Crypto.com dismisses the possibility of a hidden breach: according to the company, there was a social engineering campaign in 2023.

Crypto.com and the alleged data breach: timeline, notifications, what’s missing

Crypto.com dismisses the hypothesis of a hidden breach: according to the company, in 2023 there was a social engineering campaign targeting an employee, contained within a few hours and with limited impact on personal data. Doubts remain about documents, timelines, and officially communicated numbers.

What Happened: Accusations and Denials Compared

A member of the Scattered Spider group, cited by Bloomberg, claims to have gained access to an internal account of Crypto.com between the end of 2022 and the beginning of 2023.

On-chain investigator ZachXBT then echoed the allegations on X, stating that Crypto.com allegedly covered up a personal data leak, adding that the company had been “breached several times.”

Crypto.com categorically denies having concealed the incident. In a statement, a spokesperson confirmed that the company detected a social engineering incident targeting an employee in 2023, contained it within a few hours, and issued a “Notice of Data Security Incident” through the reporting system of the Nationwide Multistate Licensing System (NMLS) and to other relevant authorities in the United States.

According to data collected by industry analysts who have examined public timelines and on-chain posts, temporal discrepancies emerge between the claims of the accusers and the regulatory filings reported by the company.

Analysts also note that, in the absence of verifiable links to the filings, it is impossible to confirm the exact number of people affected by the potential exposure.

What is confirmed (company)

  • Vector: targeted social engineering attack on an employee (2023).
  • Containment: incident neutralized within a few hours of detection.
  • Impact: exposure of personal data “limited” to a very small number of individuals.
  • Funds: no access or risk to clients’ funds.
  • Notifications: submission of reports through the appropriate regulatory channels, including filing in the NMLS system.

What is contested (accusations)

  • Scope of access: the accusations allege a broader and repeated intrusion.
  • Transparency: alleged lack of communication towards the public and clients.
  • Numbers: lack of official figures regarding the number of individuals and the types of data involved.

Timeline: from social engineering to regulatory filings

  1. End of 2022 / beginning of 2023 — According to the allegations, access to an internal account occurred during this period.
  2. 2023 — Crypto.com detects the social engineering incident and contains it within a few hours, with no impact on customer funds.
  3. 2023 — The company files a “Notice of Data Security Incident” in the NMLS system and communicates it to other relevant authorities.
  4. 2025 — The case returns to public attention after being shared on X and receiving new media coverage, reigniting the debate on transparency.

Impact: which data would have been exposed

Crypto.com speaks of a “limited” exposure of PII (personally identifiable information) for a very small number of individuals, without providing precise details on the categories of data affected (e.g., email, phone numbers, addresses, or documents).

The absence of official numbers and of a detailed list of the data involved fuels criticism of the company's communication. Analysts point out that the definition of “few” users can vary significantly: for a company with millions of customers, even hundreds of accounts involved represent a significant case.

Where are the documents: sources, posts, and statements

  • Bloomberg — Reported statements attributed to a member of Scattered Spider.
  • Cointelegraph — Published the official position of Crypto.com and the reference to the regulatory filing.
  • Post on X by ZachXBT — He reiterated the accusations, raising the issue of transparency.
  • Post on X by CEO Kris Marszalek — He described the accusations as “disinformation” and reiterated the sending of regulatory notifications.
  • NMLS (homepage) — Crypto.com refers to a “Notice of Data Security Incident” in the Nationwide Multistate Licensing System; the direct link to the filing is not publicly available.

Why Transparency is Being Discussed

In the US financial sector, state laws on data breach notification and regulatory requirements mandate timely communication of security incidents.

In this context, without accessible documents and a complete incident report, customer trust relies primarily on the company’s statements and independent verification of the facts.

Social engineering cases are among the most frequent: Verizon's Data Breach Investigations Report (DBIR) highlights how the human factor is involved in the majority of incidents (in recent reports, the indicated percentage is around 68%).

Guidelines for incident management and regulatory notifications recommend documented processes and clear reporting times, as indicated in the best practices published in NIST SP 800-61.

The incident highlights a particularly sensitive issue for exchanges: how to communicate a limited impact incident without causing alarm, especially when timing and numbers are not yet fully defined?

  1. Multi-factor authentication: enable and verify the TOTP app; avoid relying solely on SMS.
  2. Password: change it if not updated since 2023; use a password manager and unique credentials.
  3. Phishing alert: be wary of suspicious emails or links that request data submission; always check the domain and message headers.
  4. Account monitoring: regularly check logins and authorized devices.
  5. Notifications: check your inbox and the app for any official communications regarding the incident.

FAQ

Did the company hide the incident?

Crypto.com says it did not, reiterating that it filed the “Notice of Data Security Incident” in the NMLS system and reported the incident to the relevant authorities. The accusers argue the opposite, demanding greater transparency and the publication of additional documents.

How many users are involved and what data?

A precise number has not been disclosed. The company mentions a limited impact with PII exposure for “few” users, without providing a detailed list of the categories of data affected.

Were the clients’ funds at risk?

According to the official version from Crypto.com, customer funds were never accessed and were never at risk.

Some regulatory filings, such as those related to the NMLS, are not public or appear on portals with limited access, so a direct verifiable link is not available at the moment.

The overview, in summary

The case unfolds between accusations of a more extensive internal breach and the official denials from Crypto.com. Without access to complete public documents and verifiable figures, the debate remains open. Transparency on the timing and impact of the incident will be crucial in defining the matter.

Source note: a publicly verifiable link to the alleged “Notice of Data Security Incident” on NMLS is not available; the indications are based on company statements and coverage by Bloomberg
