According to Bloomberg, members of the group impersonated the exchange’s internal IT staff and convinced several workers to share their login details.
The attackers allegedly attempted to escalate their access with those credentials by targeting senior accounts.
The report argued that Crypto.com did not adequately disclose the incident, drawing criticism from security experts over transparency at one of the industry’s largest exchanges.
“We are a regulated business and are required to report all incidents to our respective regulators which is exactly what we did. Bloomberg knew this and omitted it from the story, as it didn’t serve their narrative.”
According to Marszalek, the firm had filed a Notice of Data Security under the Nationwide Multistate Licensing System and submitted additional reports to regulators in relevant jurisdictions.
Marszalek explained that the incident stemmed from a phishing campaign aimed at one employee and was neutralized within hours. He said no customer funds were exposed, and the only compromise involved partial personally identifiable information belonging to a limited number of users.
He added:
“Our systems are battle tested and continuously improving – we’re proud of our security-first culture and having the most security certifications of any company in our industry.”