I've used require a waiting period before transacting with a newly added account/routing number for wires/ACH. I've even got calls from customer service manually confirming transfers/withdrawals if it's a new account or one that's been unused for a long period of time.

That said, there is no waiting period on me withdrawing from my checking account.

Maybe it shouldn't be mandatory, but it might be a nice (default) option to have.
They certainly have similar requirements. ACH transfers take days, wire transfers require you to jump through verification hoops, ATMs have low daily limits.
That happens if you let startups operate like a big bank without all the SecOps
So is starting a crypto exchange how many large crypto holders plan to cash out?
Thank goodness it's decentralized and there are no single points of failure.
I'm guessing this is sarcasm? crypto.com is very very far from a single point of failure.
They might be alluding to the removal of centralized authorities that would have otherwise been able to get that money back.
The allude from my naive point of view is that n_time thinks we're lucky the network is decentralized and that users are spread out over various wallet software and services, so the impact of the issue was only related to a sub-section of the network as a whole. But I might just misunderstand the sarcasm or something.
Well, traditional banking is much more decentralized in this sense, as there are many more banks than crypto exchanges, and the vast majority offer payment apps etc.
I assumed it's sarcastic, the point is even if the network is decentralized in practice people use centralized services.
How is this a single point of failure? The issue was limited to a subset of users keeping funds in a Crypto.com wallet.

Unless by "it" you mean crypto.com and not Ethereum. Crypto.com is not decentralized.

It is the implementation.

I believe in bitcoin, works well and I don't blame the consumer for the producer's problems when it comes to power.

But exchanges have become a key part of the implementation.

That's not the real issue though. The issue is the _need_ for exchanges. They provide a host of services, mostly all of which are antithetical to the loftier ideals espoused by bitcoin.

Too many crypto fans waltz passed this glaringly obvious issue and these kinds of stories will never go away as a result.

If banks get hacked, nobody blames the internet. "a small sub section of the system" applies as aptly to the blockchain as it does the global financial system, and I'm pretty confident being a locally popular trading commodity amongst edge communities is not the central goal for bitcoin

> and I'm pretty confident being a locally popular trading commodity amongst edge communities is not the central goal for bitcoin

Given the transaction fees needed for a distributed-enough network, and the bureaucracy needed when trading, it is not very useful as a currency, at least not for small payments, excluding Lightning.

So it's a commodity.

Excluding lightning and layer 2 solutions like rollups. Why would you make those exclusions though?
The reason is they are not yet accepted in many places, though in fairness, they seem to grow a lot.
And I think that's exactly the point. Cryptocurrency promoters endlessly talk up how it's part of a decentralized wave of the future. But in practice it's quite centralized, and the incentives point in that direction for the future. That's one of the points made very well recently by Moxie Marlinspike: https://moxie.org/2022/01/07/web3-first-impressions.html
It’s not centralized though, crypto.com is one of many exchanges. Anybody can create an exchange, and a failure in one exchange doesn’t propagate to the rest of the network.

Do you consider a website breaking a single point of failure for the internet?

The original vision of Bitcoin was "a peer-to-peer electronic cash system" "allowing any two willing parties to transact directly with each other without the need for a trusted third party". So yes, something like crypto.com represents significant centralization.
Crypto.com and its customers are willing parties who can transact with each other using this system, I'm not sure what your point is. The problem here is that one party trusted another party to hold on to their funds, and the holding party lost the funds. How is that an indictment of the protocol itself?

Or put another way, how does Crypto.com and other centralized systems prevent me from using Bitcoin the "right" way?

It’s not an indictment of the protocol, so much as it is saying that the protocol is too low-level for average users and therefore centralized players (like Coinbase) tend to step in and provide the desired service.
I'm not sure, is the x86 instruction set too low level? Yes if you expect users to interact with it directly, but not for user facing products to be built on top of.

You can point to centralized products built on top of blockchain, but also decentralized ones.

