TLDR
- Crypto.com denied claims it failed to disclose a 2023 data breach where hackers accessed an employee account through phishing
- The attack was carried out by Noah Urban from hacking group Scattered Spider, who gained access to personal information of a small number of users
- No customer funds were compromised in the breach, which was contained within hours according to the company
- CEO Kris Marszalek called accusations of non-disclosure “misinformation” and said the incident was reported to US regulators
- The breach occurred before March 2023, with Urban later arrested and sentenced to 10 years in prison for hacking 13 companies
Crypto exchange Crypto.com has pushed back against allegations that it concealed a 2023 security incident from regulators. The controversy emerged after Bloomberg reported details about a previously unreported cyberattack on the platform.
The attack was carried out by Noah Urban, a teenage member of the cybercriminal group Scattered Spider. Urban specialized in phishing attacks targeting employees at telecommunications, technology, and cryptocurrency companies to gain access to sensitive data.
Working with another hacker known as “Jack,” Urban successfully compromised a Crypto.com employee’s account. This type of social engineering attack has become common in the crypto industry, where criminals target exchange staff to access customer information.
The breach occurred sometime before March 2023, when Urban was targeted in an FBI raid. Authorities seized $4 million worth of cryptocurrency, along with hundreds of thousands of dollars in cash and jewelry from the hacker.
Urban was arrested nine months later in January 2024. He was charged with involvement in attacks on 13 different companies and later pleaded guilty to the charges.
Company Response to Breach Claims
A Crypto.com spokesperson told Bloomberg that the incident affected the personal information of “a very small number of individuals.” The company emphasized that no customer funds were accessed or put at risk during the attack.
The exchange said it detected the phishing campaign targeting its employee in 2023. According to the company, the incident was contained within hours of detection.
Crypto.com maintained that it properly disclosed the breach to authorities. The spokesperson said the company filed a “Notice of Data Security incident” in the US-based Nationwide Multistate Licensing System.
The company also reported the incident to “additional reports with the relevant jurisdictional regulators.” However, it remains unclear whether affected users were directly notified about the breach.
CEO Addresses Misinformation Claims
CEO Kris Marszalek responded to the controversy on social media platform X. He called suggestions that the company failed to report the security incident “completely unfounded.”
I want to directly and clearly address some misinformation spreading from uninformed sources…
Any suggestion that we did not report or disclose a security incident is completely unfounded – as we reported in a NMLS Notice of Data Security incident filing and in additional…— Kris | Crypto.com (@kris) September 22, 2025
Marszalek said “misinformation was spreading from uninformed sources” regarding the breach disclosure. He reiterated that the company reported the incident to US regulators and other relevant authorities.
Blockchain investigator ZachXBT had criticized the exchange on X, claiming Crypto.com had “covered up a breach that impacted the personal information of your users.” ZachXBT also alleged that Crypto.com had “been breached several times.”
Bad news: Your team covered up a breach that impacted the personal information of your users pic.twitter.com/1xqmJyqm5i
— ZachXBT (@zachxbt) September 21, 2025
Exchange Volume and Partnerships
Crypto.com has experienced growth in trading volume alongside other USD-backed cryptocurrency exchanges. In August, the platform processed more volume than rival exchange Coinbase, according to data from The Block.
The company recently finalized a partnership with Trump Media & Technology Group. The agreement establishes a digital asset treasury company focused on acquiring CRO, the native token of the Cronos blockchain.
This deal represents closer ties between the cryptocurrency industry and the current US administration. Urban was ultimately sentenced to 10 years in prison for his role in the cybercriminal activities.
