
company of the week: crypto.com

what 66 live web servers, 45,352 indexed URLs, and 119 published source maps say about crypto.com.

Crypto.com runs a public bug bounty on HackerOne, which puts their public web surface in scope for outside research. neobotnet mapped crypto.com — explore the full index in /urls.

Most people think of crypto.com as "the exchange." From outside, it looks like a holding company.

449 dns resolved · 66 web servers · 37 technologies · 45,352 urls indexed · 119 source maps

what's reachable

449 hostnames resolve under crypto.com's bounty scope — 408 under *.crypto.com, 41 under mona.co (the NFT marketplace, which most readers won't recognize as theirs). Only 66 return HTTP 200 with a title and tech stack. The other 85% exist in DNS but don't serve HTTP — internal-leaning infrastructure leaking names into the public zone.

Those 66 hosts ship just 42 distinct page titles. Many subdomains share frontends across teams — the five wallet-* properties serve one title between them; the auth family shares another. Read top-down, the live surface looks like this:

crypto.com
├── auth.* (×3)             consumer auth
├── auth.custody.*          institutional custody (Okta-gated)
├── merchant.* / pay.*      Crypto.com Pay (B2B)
├── deriv-api.* + siblings  derivatives
├── wallet.* (×6)           wallet
├── api.nft.* + mona.co     NFT marketplace
├── institutions.*          institutional onboarding
├── travel.*                travel booking (dev + stg exposed)
├── tax.*                   Crypto.com Tax
├── top-up.*                fiat on-ramp
├── experiences.*           experiences
└── ai-agent-sdk-docs.*     AI agent SDK

The product portfolio is readable from DNS resolution alone.

what's running

Across the 66 alive hosts, neobotnet sees a coherent stack with two or three surprises:

  • Edge. Cloudflare on 47/66 (71%), Cloudflare's enterprise-tier Bot Management on 44/66, Amazon CloudFront on 22/66.
  • Cloud. AWS visible on 24 hosts, Azure Front Door on 5 — multi-cloud, not single-vendor.
  • Frontend. React, Node.js, Webpack, Next.js dominant across consumer surfaces. One Gatsby 5.13.4 surface; one Vercel host; one Framer Sites host. Two jQuery versions in production — 3.7.1 and 3.5.1 (the 3.5.1 build dates to 2020).
  • Identity / gateway. Okta 7.44.3 on the custody surface; Kong 3.4.2 on api.nft.crypto.com — exact version exposed in response headers.
  • Bot mitigation. GeeTest on the merchant dashboard, reCAPTCHA on one host, Cloudflare Bot Management everywhere else — three different vendors across one estate.
  • Payments. Stripe publishable keys (pk_live_*) appear in the checkout JS, which is correct — public keys are designed to ship in the frontend.

Then the source maps. Crypto.com publishes 119 .js.map files across the live surface. Source maps are sidecars to compiled JS bundles — when published, they let anyone reconstruct the original file tree, library imports, and (when sourcesContent is included) the actual source code.

Two uses. As a fingerprint, the paths name the libraries each team picked — Next.js on consumer, Mantine on markets, an internal Chakra fork — no guessing required. As a read, anyone who fetches the map gets the unminified source. The map turns "reverse-engineer the bundle" into "open the file."
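To see what a shipped map discloses before it goes live, here is an added example (not neobotnet's tooling or crypto.com's code) that parses a constructed v3 source map in Node.js and reports both channels the paragraph above names: the dependency fingerprint from the path list, and whether sourcesContent embeds the original code. The sample map, its paths and its snippets are made up for illustration.

```javascript
// Added example, not neobotnet's or crypto.com's code: audit a build's .js.map
// before deploy and report what a published map would disclose.
// SAMPLE_MAP is a constructed source map, not one taken from any live surface.
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "main.3f2a.js",
  sources: [
    "webpack://app/./node_modules/next/dist/client/index.js",
    "webpack://app/./node_modules/@mantine/core/esm/index.js",
    "webpack://app/./src/auth/magicLink.ts",
    "webpack://app/./src/config/endpoints.ts",
  ],
  // Optional field: when present it carries the original source verbatim.
  sourcesContent: [
    null,
    null,
    "export const sendMagicLink = (phone) => fetch('/api/magic', { method: 'POST' })",
    "export const API_BASE = 'https://api.example.invalid'",
  ],
  mappings: "AAAA;AACA",
});

// Parse a v3 source map and summarise its two disclosure channels:
// the path list (a dependency fingerprint) and any embedded source text.
function auditSourceMap(mapText) {
  const map = JSON.parse(mapText);
  if (map.version !== 3 || !Array.isArray(map.sources)) {
    throw new Error("not a version 3 source map");
  }
  const libraries = new Set();
  const firstParty = [];
  for (const src of map.sources) {
    // Anything under node_modules names a dependency (scoped packages keep their scope).
    const m = src.match(/node_modules\/((?:@[^/]+\/)?[^/]+)/);
    if (m) libraries.add(m[1]);
    else firstParty.push(src.replace(/^webpack:\/\/[^/]*\/(\.\/)?/, ""));
  }
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === "string" && c.length > 0).length;
  return { bundle: map.file, libraries: [...libraries].sort(), firstParty, embeddedSources: embedded };
}

// "none": nothing to read; "paths": fingerprint only; "source": original code ships with the map.
function disclosureLevel(mapText) {
  const audit = auditSourceMap(mapText);
  if (audit.embeddedSources > 0) return "source";
  return audit.libraries.length + audit.firstParty.length > 0 ? "paths" : "none";
}
```

A build step that fails on "source" (or on anything but "none" for a public bundle) is the cheapest way to keep the read channel closed while still keeping maps for internal error tracking.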

what the URL corpus shows

neobotnet has 45,352 URLs indexed under crypto.com across 477 domains and 42,837 unique paths. The corpus reads as a recon-grade map of how the product is built.

  • Magic-link auth across two brands. A parameter called magic_action appears with values login, web_login, and web_sign_up on crypto.com/signup/phone-enter, crypto.com/login/phone-verify, and mona.co/magic/<token>. Same parameter across both apexes — unified magic-link auth across crypto.com and mona.co, visible from URL params alone.

    see the magic_action URLs filtered in /urls →

  • Mobile attribution stack, named. _branch_referrer + _branch_match_id (Branch.io for deep-linking) and af_xp + deep_link_value (AppsFlyer for mobile attribution) appear in 200+ URLs. The mobile-app vendor stack is observable without ever installing the app.

  • Cross-domain URL parameters. neobotnet flagged 108 URLs that pass a url= parameter with a cross-domain value — the shape that classically resembles an open-redirect candidate. 107 resolve to *-files.gitbook.io (GitBook's image-proxy for crypto.com's documentation site); the 108th points at integrations.gitbook.com via redirect_uri.

    • All 108 are a vendor's hosting infrastructure, not exploitable redirects.
    • A separate but same-shaped signal also fired: 7 same-domain redirect with path hits. Those are more interesting — mostly OAuth callbacks (/fe-ex-api/oauth_redirect, /proof-of-reserves/audit/exchange-redirect, custody.crypto.com/callback). The auth flow architecture is partly described by redirect_uri values in URL params.

    see all cross-domain signals filtered in /urls →
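As an added example (not neobotnet's classifier), the Node.js snippet below triages redirect-shaped parameters in a URL inventory into the two signals described above and suppresses the vendor-proxy noise. The parameter names url= and redirect_uri and the *-files.gitbook.io pattern come from this post; the scope apex example.invalid, the other parameter names and every sample URL are constructed.

```javascript
// Added example, not neobotnet's classifier: triage redirect-shaped URL
// parameters in an inventory into the signals above. url=, redirect_uri and the
// *-files.gitbook.io pattern are from the text; everything else is constructed.
const REDIRECT_PARAMS = ["url", "redirect_uri", "redirect", "next", "return_to"];

// Vendor hosts that legitimately receive cross-domain values (image proxy,
// integrations). Matches are noise, not open-redirect candidates.
const VENDOR_HOST_PATTERNS = [/^[^.]+-files\.gitbook\.io$/, /^integrations\.gitbook\.com$/];

const SAMPLE_URLS = [
  "https://docs.example.invalid/~gitbook/image?url=https%3A%2F%2Fabc-files.gitbook.io%2Flogo.png",
  "https://auth.example.invalid/oauth/authorize?redirect_uri=https%3A%2F%2Fcustody.example.invalid%2Fcallback",
  "https://www.example.invalid/login?next=%2Fproof-of-reserves%2Faudit",
  "https://www.example.invalid/go?url=https%3A%2F%2Fthird-party.invalid%2F",
  "https://www.example.invalid/home?ref=newsletter",
];

function inScope(host, scope) {
  return scope.some((apex) => host === apex || host.endsWith("." + apex));
}

// Classify one parameter value relative to the page that carries it.
// Relative values ("/callback") resolve against the page host; protocol-relative
// values ("//other.invalid/x") resolve off-host and are caught as cross-domain.
function classifyTarget(value, pageHost, scope) {
  let target;
  try { target = new URL(value, "https://" + pageHost); } catch { return null; }
  if (!/^https?:$/.test(target.protocol)) return "non-http"; // data:, javascript: and friends
  if (inScope(target.hostname, scope)) {
    return target.pathname !== "/" ? "same-domain-redirect-with-path" : "same-domain";
  }
  if (VENDOR_HOST_PATTERNS.some((re) => re.test(target.hostname))) return "vendor-proxy";
  return "cross-domain"; // the candidate shape that needs a human look
}

// Walk an inventory and return every redirect-shaped hit plus counts per signal.
function triageInventory(urls, scope) {
  const findings = [];
  for (const raw of urls) {
    const page = new URL(raw);
    for (const [name, value] of page.searchParams) {
      if (!REDIRECT_PARAMS.includes(name)) continue;
      const signal = classifyTarget(value, page.hostname, scope);
      if (signal) findings.push({ page: page.hostname + page.pathname, param: name, target: value, signal });
    }
  }
  const counts = {};
  for (const f of findings) counts[f.signal] = (counts[f.signal] || 0) + 1;
  return { findings, counts };
}
```

Run over an inventory, the counts line up with the post's triage: vendor-proxy hits are dropped, same-domain redirect with path hits describe the OAuth callback architecture, and only the cross-domain remainder needs a reviewer.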

what's worth a closer look

A few hosts say more than their hostnames do:

  • incident.crypto.com and itsupport.crypto.com — both Atlassian Jira Service Management portals. The login pages themselves are gated, but the hostnames disclose two things: incident-response and IT-support workflows both ride on Atlassian (single-vendor concentration), and the URL convention is predictable. That combination — known helpdesk vendor plus guessable hostname pattern — is exactly the recon detail that powers helpdesk-impersonation phishing.
  • send.crypto.com — title reads mcointernal - Sign In. Crypto.com was founded as Monaco Technology; the rebrand was 2018. Eight years later, "mcointernal" is still printed in a <title> tag on a live host. Rebrands leak through HTML long after the press release.
  • itops.mona.co runs Zoho Accounts, not Atlassian — the NFT side has a different IT stack than the main co. Typical post-acquisition vendor drift.
  • auth.dev.travel.crypto.com and auth.stg.travel.crypto.com — dev and staging auth hosts of the travel product, publicly resolvable. Anyone with dig finds them; whether they're intended to be is the operator's call.

next week

neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.