Yet the popular ones are centralized, no?
Uniswap is one of the biggest exchanges and is fully decentralized. Things are trending that way.
Trending? Really?
Yes. A few years ago decentralized exchanges did not exist, now one of the largest exchanges is fully decentralized..Obviously simple payments could always be made in a decentralized way but creating actual applications wasn't possible until recently.
An important difference being that nobody ever expected users to use the x86 instruction set directly. Whereas the very clear initial expectation for Bitcoin was that it was an actual currency used for transactions by end users.
On what part of the stack exactly? Are they crafting RPC requests to a BTC node manually? Using wallet software? Using more advanced wallet software with social recovery features and named addresses?

I think you may be forgetting, earlier users of computers were using punchcards..

Are you... asking me to explain what the Bitcoin folks were thinking when they claimed they were creating a viable peer-to-peer electronic cash system? Sorry, you'll have to ask them that. About 80% of what cryptocurrency advocates claim to believe seems unrealistic to me. But given that they published that paper in 2008, I suspect punch cards were not what they had in mind.
Did you read the Marlinspike post? I think he's pretty clear on the issues.

But in brief my point is that as with internet itself, a protocol that allows for decentralization is not sufficient for something to be truly decentralized. Despite the vast amounts of hype about the decentralization of cryptocurrency and "web3", in practice we are seeing that it's tending toward centralization. Which personally I don't care about except the extent to which I still have to listen to the hype that has less and less connection to the practical reality.

It’s not centralized though, chase.com is one of many banks. Anybody can create a bank, and a failure in one bank doesn’t propagate to the rest of the market.
Yup, in that sense banks are decentralized in a way..although there is a bank called the "central bank" that creates the base monetary supply, so not sure I totally agree with the comparison..

But yes, I would agree that banks are about as decentralized as crypto exchanges. But that's kind of the point, you shouldn't conflate exchanges (or banks) with the currency itself.

But crypto is decentralized? This Crypto.com security issue is wholly unrelated to how blockchain technology works...
It’s objectively dumb to look at a service provider and conflate that with what the proponents are talking about.

Have you considered that you are in the wrong decade? Its year .. 13..? Its time to be up to speed on this.

If you run into a proponent that is also conflating these things you should simply correct them about the difference between onchain activities and third party centralized service providers, which means educating yourself first.

The only reason the hacker gets to keep the funds and have no civil or criminal liability is because of them using the actual decentralized rails and uncensorable contracts such as Tornado.cash

I agree. Imagine if a centralized system was compromised and every single account holder was at risk. Instead there is only a small sub-section of accounts that were vulnerable, thank goodness for that.
Why shouldn't I work for Crypto.com ? That’s a tough one but I'll take a shot. -- Will from Good Will Hunting
"How do you like them apples?" will be the Crypto.com response to anyone that lost their money.
I assume they have SMS as a 2FA option and that was the weak link?
> SMS as a 2FA option

I hope not, if that is true.

The year is 2022 and companies managing >$100B in assets are STILL using SMS 2FA for protecting their life savings, despite SIM hijacking and SIM swapping still about.

Quite pathetic really.

These companies want more cash heavy users. Like those older than 50.

There is absolutely no way my parents could figure out 2fa in any way other than phone call/sms. They would be cutting out the less technical crowd, which is exactly who they're trying to convince to buy in

It's one thing to offer SMS in addition to other 2FA options. It's completely another when SMS is the only 2FA option at these institutions. See also: Canadian banks (at least the ones that even support 2FA of any kind).
> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

That isn't the technical solution I was looking for...

I am a cyber security consultant for startups. The first thing that I communicate is that just by not being in crypto you have drastically lowered your risk profile.

Attackers care a lot about what they can get to if they are able to breach your security.

How many startups do you talk to that are "on the fence" with somehow using crypto in their product? Seems pretty core to what the company would be doing.
I dunno, I've seen a lot of mentions of different companies trying to stuff crypto/blockchain in to seem trendy and marketable when it's clear that there's absolutely nothing crypto/blockchain brings to that use case.

