- Indodax has gone offline following a $22 million hack
- The exchange has paused web and app access for thorough system maintenance
- The company has assured users that their funds remain secure
Indonesian cryptocurrency exchange Indodax has temporarily suspended its operations following the loss of $22 million in a hack. The loss was revealed yesterday, prompting “thorough maintenance” on the platform. Users have been warned that they will not be able to access the platform during this period, but the exchange has reassured them that their assets are safe.
Indodax Warned of “Potential Security” Issue
Users were alerted to the loss through a tweet from Indodax, which described the issue as a “potential security” issue:
Halo Member INDODAX,
Kami ingin menginformasikan bahwa team security kami menemukan potensi indikasi keamanan pada platform kami.
Saat ini, kami sedang melakukan pemeliharaan menyeluruh untuk memastikan seluruh sistem beroperasi dengan baik. Selama proses pemeliharaan ini,… pic.twitter.com/kYAc6ilERF
— indodax (@indodax) September 11, 2024
Security firm Slowmist expanded on the hack, offering firm details on what was taken:
🚨SlowMist Security Alert🚨
Indonesian crypto exchange @indodax suffered an attack a few hours ago, with the hacker stealing various tokens from hot wallets. The total loss is approximately $22 million💸. Below are the details of the losses⬇️ pic.twitter.com/r4i0rBbctJ
— SlowMist (@SlowMist_Team) September 11, 2024
Slowmist then offered a more detailed take on the hack following further analysis ruling out a hot wallet breach and suggesting that the hack was down to manipulation of the withdrawal mechanism:
1⃣ Based on our analysis🔎, we can rule out the possibility that the hot wallet has been compromised. It is possible that the withdrawal system has been hacked.
🤔Let’s dive into it.
Here are the hacked bitcoin transactions. The stolen funds were withdrawn from the Indodax… https://t.co/hQb0o4ljW8 pic.twitter.com/YCHYX1kg2y
— SlowMist (@SlowMist_Team) September 11, 2024
The hacker stole over $1.42 million in Bitcoin, $2.4 million in Tron’s TRX and over $14.6 million in various ERC-20 tokens, with fellow security firm Cyvers detecting more than 150 suspicious transactions over multiple networks and reporting that the hacker had started swapping the tokens to ETH. This is likely the first stage in the process of exfiltrating the coins through a mixing service.
Indodax has stated that it will update customers once it has more information but that any losses will be reimbursed.