The cryptocurrency exchange Crypto.com failed to disclose a breach in which hackers accessed an employee’s account, according to Bloomberg.
The attack was orchestrated by teenager Noah Urban from the Scattered Spider group and his accomplice. They employed phishing techniques to obtain login credentials for the exchange employee’s account.
A representative from Crypto.com stated that the breach affected the personal data of “a very small number of individuals.” He assured that customer funds were not compromised.
The attack occurred in 2023. During a search, the FBI seized $4 million in cryptocurrency, cash, and jewellery from Urban. In January 2024, he was arrested on charges of hacking 13 companies. The hacker was later sentenced to 10 years in prison.
On-chain investigator ZachXBT criticized Crypto.com for concealing the data theft. He also noted that the exchange “has been breached several times.”
They’ve been breached several times https://t.co/ptAHq1ZTOG
— ZachXBT (@zachxbt) September 21, 2025
A platform representative told Cointelegraph that the company filed a notice of the incident with the U.S. licensing system NMLS and informed other regulators.
Crypto.com CEO Kris Marszalek described reports of concealing the breach as “misinformation from uninformed sources.”
I want to directly and clearly address some misinformation spreading from uninformed sources…
Any suggestion that we did not report or disclose a security incident is completely unfounded — as we reported in a NMLS Notice of Data Security incident filing and in additional…— Kris | Crypto.com (@kris) September 22, 2025
He confirmed that the company reported to U.S. and other relevant regulators.
In May, ZachXBT reported that within a week, attackers stole $45 million from Coinbase users using social engineering methods.
Later, the exchange announced that as a result of a data leak in December 2024, attackers obtained data from 69,461 customers.