(In fact, I have yet to see a single genuine use case for cryptocurrencies or blockchain that aren't served at least as well by more proven technologies, aside from "separating money from fools" and "making libertarians/anarchocapitalists squee".)

Eh, yes of course, what are you saying really? Is there some deeper point I miss?

Just like finance companies have a different risk profile than companies generating bingo cards, crypto companies have different risk profiles than other non-financial ones. Are people arguing that this is not true or something?

People generally don't understand how vast the difference is. The pro crypto narrative has pushed the idea that "Blockchain is more secure" because "it cannot be edited" when in reality that feature makes it much more of a target for attackers because once they transfer the coins the transfer cannot be edited. In comparison if an attacker gets a credit card that card could be disabled and or have transactions cancelled.
> In comparison if an attacker gets a credit card that card could be disabled and or have transactions cancelled.

That's why attackers never go after credit card numbers, right?

I think non-revertible payments do not really make a big difference to attackers, it just makes value extraction more efficient. Some percentage of fraudulent transactions will always make it through. So long as the funds accessible to the attacker are sufficiently large, it's still a juicy target. 10% of 200 megadollars is still 20 megadollars.

I agree with @capableweb2. They're an attractive target because they are a financial company with control over lots of value, not because of anything to do with cryptocurrencies in particular.

No they go after crypto bros because hacking banks is actually hard unlike these shady clowns based in Dubai or whatever.
Crypto companies have a different risk profile than most finance companies.

For most finance companies, if they have a whoopsie and lose money to a software boo-boo, they'll just reverse the transaction. Times when such a transaction cannot be reversed (https://www.bloomberg.com/news/articles/2021-03-19/citigroup...) are the extremely rare exception, and are adjudicated by a civil court.

Whereas if a crypto company has their wallets breached, it's almost certainly immediately irreversible.

I do a bit of the same and this seems to be a silly thing to communicate as part of a security audit. Ok, step 1 SMB insurance company paying me to audit - by not being in Afghanistan, you have a severely reduced risk of business invasion and extortion. Seems like a really wonky way to communicate a risk profile and first-exposure to security professionals by a SMB. Plenty of SMBs with janky POS systems get pretty nasty PII attacks.
I'm advising people at the executive level. They do not care about the details of hashing PII, they want to know how likely it is that they will be targeted and how likely that attack is to succeed. And the fact is that an insurance company gets targeted far less often than crypto companies.
Is that true? Are there metrics of how many attacks are completed on an SMB that does and does not have crypto? And how is it known that those with crypto are suddenly easier targets than those without it?

Edit: For the downvotes, if this is such an obvious question then be proactive and share the metrics - I'm skeptical this is the case but happy to be proved wrong.

It's a good question. Crypto companies aren't a monolith, but using crypto as a comparison to an SMB, and in this case sounds like SMB==startup, then requires some nuance if you want facts behind that claim.

SMB vs. web3/Defi, 30 person teams, no security engineers? The web3 company probably is a lot more vulnerable.

SMB/startup vs. generic crypto exchange like Poloniex? This gets harder to parse. Poloniex gets the malicious traffic and has a pretty small security team I think. But, they and companies similar are a tech company in the cloud and with a solid infra engineering team and leveraging AWS tooling, it's not like they're totally exposed. The SMB/startup has none of this, so arguably they are a similar risk profile in surprising ways, or maybe even more exposed than the exchange.

SMB/startup vs. a Tier 1 exchange like Coinbase? Very silly comparison, CB has a pretty large security team, knows their stuff, etc. etc, very good track record until very recently, and as a industry group the Tier 1 exchanges do well on the security front.

