Crypto.com Data Leak Debate Raises Transparency Concerns

- Crypto.com denies hiding a 2023 phishing breach, says it filed reports with regulators.
- Bloomberg and ZachXBT raised concerns about disclosure, fueling debate over transparency.
- Global breach laws differ, leaving exchanges balancing compliance, risk, and public trust.
Concerns about cybersecurity and disclosure have resurfaced after reports of the Crypto.com breach. The exchange is facing questions about a 2023 phishing attack that allegedly exposed user data. Reports from Bloomberg and blockchain investigator ZachXBT suggest the incident raises broader concerns about disclosure, regulation, and user trust in crypto exchanges. The exchange has denied hiding the breach, insisting it filed reports with regulators. However, the lack of clarity on user notification has sparked debate.
Report and Exchange Response
According to Bloomberg, a member of Scattered Spider, a hacking group known for phishing attacks, compromised an employee account at Crypto.com in 2023. The breach reportedly leaked the personal data of a small number of users. The report quickly spread online. ZachXBT claimed the company had “covered up” the breach and suggested this was not an isolated event.
Crypto.com responded by rejecting the claims. CEO Kris Marszalek called the allegations “misinformation from uninformed sources” in a public statement. He said the company made a “Notice of Data Security Incident filing” through the Nationwide Multistate Licensing System in the United States. He also said additional reports were filed with relevant regulators in other jurisdictions.
The company confirmed the attack but said it was limited. It described the incident as a phishing campaign targeting an employee. Partial personally identifiable information of a small number of individuals was exposed. No customer funds were accessed. The incident, according to the company, was contained within hours.
Questions About Disclosure Standards
The controversy is less about the phishing attack itself and more about how the exchange handled disclosure. Crypto.com insisted that it had met its legal obligations by reporting to regulators, but has not confirmed whether affected users were directly notified.
This disparity reflects the differences in global disclosure requirements. In the U.S., breach-reporting regulations are state-specific. In the European Union, the General Data Protection Regulation (GDPR) requires companies to notify government officials within 72 hours, while Asian jurisdictions have varied reporting standards.
Security experts say this patchwork of regulations leaves room for exchanges to comply with the law without necessarily disclosing an incident publicly. Companies may weigh reputational risk and market stability before deciding how much information to disclose.
ZachXBT and other critics argue that this undermines user trust. They believe transparency is essential, particularly when personal data is involved. The situation recalls concerns earlier this year when Coinbase disclosed a major customer data breach.
Industry researchers warn that withholding details may also create risks of secondary attacks. If users remain unaware of exposure, they cannot take steps to protect themselves.
Broader Context and Industry Pressure
According to the report, dozens of jurisdictions and states are enacting stronger cybersecurity regulations, and regulators are focusing more closely on how exchanges disclose breaches.
Market expectations also put pressure on exchanges. When systems are compromised, investors and users expect fast and transparent communication. Failing to provide it can destroy credibility, even when no funds are lost.
Security researchers say Know Your Customer (KYC) databases are especially vulnerable. Passports, IDs, and addresses are stored in these systems, making them attractive targets for hackers. Once exposed, this information is nearly impossible to replace or re-secure.
This case shows the challenge of balancing legal compliance, reputation protection, and the need for transparency. As cybersecurity regulation increases, exchanges may need more proactive disclosure practices to retain user trust.
For now, Crypto.com insists its “security-first culture” remains intact, strengthening industry certifications and resilience. But the debate over disclosure standards is unlikely to fade, especially as regulators worldwide press for stronger consumer protection.