Data Leak? Crypto.com Fires Back At ‘Unfounded’ Allegations

According to Bloomberg and several other news outlets, Crypto.com has pushed back against a report that a 2023 breach exposed user details and was kept from authorities.

The story centers on a hacking group known as Scattered Spider and a young suspect who, according to reports, used phishing and social engineering to access an employee account. Crypto.com says the claims that it hid the incident are “unfounded.”

Company Statement And Regulators

Crypto.com’s leadership has said the incident was reported to regulators at the time. CEO Kris Marszalek and company spokespeople told reporters that the breach affected a “very small number of individuals,” involved limited personally identifiable information (PII), and did not put customer funds at risk.

Based on reports, the firm says it notified US regulators and relevant jurisdictional authorities about the matter in 2023. The company called any suggestion of a cover-up misinformation.

I want to directly and clearly address some misinformation spreading from uninformed sources… Any suggestion that we did not report or disclose a security incident is completely unfounded – as we reported in a NMLS Notice of Data Security incident filing and in additional…

— Kris | Crypto.com (@kris) September 22, 2025

Crypto.com: What Reporters Found About The Hack

Bloomberg’s investigation names Scattered Spider and one alleged member, 18-year-old Noah Urban, as central to the operation. Reports say the attackers used social engineering and phishing to trick an employee into giving access, and that the intrusion happened sometime before early 2023.

Multiple outlets repeated Bloomberg’s account, while some pieces added details about the group’s past campaigns against major companies. Crypto.com confirmed a limited breach but disputed claims that the company intentionally withheld the event from regulators.

On-chain investigator ZachXBT publicly criticized Crypto.com after the reporting, arguing the exchange should have made the incident public and notified affected users directly.

Bad news: Your team covered up a breach that impacted the personal information of your users pic.twitter.com/1xqmJyqm5i

— ZachXBT (@zachxbt) September 21, 2025

Other security watchers said the crypto industry needs clearer standards about when exchanges must disclose breaches to the public versus regulators. Reports have disclosed conflicting timelines about when regulators were told and when any affected customers were informed, leaving several questions unsettled.

They’ve been breached several times https://t.co/ptAHq1ZTOG

— ZachXBT (@zachxbt) September 21, 2025

The number of users affected remains unknown, and the exact data fields involved — passport scans, phone numbers, or email addresses — have not been detailed in public documents.

Crypto.com maintains that no funds were taken. No independent forensic reports or full third-party audits confirming the scope have been made public.

That lack of clarity has prompted calls from the community for greater transparency and formal confirmation from outside experts.

Featured image from Woden Valley Plumbing, chart from TradingView