Compare this to the SMB instances of malware sitting on a Point-of-sale system for months/years until it gets discovered? Family dentists getting ransomwared fairly consistently? The retail/SMB space is a bit of a security nightmare. For someone building a product here and is able to sell the "so what" of it to a dentist, there's opportunity. If SMB == startup, well that's likely a startup with 10 hires, extremely product focused, especially with fintech integrations, and presumably a lot of PII as an insurance fintech? If a consultant isn't explaining the fairly large inherent risks there for the SMB/startup and using crypto as a comparison of something worse, that's wonky to me.

That must be my mistake... I only ever advise companies on the parking level.
You can probably trust startup executives with digesting nuanced security advice; again I do similar consulting. It's also a fact that insurance companies are targeted less than <a lot of things>.

If you're auditing startup insurance fintechs in that case, the PII they have and platform exposure to all the APIs they are pulling from or pushing too (a) looks a lot like a crypto company spanning web2/web3, and (b) puts them square in the target of software supply chain hacks. An attacker cares about <insurance startup>, but they do care about attacking the Equifax API that the insurance startup has an integration with. Excluding the crypto companies that do their own custody or run their own smart contracts, their risk profile and why ends up looking a lot like the fintech insurance startup haha.

and then you follow that with “If you care about non-dilutive capital and making a ton of money for yourself you should pivot your startup to crypto”
So their backend allowed withdrawal transactions without 2FA control. Not a good sign for a system that should thrive on secure transactions.

Ethereum seems to be the token most prized during a breach, most likely to be used on tornado.cash.

Cheers

It's almost like we need a centralized authority that can undo these withdrawals and a know your customer paper trail.
Funny that, ain't it? Perhaps we could Automate it. It'd be like.. a house for clearing transactions.

Nah... Probably never catch on.

> In an abundance of caution, we revamped and migrated to a completely new 2FA infrastructure.

Can someone setup, test and rollout a _completely new_ authentication system in 3 days?

Unless they were working on this already for other reasons, I imagine a lot of corners were cut to make it happen so quickly. We might be hearing from crypto.com again soon.
It seems to me that while banning crypto by western governments is politically untenable, a better way would be to have their security services keep hacking it to make it unattractive
(comment deleted)
Why would they not be doing both, if getting replaced as a money standard by an anarchist cybercurrency was an existential threat to these western governments?
(comment deleted)
...It's totally politically tenable if it's nigh impossible to wrangle necks to wring to hold service providers accountable. What? Do you think Principles of System Architecture are completely absent in the public space?

Why do you think everything tends to centralize? To keep things localizable.

...Until that backfires anyway. Thank you 2008.

(comment deleted)
> On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user. This triggered an immediate response from multiple teams to assess the impact.

I sometimes find it hard to believe these statements, but I guess I can only take them at face value.

Which seems more likely, that these "risk monitoring systems" actually caught this, or that they were inundated by sudden urgent calls from the 483 users saying "DUDE WTF WHERE'S MY MONEY?".

Responding to escalations from customer support is a risk monitoring system, just not a very good one.
Worse, many companies can't even do that reliably.
(comment deleted)
> Which seems more likely, that these "risk monitoring systems" actually caught this, or that they were inundated by sudden urgent calls from the 483 users saying "DUDE WTF WHERE'S MY MONEY?".

For better or for worse, a lot of insight can be gained from a sudden influx of tickets from normally-quiet users, all with the same general story. This is definitely how many critical bugs in production are caught, because even a small number of disparate users that suddenly write in about the same issue is a huge red flag.

But, most likely, they have metrics on average withdrawal amounts, deposit amounts, etc., hooked up to something like datadog, with an off-the-shelf anomaly detection monitor.

> But, most likely, they have metrics on average withdrawal amounts, deposit amounts, etc., hooked up to something like datadog, with an off-the-shelf anomaly detection monitor.

How are we estimating the likelihood here? I agree that would be desirable. I agree a very together company might have something like that. But given the average level of competence and professionalism in the cryptocurrency sector [1], I would not bet against EMM_386's theory in this case.

[1] See, e.g., https://web3isgoinggreat.com/ or https://bravenewcoin.com/insights/36-bitcoin-exchanges-that-...

