Crypto.com at the center of scandal over 2023 data leak

A storm is brewing for Crypto.com after a 2023 personal data leak resurfaced, traced to a phishing attack on an employee. The exchange says funds were not affected, but questions about the scale of the leak and the timeliness of notification remain open.
The uproar began after Bloomberg published a major piece last Friday about teenage hacker Noah Urban from the Scattered Spider group. Readers were shocked to learn that over two years ago, the attackers tricked an employee into granting access to an internal account, which exposed the personal data of some clients.

Within a few hours, the story spread across industry media and social networks, fueling outrage. The breach did not affect wallets; instead, it exposed names, phone numbers, contacts, and other sensitive user data.

Amid the backlash, on-chain researcher ZachXBT revived his earlier criticisms of the exchange and accused it of a cover-up.
Such accusations carry weight, especially after a summer of phishing attacks and leaked databases across the industry. As a result, many opinion leaders weighed in on the scandal, blaming not only the exchange but also the KYC system, calling it "the biggest f*cking scam of them all."

Crypto.com has pushed back with a very different account. The company says the incident occurred long ago, was quickly contained, affected “very few” users, and did not compromise client funds. It also claims regulators in the U.S. and other jurisdictions were immediately notified through the NMLS system (Nationwide Multistate Licensing System).

CEO Kris Marszalek took to X to urge against spreading myths and stated that Crypto.com "has the most security certifications of any company in the industry."
Another detail in the scandal has emerged: it turns out that in March 2025, the SEC closed its investigation into the exchange without any enforcement action. This may not be directly tied to the leak, but it feeds into the broader question of trust.

In the end, there is still no public evidence that affected users were notified promptly and directly. The number of accounts at risk also remains unclear. These gaps continue to fuel debate — with the company insisting “we reported it properly,” while critics ask, “why are we only hearing about this now?”

The uproar is unlikely to end here. More media investigations, formal disclosures, and clarification of the leak’s scale are likely to follow.

For the market, this is yet another reminder: even if the money is safe, reputational damage is far harder to repair. Exchanges will need to communicate more openly, or risk having others do it for them.