SUMMARY
- Indodax was hacked, with over $22 million in tokens stolen, prompting the exchange to pause operations for “maintenance.”
- Signs of further security issues appeared, including a suspicious Instagram giveaway, hinting at compromised social media accounts.
Indonesia-based cryptocurrency exchange Indodax suffered a critical security breach early Tuesday, with hackers stealing over $22 million in tokens from the exchange’s hot wallets. Security researchers, including firms SlowMist and CertiK, detailed that the stolen assets included over $14 million in various tokens, $2.4 million in Tron’s TRX, $1.4 million in bitcoin (BTC), and $2.5 million in Polygon’s MATIC. Despite the theft, Indodax’s wallets still hold over $400 million worth of tokens, according to Arkham data.
The exchange, which has been operating since 2014, serves the Indonesian market and traded over $11 million worth of cryptocurrencies in the 24 hours preceding the hack. In reaction to the attack, Indodax paused platform operations under the pretense of “maintenance,” but users on platforms like X and Telegram reported missing wallet balances. Further doubts were raised when a giveaway for the Indonesian rupiah showed up on Indodax’s Instagram page, suggesting a potential social media account compromise.
The exact details of how the attack happened are still under investigation, though SlowMist suggested a breach in Indodax’s withdrawal framework that permitted the hacker to drain funds from the hot wallet. Cyvers, another security firm, theorized that the exchange’s signature machine may have been targeted, resulting in over 150 suspicious transactions across numerous networks.
After stealing over $1.42 million in Bitcoin and large sums from other blockchains, the hacker started converting the stolen tokens into Ether (ETH). Cyvers reported that after swapping the funds, the hacker used crypto mixing services such as Tornado Cash, which permitted them to launder the assets anonymously.
The incident has highlighted notable vulnerabilities in Indodax’s security framework, affecting both its hot wallet and possibly its social media channels. The exchange’s confirmation of the breach and the ensuing platform shutdown suggest a concerted effort to contain further damage, but the true extent of the hack remains unclear as investigations proceed. The use of mixing services to obfuscate the stolen assets further complicates recovery efforts, making it challenging for investigators to trace the funds.
The attack underscores the continuing risks of centralized exchanges and the challenges of securing large volumes of cryptocurrency in hot wallets. Investors and users alike remain attentive to further developments.