Massive uptick in customer support tickets is technically a monitoring system. Just a highly reactionary one.
> detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user.

How am I supposed to read it: is it a 2FA compromise (attacker replaced 2FA codes with their own) or 2FA bypass (attacker found a way to conduct a transaction bypassing a need for 2FA)? These are two very different scenarios.

> sudden urgent calls from the 483 users

This may be their only risk monitoring system. I’ve seen many DR plans that had this kind of detail written up in “consultant speak” with a straight face. Where they would detect server crashes by users calling them and their systematic method to failover was to manually rebuild.

(comment deleted)
If it's true, there's this funny situation where the exchange/banking software didn't require 2FA to withdraw funds, BUT their monitoring noticed this situation.

So their monitoring is smarter than their main application? Wow, just wow.

What is the robbery of a CEX compared to the founding of a CEX?
The Worldwide Account Protection Program seems to be a way for Crypto.com to limit their exposure, while marketing it as "protection" for the customers.

Around $34million stolen, 483 users affected. If the funds were spread evenly, then each user would have lost about $71k. But the funds won't be evenly spread (average). It's likely some users will have lost much more, and some much less.

From the announcement, it looks like Crypto.com is making the users whole again;

> No customers experienced a loss of funds.

This means that (in some cases) Crypto.com was on the hook for much more than $71k / user. The WAPP appears to put a series of conditions on the user, and introduce an upper limit to the amount that Crypto.com will return in the future.

> WAPP restores funds up to USD$250,000 for qualified users; terms & conditions apply.

> Enable Multi-Factor Authentication (MFA) on all transaction types where MFA is currently available,

> Set up an anti-phishing code at least 21 days prior to the reported unauthorized transaction,

> Not be using jailbroken devices,

> File a police report and provide a copy of it to Crypto.com; and

> Complete a questionnaire to support a forensic investigation.

This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.

And so what are we going to do as a society with these stolen funds? Playing a wallet mixing tracking game is a rat race and a waste of energy, otherwise we need a centralized system [on an immutable blockchain] to keep track of stolen funds, to then cross-reference every transaction with at point of sale/transfer - to then prevent it, no?

If not a centralized solution like above then what? We just allow stolen funds to be used now or any point in the future, rewarding criminal behaviour?

There's no centralized system to track stolen dollars (at least not in the sense you're talking about), so I don't know why crypto would necessarily need one.
Doesn't the USD have a unique serial number associated with each bill? I'm sure when banks make in-transport transfers between entities, they know exactly which series they are transporting, and if a robbery happen, they share those series that got stolen with the police. If the police makes some unrelated arrest and find a bunch of bills, they can probably trivially look up if that money have been involved in anything before that.
Doesn't some federal law enforcement agency track serial numbers of stolen cash? Or have I been watching too many crime dramas?
Look up "anti-money laundering".
Didn't they say that 443 BTC was stolen? Isn't that around $200MM all by itself? Or did I miss a part of this?
$20MM
That's what I get for doing math in my head quickly.
I think you’re right, mostly. As a user I’d like to know explicitly what my risk factor is.

Any exchange or custodian has a non zero chance of getting hacked or inside-jobbed; unlike fiat currencies there is no judicial process that is going to maybe let me claw my stuff back.

A sort of fdic insurance for custodian crypto accounts, is an inevitable market solution.

>From the announcement, it looks like Crypto.com is making the users whole again;

>> No customers experienced a loss of funds.

Let's believe that when we hear someone other than the company saying it.

> File a police report and provide a copy of it to Crypto.com

Yeah, I'm sure tons of crypto holders will get right on that.

> This looks more like a mechanism to limit Crypto.com's exposure to future events than it does a policy to protect users.

That's fine. It lays out the risk exposure in concrete terms and defining their market offering. If you use a jailbroken device, or have more than $250K in funds, or are holding crypto for illegal purposes, don't put it in Crypto.com. Same as FDIC insured savings accounts that are limited to $250K.

