Indodax Hacked
Having suffered a major security breach in which attackers made off with around $22 million worth of various cryptocurrencies, the Indonesian exchange Indodax has temporarily shut down its services.
The attack compromised hot wallets on the platform holding coins such as Bitcoin (BTC), Ether (ETH), Tron (TRX), Polygon (MATIC) and Optimism (OP) tokens. Far more assets were affected than TRC20-USDT alone.
INDODAX Hack and Stolen Assets
The INDODAX breach was first detected on September 11, when several blockchain security firms (PeckShield, Cyvers and SlowMist) warned of suspicious activity in Indodax's hot wallets. The stolen assets include over $1.42 million in Bitcoin (BTC), $2.4 million in Tron (TRX), $14.6 million in various ERC-20 tokens, $2.58 million in Polygon (MATIC) and $900,000 worth of Ether on the Optimism (OP) network. The spread of assets across so many chains points to a well-organized, highly professional operation.
The warnings came after the attackers carried out over 150 suspicious transactions across a wide range of networks and quickly swapped the stolen funds into Ether, which is likely to be laundered through crypto mixing services such as Tornado Cash. These services are designed to hide the origin of assets, making further tracing nearly impossible.
Breakdown of Indodax’s Stolen Assets
The hacker was able to steal multiple types of cryptocurrencies, which are worth about $22 million. Details of the Indodax stolen assets are as follows:
- Bitcoin (BTC): Over $1.42 Million
- Tron (TRX) and related tokens: $2.4 Million
- ERC-20 tokens: Over $14.6 Million
- Polygon (POL): $2.58 Million
- Ethereum (ETH) via the Optimism blockchain: Approximately $900,000 USD
Cyvers identified more than 150 suspicious transactions across many networks. Soon after, the attacker began converting a large share of the stolen tokens into Ether, a common first move for cybercriminals. Once swapped, the funds were laundered through crypto mixing services like Tornado Cash, which obscure transaction histories and effectively sever the links back to their origin.
Theories Surrounding the Indodax Breach
Exactly how the Indodax breach happened is still unclear, and the investigators disagree. According to SlowMist's analysis, the attacker gained access through a vulnerability in Indodax's withdrawal process and used it to drain the hot wallets. Cyvers, however, noted that flaws were found elsewhere in the Indodax platform, including a server-side request forgery (SSRF) vulnerability affecting its signing machine, which may have been used in the attack.
Whichever theory holds, the Indodax attack raises serious questions about the exchange's security practices, and for good reason: the funds taken sat in hot wallets, online wallets that are always connected to the internet and therefore more exposed to attack. Day-to-day transactions are typically handled from hot wallets, while cold wallets, which keep holdings offline and thus more secure, tend to hold larger or longer-term balances.
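The alerts raised by the monitoring firms above imply a control every exchange can run on its own hot wallets. The following is an added example, not Indodax's or any vendor's code: a sliding-window check over outgoing hot-wallet transfers that flags the multi-chain drain pattern described in this incident. The chains, timestamps, USD values and thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of outgoing hot-wallet transfers (chain, UTC timestamp, USD value).
# Not real Indodax data: three routine payouts, then a multi-chain drain of the
# kind the blockchain monitors flagged in this incident.
SAMPLE_TRANSFERS = [
    ("ethereum", "2024-09-11T01:00:00", 4_000.0),
    ("bitcoin",  "2024-09-11T01:30:00", 9_000.0),
    ("tron",     "2024-09-11T02:15:00", 2_500.0),
    ("ethereum", "2024-09-11T03:00:05", 60_000.0),
    ("tron",     "2024-09-11T03:00:40", 45_000.0),
    ("polygon",  "2024-09-11T03:01:10", 30_000.0),
    ("optimism", "2024-09-11T03:01:45", 20_000.0),
    ("bitcoin",  "2024-09-11T03:02:20", 70_000.0),
    ("ethereum", "2024-09-11T03:03:00", 55_000.0),
]

def parse_transfers(rows):
    """Turn (chain, iso_timestamp, usd) rows into (chain, datetime, usd) tuples."""
    return [(chain, datetime.fromisoformat(ts), float(usd)) for chain, ts, usd in rows]

def find_bursts(transfers, window=timedelta(minutes=10),
                max_count=5, max_usd=150_000.0, min_chains=3):
    """Slide a time window over hot-wallet outflows and report each contiguous
    stretch in which a threshold is exceeded: too many transfers, too much value,
    or several chains draining at once (the pattern seen in this breach)."""
    txs = sorted(transfers, key=lambda t: t[1])
    alerts, current, start = [], None, 0
    for end, (chain, ts, usd) in enumerate(txs):
        while ts - txs[start][1] > window:      # drop transfers older than the window
            start += 1
        win = txs[start:end + 1]
        count = len(win)
        value = sum(t[2] for t in win)
        chains = {t[0] for t in win}
        tripped = count >= max_count or value >= max_usd or len(chains) >= min_chains
        if tripped and current is None:         # rising edge: open a new alert
            current = {"start": txs[start][1], "end": ts, "count": count,
                       "usd": value, "chains": set(chains)}
        elif tripped:                           # still tripping: extend the open alert
            current.update(end=ts, count=max(current["count"], count),
                           usd=max(current["usd"], value))
            current["chains"] |= chains
        elif current is not None:               # window quiet again: close the alert
            alerts.append(current); current = None
    if current is not None:
        alerts.append(current)
    for a in alerts:
        a["chains"] = sorted(a["chains"])
    return alerts

if __name__ == "__main__":
    for a in find_bursts(parse_transfers(SAMPLE_TRANSFERS)):
        print(f"ALERT {a['start']}..{a['end']}: {a['count']} transfers, "
              f"${a['usd']:,.0f} across {', '.join(a['chains'])}")
```

In practice the thresholds would be tuned to each wallet's normal payout volume, and a tripped alert would pause withdrawals from that wallet pending review rather than only log a line.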
Indodax temporarily stops services for investigation
After the incident, Indodax paused all of its activity, including its mobile apps and web platform, while it investigated the details. The company issued a statement assuring users that their assets were not at risk and that it was doing everything possible to prevent a repeat.
“We are in the process of full maintenance at this time, which aims to check that everything works as it should. As part of the process, both our web platform and apps remain in a temporary unavailability state,” wrote INDODAX. Indodax has promised to keep users updated but has yet to give a timeline for when services will resume.
Indodax Hack’s Aftermath
Immediately after the attack, Indodax acknowledged it and suspended its services in full while it investigated what had gone wrong.
The company released an announcement saying that users’ assets were safe, reminding them it was undergoing “complete maintenance” on Indodax to reboot the system. The exchange has temporarily ceased all website and mobile app functionality as its internal evaluation continues.
Using ‘Crypto Mixers’ to Cover One’s Tracks
To hide the trail of the assets stolen from thousands of users, the attacker, according to an analytics firm that reported it apparently without publishing proof, set about converting the stolen cryptocurrencies into Ether.
To obscure the transaction trail further, this ETH is being routed through Tornado Cash and similar transaction-obfuscation services. This tactic makes it extremely hard for law enforcement to trace and recover the stolen funds.
Another Wake-Up Call for Crypto Exchanges
The Indodax breach is a chilling reminder of the risk cryptocurrency exchanges face, especially those that depend on hot wallets. Hot wallets are connected to the internet while cold wallets are not, which makes hot wallets the easier target for attackers.
The Indodax breach fits a pattern seen across the cryptocurrency market, in which cybercriminals exploit vulnerabilities in exchanges and steal funds. The stolen assets are then often obscured through mixing services such as Tornado Cash, which makes recovery even more challenging for the exchanges involved.
What the Future Holds for Indodax and the Crypto Community
While Indodax reportedly conducts forensic analysis to understand what happened and works out how to restore its operations, the case throws fresh light on security practices in crypto. Each further hack makes it more likely that regulators and investors will press for tougher rules and stronger security controls across the cryptocurrency market.
The event will also stand as a significant lesson for exchanges that prioritize convenience at the expense of security. Across the board, the need for rigorous, multi-layered defenses only grows more pronounced wherever user funds are held.
For now, Indodax users will have to wait for the investigation to conclude and see what measures the exchange takes.
How Indodax handles this crisis, whether it be by compensating the users that were affected or rolling out different security measures, will more than likely determine its fate.