In practice, there’s often so much complexity that finding a path isn’t all that hard. Some examples:
- abuse the logic flow and simply don’t submit the 2FA step
- submit an empty 2FA token (I’ve seen it work)
- get a signed transaction from a legitimate transfer and replay it in a compromised account
- find the admin API that their help desk uses that doesn’t require 2FA
- brute force the 2FA code. If you get three attempts at a 6-digit PIN you have a 1/333,333 chance. Multiply that by a few thousand accounts you can find reused creds for
- find an API to abuse to disable 2FA (maybe via CSRF?)
- move the money into an account that doesn’t require 2FA (some kind of whitelisted arbitrage account maybe?) then cash out from there
- keep transfers under a 2FA threshold but then either script up the transfer to repeat or change the transfer amount after the threshold check has occurred
I could riff on this for ages. Some more plausible than others. Some I've definitely seen (and used in legal testing).
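The step-skipping, empty-token and change-the-amount-after-the-check bypasses from the list above, shown as an added toy example (not code from this thread or from any real exchange): a two-step transfer flow written the vulnerable way beside a hardened version, plus the brute-force arithmetic from the list. `THRESHOLD`, `MAX_ATTEMPTS`, the account values and the 2FA codes are all constructed for illustration.

```python
"""Added example, not from the thread: a toy 2FA-gated transfer flow that
reproduces three of the listed bypasses (not submitting the 2FA step,
submitting an empty token, changing the amount after the threshold check)
beside a hardened version, plus the brute-force odds arithmetic.
All thresholds, account data and code values are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

THRESHOLD = 1000      # assumed: transfers above this require a 2FA code
MAX_ATTEMPTS = 3      # assumed lockout, matching the "three attempts" figure above
DIGITS = 6


@dataclass
class Account:
    balance: int
    current_code: str                      # constructed: what the user's authenticator shows now
    failed: int = 0
    pending: dict = field(default_factory=dict)


# ---- vulnerable flow: the 2FA gate is driven by what the client sends ----
def vuln_initiate(acct, amount):
    """Step 1: the threshold check happens here, but the amount is not remembered."""
    tid = secrets.token_hex(4)
    acct.pending[tid] = {"needs_2fa": amount > THRESHOLD}
    return tid


def vuln_confirm(acct, tid, amount, code=None):
    """Step 2: amount is re-read from the request (change it after the check),
    and an absent or empty code simply skips the comparison."""
    p = acct.pending.pop(tid)
    if p["needs_2fa"] and code:            # None (step skipped) or "" never reaches the check
        if code != acct.current_code:      # no attempt limit, non-constant-time compare
            return "2fa_failed"
    acct.balance -= amount                 # trusts the step-2 amount, not the step-1 one
    return "ok"


# ---- hardened flow: server-side state decides whether 2FA is owed ----
def safe_initiate(acct, amount):
    if amount <= 0:
        raise ValueError("bad amount")
    tid = secrets.token_hex(8)
    acct.pending[tid] = {"amount": amount, "needs_2fa": amount > THRESHOLD}
    return tid


def safe_confirm(acct, tid, code=None):
    p = acct.pending.get(tid)              # left in place on failure so a retry counts
    if p is None:
        return "no_such_transfer"
    if p["needs_2fa"]:
        if acct.failed >= MAX_ATTEMPTS:
            return "locked"
        # Explicit shape check: the step cannot be skipped and "" is not a code
        if not (isinstance(code, str) and len(code) == DIGITS and code.isdigit()):
            return "2fa_required"
        if not hmac.compare_digest(code.encode(), acct.current_code.encode()):
            acct.failed += 1
            return "2fa_failed"
        acct.failed = 0
    if p["amount"] > acct.balance:
        return "insufficient"
    del acct.pending[tid]
    acct.balance -= p["amount"]            # amount bound at initiate time, not re-read
    return "ok"


def bruteforce_odds(attempts=MAX_ATTEMPTS, digits=DIGITS, accounts=1):
    """Chance that at least one of `accounts` independent accounts falls to
    `attempts` random guesses at a `digits`-digit code. Three guesses at six
    digits gives 3/1,000,000 = 1/333,333 per account, as stated above."""
    per_account = attempts / 10 ** digits
    return 1 - (1 - per_account) ** accounts


if __name__ == "__main__":
    a = Account(balance=5000, current_code="123456")
    t = vuln_initiate(a, 50)               # initiated under the threshold...
    print(vuln_confirm(a, t, 5000))        # ...amount changed at confirm: prints "ok"
    b = Account(balance=5000, current_code="123456")
    print(safe_confirm(b, safe_initiate(b, 5000), ""))   # prints "2fa_required"
    print(f"{bruteforce_odds(accounts=3000):.4%}")       # roughly 0.9% across 3000 accounts
```

The hardened version fixes each flaw where it lives: the server records whether 2FA is owed and the amount at initiate time, an empty or missing code is rejected before any comparison, the comparison is constant-time, and the attempt counter is kept on the account rather than on the request.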
Seems really unlikely, but maybe someone guessed or discovered the keys? It would likely only happen if Crypto.com was somehow generating them insecurely, or if someone had inside access to their systems or something. Maybe a leak?
Since it is across multiple currencies, I think it is unlikely it has to do with generation. Maybe it could still be a leak or something.