Crypto.com, a major crypto platform, was reportedly breached by members of a hacker collective called Scattered Spider.
The incident, however, was allegedly “previously unreported,” per a Bloomberg report on Sunday.
What happened was “a small, internally controllable issue,” Shān Zhang, chief information security officer at blockchain security firm Slowmist, which audited the crypto platform’s smart contracts and modules in 2020, told Decrypt, adding that it “was properly resolved a long time ago,” pointing to Crypto.com CEO Kris Marszalek’s statement issued Sunday evening.
“Any suggestion that we did not report or disclose a security incident is completely unfounded,” Marszalek stated on X. “We reported in a NMLS Notice of Data Security incident filing and in additional reports with the relevant jurisdictional regulators, we detected a phishing campaign that targeted one of our employees in 2023.”
Responding separately to Decrypt, a Crypto.com spokesperson added via email that the incident “included exposure of limited PII (Personally Identifiable Information) data affecting a very small number of individuals,” with the breach “contained within hours of detection, and no customer funds were accessed or ever at risk.”
Investigation into the incident traced the breach to Noah Urban, a Florida teenager who acted as a “caller” inside Scattered Spider, persuading employees to hand over credentials that unlocked internal systems.
Urban and his accomplices reportedly gained access to Crypto.com by impersonating staff and leveraging stolen personal data, including records pulled from a United Parcel Service database.
Once inside, the group was able to gather sensitive user information. The episode was part of a broader spree that saw Scattered Spider infiltrate more than 200 companies, with tactics ranging from SIM-swapping to phishing campaigns that compromised telecom providers, gaming studios, and retailers.
Urban, now 20, was indicted alongside four others in November last year. He pled guilty in April this year to wire fraud and aggravated identity theft, court documents confirm.
Authorities later seized some $4.8 million in crypto from Urban’s devices, with estimated losses of up to $25 million, and ordered $13 million in restitution to more than 30 out of at least 59 victims across the U.S.
Last month, a U.S. District Judge sentenced Urban to 10 years in prison, with additional supervised release.
