Indonesian Crypto Exchange Indodax falls victim to $20 million hack

2024-09-11 by Ndaman Olayinka 3 minutes read

The first and largest crypto exchange for buying and selling crypto assets in Indonesia, Indodax, has suffered severe losses of about $22 million in various cryptocurrencies as a result of a security breach.

A number of blockchain research companies, such as PeckShield, Cyvers, LookonChain, SpotonChain, and SlowMist, issued alerts on September 11 regarding a potential attack on Indodax's hot wallets.

Web3 security firm Cyvers on X said it detected “suspicious transactions" involving Indonesia Bitcoin and Crypto Exchange Indodax hot wallets.

An independent investigation by SlowMist revealed that the hacker was able to take money out of the exchange's hot wallet due to a security flaw in Indodax's withdrawal system. Cyvers, however, thought that other systems—like the signature machine—were under attack.

Over $1.42 million in Bitcoin, $2.4 million in Tron blockchain tokens, over $14.6 million in different ERC-20 tokens, $2.58 million in POL, and $0.9 million in ETH from the Optimism blockchain were all taken by the hacker.

According to blockchain security company SpotonChain, there were significant cryptocurrency withdrawals from the exchange's platform.

Indodax(@indodax) was hacked for $22M 10 hours ago, including:
6.14M $USDT;
1,047 $ETH($2.48M);
25 $BTC ($1.41M);
2.2M $MATIC($849K);
1.4M $ARB($749.6K);
2M $ENA($465K);
...

The hacker has converted most of the stolen assets into native tokens and currently holds:
5584… pic.twitter.com/mX2wmj75k7
— Lookonchain (@lookonchain) September 11, 2024

The majority of the stolen assets have been converted into native tokens by the hacker, who now possesses the following: 25 $BTC ($1.41M); 16.74 million $TRX ($2.56M); 6.84 million $POL ($2.55M); and 5584 $ETH ($13M), according to Lookonchain.

PeckShield reported on X that it had discovered significant cryptocurrency withdrawals from Indoda. The leading blockchain security company reports that approximately 380 ETH on Optimism, 6.8 million POL on Polygon, and 5,204 ETH were parked at an address on Ethereum. In addition to other tokens, the hacker took considerable quantities of Bitcoin, Tron, Ether, Polygon, and Shiba Inu.

Over 150 suspicious transactions were found by Cyvers across several networks, and the security firm reported that the hacker had begun converting the tokens to ether.

Indodax stated in a post on X that its security team found possible security issues on its platform in response to the reported security incidents. The exchange said that in order to make sure the entire system is operating properly, maintenance is being done right now. The Indodax web platform and application will be temporarily unavailable during the maintenance period.

The funds of its customers were "100% safe" in both rupiah and cryptocurrency, the post added.

According to on-chain security company Cyvers, the largest cryptocurrency exchange in India, WazirX, was the victim of an exploit on July 18, 2024, that was worth over $230 million.

"Multiple suspicious transactions" involving WazirX's Safe Multisig wallet on Ethereum were reported by the security firm. Cyvers stated that the $234.9 million that was transferred to a new address was provided by TornadoCash and that the exploiter transferred the funds to a different address and exchanged them for Ethereum (ETH).

Disclaimer: This information should not be considered financial advice by any means. Please do your own research before making any investment decisions. The views in the articles are personal opinions only. Whale Insider is not responsible for any financial losses incurred.

Press releases