Indonesian cryptocurrency exchange Indodax has suffered a significant security breach, resulting in the loss of over $22 million in digital assets. The hack, which occurred on Wednesday, 11 September 2024, raises concerns about the vulnerabilities of centralised crypto platforms. The breach was first detected by Cyvers, which posted the initial findings on X, revealing the extent of the damage.
Indodax Hack: A Snapshot of the Breach
The hack targeted Indodax’s hot wallets, a common target in attacks on cryptocurrency exchanges. Unlike cold wallets, which remain offline and offer greater security, hot wallets are internet-connected and more susceptible to compromise. In this instance, hackers took advantage of that exposure to siphon off a range of assets from Indodax’s reserves, totalling approximately $22 million.
The stolen funds included various cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Tron (TRX), and Polygon (POL), as well as numerous ERC-20 tokens like Shiba Inu (SHIB) and Arbitrum (ARB). According to blockchain forensics firm Cyvers, the hackers executed a total of 160 suspicious transactions across several blockchain networks, making off with substantial sums from Indodax’s hot wallets.
The breach has alarmed the crypto community, especially given Indodax’s prominent position as Indonesia’s largest cryptocurrency exchange with over 4.3 million registered users. The attack highlights the persistent threat of cybercrime in the cryptocurrency sector, despite ongoing efforts by exchanges to strengthen their security measures.
A Breakdown of the Stolen Assets
The hackers made off with the following:
- Bitcoin (BTC): 25.01 BTC, worth $1.4 million.
- Ethereum (ETH): 666.55 ETH, valued at approximately $1.58 million.
- Tether (USDT): 6.14 million USDT across different chains.
- Polygon (POL): 6.84 million POL, amounting to $2.58 million.
- Arbitrum (ARB): 1.4 million ARB tokens, worth approximately $749,000.
Additional assets included Tron, UNI, Shiba Inu, and other tokens, further expanding the scope of the loss. Notably, Cyvers reported that the hackers had already begun converting many of these stolen assets into Ethereum, which could be a move to obscure the trail, possibly followed by the use of cryptocurrency mixing services to further evade detection.
Security Firms Sound the Alarm
The Indodax hack was first flagged by Cyvers, a blockchain security firm specialising in real-time monitoring of suspicious transactions. Yosi Hammer, Head of AI at Cyvers, explained that the breach began with an initial transfer of 660 ETH from Indodax’s wallets. This triggered over 150 additional transactions across multiple blockchains, drawing attention to the severity of the breach.
PeckShield, CertiK and SlowMist, other well-regarded blockchain security firms, soon corroborated the findings. They confirmed a major outflow of over $16 million in assets across Ethereum, Polygon, and Optimism. In particular, CertiK’s analysis highlighted that a significant portion of the stolen funds had already been parked in an Ethereum wallet.
Indodax’s Response
In the immediate aftermath of the attack, Indodax issued a statement via their official social media accounts, confirming that they were aware of the breach. The exchange announced that both its web and mobile platforms had been taken offline temporarily for maintenance as a precaution. Indodax assured users that their balances, both in cryptocurrency and Indonesian rupiah, were secure, despite the breach affecting a large portion of the platform’s hot wallets.
“We can assure you that your balance remains 100% safe both in crypto and rupiah,” the exchange stated on X (formerly Twitter), addressing user concerns over their remaining assets. However, the hack represents a significant reputational blow to Indodax, raising questions about the robustness of their security measures.
The Growing Threat to Crypto Exchanges
The Indodax hack is the latest in a series of high-profile breaches targeting cryptocurrency exchanges. As centralised exchanges continue to attract large volumes of assets, they become prime targets for sophisticated hacking groups, many of which are suspected to have ties to state-sponsored actors. In fact, some reports have suggested that North Korea’s notorious Lazarus Group could be behind the Indodax attack, given the scale and tactics employed in the breach.
The vulnerability of hot wallets remains a significant concern for exchanges like Indodax, despite efforts to bolster security. Cold wallets, which are kept offline and away from internet exposure, are still seen as the safest way to store digital assets. However, the convenience of hot wallets for day-to-day trading and liquidity makes them a necessary risk for many platforms.
Final Thoughts
The Indodax hack highlights the persistent and evolving threat of cybercrime in the cryptocurrency industry. With $22 million in digital assets lost, this breach serves as a stark reminder that even well-established exchanges are not immune to attacks. As the global crypto ecosystem continues to grow, it is essential that exchanges adopt stronger security measures and, where possible, minimise the use of hot wallets to protect their users’ assets.
For investors, this incident emphasises the importance of choosing exchanges with the highest security standards, as well as adopting personal security practices like using hardware wallets for storing long-term assets. Indodax will need to work quickly to restore trust and implement safeguards to prevent future breaches.