Indodax - Rekt



In the high-stakes game of crypto exchanges, Indodax just crapped out.

Over $25 million vanished faster than you can say rupiah in the latest episode of "Centralized Exchange Calamities: Southeast Asian Edition."

On September 10th, Indodax, Indonesia's largest crypto exchange, learned a costly lesson in the dangers of wallet management and the persistence of sophisticated hacking groups.

As alerts of the exploit spread, observers watched in fascination as the hackers performed their dark magic, siphoning funds across multiple chains with the finesse of a digital David Copperfield.

In the world of centralized exchanges, "not your keys, not your crypto" isn't just a catchy slogan, it's a warning that keeps ringing true.

In the wake of this Indonesian crypto tsunami, will Indodax's reputation be as leaky as its security protocols?

Credit: Cyvers, Lookonchain, SlowMist, William Sutanto, Arkham Intel, BeInCrypto

The first signs of trouble came when Cyvers raised the alarm on Twitter: "Our system has detected multiple suspicious transactions involving your wallets on different networks."

It didn't take long for the blockchain sleuths to mobilize.

Within hours, a clearer picture emerged of the devastation:

6.14M USDT

1,047 ETH ($2.48M)

25 BTC ($1.41M)

2.2M MATIC ($849K)

1.4M ARB ($749.6K)

2M ENA ($465K)

...and the list goes on totaling roughly $25.22 million.

As the crypto sleuths pieced together the digital breadcrumbs, a familiar pattern began to emerge.

Yosi Hammer, Head of AI at Cyvers, provided some intriguing insights:

"While it is premature to confirm the involvement of any specific group, the attack's speed and complexity, the pattern and the characteristics of the attack highly resemble those of North Korea's Lazarus Group."

Hammer, however, emphasized that it’s too early to confirm the attackers’ identity.

SlowMist's analysis ruled out a simple hot wallet compromise, suggesting a more insidious breach of the withdrawal system itself.

In a move that would make Ocean's Eleven blush, the hackers managed to initiate withdrawals that looked legitimate, complete with change addresses depositing back into Indodax.

Compromised Indodax hot wallets:

Eth/Polygon: 0x3C02290922a3618A4646E3BbCa65853eA45FE7C6

Tron: TWe5pEnPDetzxgJS4uN26VFg15wWtdcTXc

BTC: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d

As onlookers held their collective breath, Indodax finally broke their silence, announcing a "complete maintenance" to ensure system integrity.

In a move that surely instilled confidence, Indodax co-founder William Sutanto assured users that their funds were "100% safe both in crypto and rupiah."

Because nothing says "everything's fine" like completely shutting down your platform.

The hackers, meanwhile, weren't content with their initial haul.

Like kids in a crypto candy store, they proceeded to swap their ill-gotten gains and move the stolen loot here:

Ethereum ($12.37m): 0x59101E532bc728599a2d373fCdC7aFf58cB48Df8

Misc ERC-20 tokens on Ethereum ($1.2m): 0xB0A2e43D3E0dc4C71346A71484aC6a2627bbCbeD

Optimism ($900k): 0x3B8F1131a20e131c195bdA6FDd6e9bE38935eB6d

Polygon ($6.8m): 0x90fffbc09e9a5f6d035e92d25d67e244ef5e904f

Tron ($2.55m): TBooefeY6FvGuyKfvp5yE1HmzhzvXnvA1P

BTC ($1.4m): bc1q5uqpn0ha5llrvhcvkq3nfalp8fj7qe3rydcvmf

In this game of cat and mouse, it seems the attackers have once again proven they're the Garfield of the crypto world: fat, sassy, and always getting the lasagna.

With Cyvers reporting over 150 transactions in this digital heist, untangling this crypto yarn promises to be more complex than decoding a teenager's TikTok feed.

One thing's for sure: when the post-mortem drops, it'll be a page-turner that'd make even the most hardened crypto-detective's head spin.

Grab your popcorn, folks, this blockchain whodunit is far from over.

The stolen stash was a relatively small amount as the exchange’s wallets continue to hold over $400 million worth of various tokens, as Arkham data shows.

Back in June 2023, Indonesian cops nabbed a duo of digital doppelgangers who were masquerading as Indodax on social media.

These crafty con artists were peddling fool's gold to unsuspecting marks, managing to pilfer a cool 625 million Indonesian Rupiah (about $40,500) before the law caught up with them.

Indodax's misfortune serves as a stark reminder that in the wild east of crypto exchanges, even the biggest fish can get caught in a net.

When exchanges are playing whack-a-mole with threats ranging from two-bit hustlers to sophisticated hackers wielding nation-state level techniques, is "not your keys, not your crypto" less of a mantra and more of a survival guide?

It's a tale as old as Bitcoin: in the rush to provide liquidity, security sometimes takes a back seat.

As the crypto space continues to grapple with the reality of highly sophisticated hacking groups, it's clear that even more rigorous security measures are needed.

But in a world where exchanges are locked in an arms race with some of the most skilled hackers on the planet, can we really expect them to keep up?

Is it too much to ask exchanges that hold millions in user funds to better secure their hot wallets, implement stricter withdrawal controls, and maybe hire a security guard named Brutus?

In this case, it appears so.

For now, Indodax joins the ever-growing list of exchanges that have fallen victim to high-profile digital heists.

As hackers continue to target crypto exchanges with increasing sophistication, one has to wonder: Is your favorite exchange next on their hit list or have they already paid their "security debt"?