> No customers experienced a loss of funds.

I mean, there's still plenty of money in other people's accounts they can use to cover the losses.

Does anybody know whether the regulatory regime they operate under is sound? If a US bank lost this kind of customer money in a theft, I'd have some confidence that the the FDIC and the Federal Reserve would make sure they actually had all the money they were claiming they had. But personally I'd hate to bank purely on the internal controls of a Singaporean subsidiary of a Maltese company.

Please explain how they can use the money from other people account to cover the losses. If i had a account there, i wouldn't allow them to use my money to cover this.
Easy: imagine one of the poor sobs decides to withdraw, hop a bit of creative accounting and your money is borrowed to pay for the withdrawal.

It s not each of the user individually seeing their balance go down, it s the company lying even more about its ability to liquidate all accounts.

Your number on their html page they graciously present to you will go unchanged. It s not a new phenomenon, every bank does it, except crypto.com does it to pay losses for a theft while banks would do it to lend to a baker buying a bakery on mortgage. If said baker screws up and cant repay, and many more others as well, clients cant all withdraw the pretty number.

Another interesting difference is that a bank pays you for lending to them with your savings account, at market rate (very low these days), while I dont think crypto ponzis do because you re suppose to just wait and moon.

Also, banks are insured by the government (FDIC) and heavily regulated to reduce the risk of failure. Crypto exchanges are not, which is why they seem to fail about as often as a 19th century bank would.
Being insured by the gov for up to a certain amount will not solve the default issue (this is what crypto.com is pretending with their eerily similar worldwide protection thing), it was made to save poor people from complete ruin, not protect your savings.

If you re retiring and expect the bank to be good on a million $ worth of some sort of instrument, you're fucked minus 250k.

And this is totally fine: you re compensated for a low risk of default when you lend to your "savings account" and must accept this could happen. There s no way to make money waiting doing nothing risklessly. Creeptards know that well, they all in on wind, there s no worse risk.

Banks pay out losses from the profits generated by other account holders all the time. Just gotta hope their losses never exceed their profits.
That's touchingly innocent.

As an example, take Bernie Madoff. He took in people's cash and then sent them regular statements about how much money they had. But they were just statements doctored to look good. When some people withdrew money, he just gave them money that was handy. At some point, the difference between the numbers on the statements and the actual assets was over $50 billion. More details here: https://en.wikipedia.org/wiki/Madoff_investment_scandal

None of the Madoff investors "allowed" it. I don't know anything about Crypto.com, but the same thing is surely happening with other "crypto" companies. It doesn't even have to be malice; often a failure starts out with some event like a sudden loss to theft. Insiders believe they can make the money back, so they just keep on operating and hope nobody notices.

This opportunity for divergence between reported and actual funds is one of the big reasons US banks are highly regulated. The FDIC is on the hook for large sums in the event of failures, so they're quite vigorous in making making sure that doesn't happen too often.

Like tether swears All the money is in their accounts..
Ever heard of Mt. Gox?
This is exactly what Bitfinex did back in 2016. They were 'hacked' for $72M, or about 36% of their assets at the time. They logged in, and removed 36% of everyone's account balances and replaced them with IOU tokens. [1] In fact it was believed that Coinbase was a Bitfinex customer at that time - and that they were one of the few accounts not actually given a haircut because I assume their lawyers mumbled something about 'fraudulent conversion.' [2]

[1] https://www.reuters.com/article/us-bitfinex-hacked-hongkong/...

[2] https://definitions.uslegal.com/f/fraudulent-conversion

This... Is literally how banks work.
Banks do not work this way. Banks have insurance policies, both private and federal, that would cover the losses.
> Banks do not work this way

Yes, they do.

> Banks have insurance policies, both private and federal, that would cover the losses.

The federal insurance policy covers you if, after operating this way (or for some other reason) the bank ends up without money to cover your account (and, the regulation that comes with the insurance means that it's more likely that the Federal government will force the sale of your bank to one that does have extra money to cover your account even before that happens.)

