A recent report has revealed a previously unreported breach at Crypto.com, one of the leading cryptocurrency platforms, attributed to the hacker collective known as Scattered Spider. According to information uncovered by Bloomberg, the incident affected a limited number of users but did not result in any loss of funds. The breach involved social-engineering tactics employed by an individual named Noah Urban, who gained unauthorized access to users’ financial information.
Shān Zhang, the chief information security officer at the blockchain security firm SlowMist, which conducted an audit of Crypto.com’s smart contracts and modules back in 2020, characterized the incident as a “small, internally controllable issue.” In a statement to Decrypt, Zhang asserted that the situation was resolved effectively a considerable time ago. Crypto.com CEO Kris Marszalek echoed this sentiment, stating that any allegations regarding the company’s failure to report the incident are “completely unfounded.” Marszalek highlighted that a phishing campaign targeting an employee was recorded and disclosed through a Notice of Data Security Incident filing and further reports to relevant regulatory bodies.
A spokesperson for Crypto.com later confirmed that the breach led to the exposure of limited personally identifiable information (PII) affecting only a small number of individuals. The company added that the breach was contained within hours of detection, emphasizing that no customer funds had been accessed or compromised.
Investigators traced the breach to Urban, a 20-year-old resident of Florida, who acted as a “caller” within Scattered Spider. He manipulated employees into divulging their credentials by impersonating others and exploiting stolen personal data, including details from a United Parcel Service database. With this access, Urban and his accomplices acquired sensitive user information. This breach was part of a larger scheme where Scattered Spider infiltrated over 200 businesses using varied tactics, including SIM-swapping and phishing campaigns targeting telecom providers, gaming studios, and retailers.
Urban was indicted in November 2023, along with four others, and subsequently pled guilty to charges of wire fraud and aggravated identity theft in April 2024. Legal proceedings resulted in authorities seizing approximately $4.8 million in cryptocurrency from Urban’s devices, with estimated losses stretching up to $25 million. The court ordered Urban to pay $13 million in restitution to over 30 victims. Recently, a U.S. District Judge handed down a 10-year prison sentence to Urban, along with additional supervised release following his incarceration.