TLDR:
- Over $22 million was illicitly taken from the Indonesian crypto platform Indodax.
- The theft involved various cryptocurrencies, including Ethereum (ETH), Tron (TRX), Bitcoin (BTC), and Polygon (MATIC).
- Indodax has stopped all functions and is actively investigating the security breach.
- There might also be unauthorized access to the exchange's social media channels.
- The attackers have started converting the stolen assets into Ethereum and using mixing services.

Indodax, an Indonesian cryptocurrency exchange, was the target of a security breach on September 11, 2024, leading to a loss of more than $22 million in various cryptocurrencies.
The attack, which focused on the exchange's hot wallets, forced Indodax to temporarily halt all platform functions while it investigates the matter.
Indodax, which launched in 2014, is a key player in Indonesia’s crypto scene, primarily serving the local community with trade options against the Indonesian currency. Before this breach, their daily trading activity was around $11 million.
Blockchain security firms SlowMist and CertiK were the first to flag the breach on social media. Reports indicate the stolen assets include over $14 million in Ethereum (ETH), $2.4 million in Tron (TRX), $1.4 million in Bitcoin (BTC), $2.5 million in Polygon (MATIC), and more.
🚨SlowMist Security Alert🚨
Indonesian crypto exchange @indodax: An attack occurred just hours back, enabling the hacker to swipe various coins from active wallets. The overall loss tallies to approximately $22 million💸. Below are the specifics of what's missing⬇️ pic.twitter.com/r4i0rBbctJ
— SlowMist (@SlowMist_Team) September 11, 2024
The exchange publicly acknowledged the security issue on its official X account (formerly known as Twitter), stating that operations had been put on hold for 'maintenance.'
Nonetheless, users could no longer see their wallet balances, sparking anxiety over how extensive the breach might be.
While the attack method remains unknown, some security researchers theorize that a compromise of Indodax's withdrawal system could be the cause, giving the attacker unauthorized access to funds in the exchange's hot wallet, which usually holds part of user funds for immediate use.
Despite this sizable setback, it's important to note that the stolen amount is still just a portion of Indodax’s overall reserves.
Blockchain analytics firm Arkham highlighted that Indodax still manages about $400 million worth of various digital assets in their wallets.
Indodax responded to the intrusion by suspending access to both its mobile app and its website. It has reassured users that assets, including both cryptocurrencies and the local currency, are secure, although users are advised to watch for official notifications.
Complicating matters further, there are signs that the attacker also compromised Indodax's social media accounts.
A suspicious 'giveaway' surfaced on the exchange's Instagram following the hack, indicating the breach could extend beyond the exchange's hot wallets.
Blockchain analysts note that the attacker swiftly began converting the stolen tokens into Ethereum.
There are worries that the attacker may be using coin-mixing services such as Tornado Cash to obscure the trail of the stolen funds, complicating tracing and recovery efforts for authorities.