Introduction
Crypto.com CEO Kris Marszalek has forcefully denied allegations that the cryptocurrency exchange failed to disclose a 2023 security incident, framing a recent Bloomberg investigation as misinformation. The public rebuttal comes amid a sharp downturn in the crypto market, with Crypto.com’s native CRO token plunging 10% as the controversy unfolded, highlighting the delicate interplay between security perceptions and market performance in the volatile digital asset space.
Key Points
- Bloomberg investigation alleged Crypto.com suffered a cyberattack where Scattered Spider hackers impersonated IT staff to phish employee credentials
- Marszalek claims full regulatory compliance was maintained, with incidents reported to regulators via the Nationwide Multistate Licensing System
- The security incident resulted in no customer fund exposure but involved a partial compromise of personal information for a limited number of users
The Allegations and the Rebuttal
A Bloomberg investigation alleged that Crypto.com quietly endured a cyberattack in 2023 linked to Scattered Spider, a hacking group known for sophisticated social engineering tactics. According to the report, members of the group impersonated the exchange’s internal IT staff, successfully tricking several employees into surrendering their login credentials. The attackers then allegedly attempted to use these credentials to gain escalated access to senior accounts, raising significant concerns about the platform’s internal security protocols. The report’s core criticism centered on a perceived lack of transparency, suggesting that one of the industry’s largest exchanges had not adequately disclosed the incident to its users or the public.
In a sharp rebuttal posted on social media platform X on September 22, CEO Kris Marszalek categorically rejected these claims. “Any suggestion that we did not report or disclose a security incident is completely unfounded,” Marszalek stated. He positioned the company as a fully regulated entity, emphasizing its obligation to report all incidents to relevant authorities. Marszalek accused Bloomberg of omitting this key fact from its story, claiming it “didn’t serve their narrative.” He detailed that the firm had filed a formal Notice of Data Security under the Nationwide Multistate Licensing System (NMLS) and submitted additional reports to regulators in all relevant jurisdictions, asserting full compliance with legal requirements.
Scope of the Incident and Security Posture
Marszalek provided specific details to downplay the severity of the event, characterizing it as a limited phishing campaign targeted at a single employee. He asserted that the threat was identified and neutralized within hours of its discovery. Crucially, he stated that no customer funds were exposed during the incident, a primary concern for any financial platform. The only compromise, according to the CEO, involved “partial personally identifiable information” belonging to a “limited number of users.” This framing was clearly intended to reassure the market and users that the breach was contained and did not represent a systemic failure.
Beyond addressing the immediate allegations, Marszalek used the opportunity to champion Crypto.com’s overall security infrastructure. He described the company’s systems as “battle tested and continuously improving,” pointing to a “security-first culture.” A key part of his defense was the claim that Crypto.com holds “the most security certifications of any company in our industry,” a statement aimed at bolstering confidence among investors and users who prioritize safety in the often-unregulated crypto landscape. This defensive posture underscores the critical importance of trust and reputation for exchanges operating with customer assets.
Market Impact and Broader Context
The controversy emerged alongside significant volatility in the broader cryptocurrency market. Data from CryptoSlate indicated that Crypto.com’s Cronos (CRO) token dropped approximately 10% in the 24 hours following the news, falling to around $0.20. This decline occurred as major cryptocurrencies like Bitcoin (BTC) and Ethereum (ETH) also experienced substantial tumbles, leading to roughly $1.7 billion in liquidations across various exchanges. While the CRO token’s drop mirrored the wider market weakness, the timing of the security allegations likely contributed to amplified selling pressure, demonstrating how negative news can exacerbate existing market downturns.
The incident places a renewed spotlight on the persistent cybersecurity threats facing cryptocurrency exchanges. Groups like Scattered Spider specialize in phishing and social engineering, exploiting human vulnerabilities rather than complex technical flaws. For regulated entities like Crypto.com, the episode also highlights the challenging balance between regulatory compliance, which may involve private reporting to authorities, and public transparency expectations. The conflicting narratives between the Bloomberg report and Marszalek’s response illustrate the ongoing tension between journalistic scrutiny and corporate crisis management in the rapidly evolving digital asset industry.