But banks still operate as described (and using some of their pool of assets to buy private insurance is functionally the same as just adjusting the balances of people it is compensating for losses and increasing risk to others by doing so, except it smooths things a bit over time at the expense of higher average cost.)

Banks do not take money from other accounts to cover operating losses, lol, thats almost certainly several crimes. [citation needed].

> But banks still operate as described (and using some of their pool of assets to buy private insurance is functionally the same as just adjusting the balances of people it is compensating for losses and increasing risk to others by doing so, except it smooths things a bit over time at the expense of higher average cost.)

It's really not. Customer deposits are segregated from the operating accounts in accordance with applicable law. You're not suggesting they're taking payroll out of customer deposits are you?

> Banks do not take money from other accounts to cover operating losses

Banks don't keep money segregated in accounts.

Banks have reserves, and accounts basically record the right of people to draw money.

When they cover a fraud loss from one account by increasing the balance for that account to make the owner whole, they are doing exactly what crypto.com would be doing. Neither involves taking balances from others accounts, but both increase the risk of inability to cover accounts (including those of other people) as a result. Now, yes, banks provide consumers with more protection against the risk this creates, and are regulated in ways which make them less likely to do it to an extent which would create as much risk as a hype driven crypto exchange in the first place, but in terms of the basic mechanics, it is not any different than what has been suggested.

The model of money actually being held segregated in an account works for things like lawyers holding client funds and a very few other specific things, but it doesn't really capture what goes on with banks at all.

Banks might be protected under some federal legislation, but overall it doesn't really make much sense for any sizeable bank to insure themselves with some other party. For any non-rare event it's much easier to just keep some emergency money at hand. The only thing it'd make sense to insure themselves against are large scale damages that exceed the amount they can reasonably write off, but if the damages exceed the amount of funds a bank has readily available then there's little chance anyone else can cough up that amount of money other than the government.
> If i had a account there, i wouldn't allow them to use my money to cover this.

They're...not going to ask your permission?

If you have an account there, they have a large central pile of assets, and a database row saying that you are entitled to X amount of those assets. Someone else has a database row saying that they are entitled to Y amount of those assets.

If someone breaks into the other account, and makes an illicit transfer, then Y goes down and the central pile of assets goes down. If crypto.com makes the other account whole, they simply increase Y back to the original amount. But the central pile of assets hasn't gone up accordingly. They just used "your money" to cover this, and they don't ask you for permission.

When you go to them later and say: "I want to withdraw my X somewhere else", they might say: "I'm sorry, we don't have X right now". That's a run on the bank.

Fortunately, we have protections around specific institutions to prevent these kinds of situations. Capitalization requirements, FDIC, etc. Unfortunately, if you have an account with crypto.com, none of those protections exist for you. You're banking on them having the funds when you ask to withdraw them.

> Please explain how they can use the money from other people account to cover the losses.

Once it enters their hands, the money isn't really “from” a particular account in any tangible way.

> If i had a account there, i wouldn't allow them to use my money to cover this.

An account is just a record of funds to which you are entitled; there are certain types of relations where someone keeping money for you legally needs to keep it segregated from other funds of theirs, but crypto.com doesn't have that kind of relationship with account holders. If they don't provide you with your funds when you ask, you can try legal action to recover it, but you don't have a veto on whether they update the entry recording someone else's balance to make them whole after a hack, even if that increases the risk that they won't have your money when you want to withdraw it.

This was the path Mt Gox went after they were hacked. Didn't work out so well for them in the end.
You're aware your bank (not crypto bank, just Bank of America or whatever competitor) uses your money to invest and doesn't just keep in into a vault, right?
> Not be using jailbroken devices

So does a normal PC count as a jailbroken device? If not, what makes having root access on a phone any different?

Sure but exchanges have their own treasury, they make alotttt of money

Why lead with the ponzi assumption? There are so many more quantifiable assumptions