Indonesian cryptocurrency exchange Indodax experienced a significant security breach resulting in the loss of approximately $22 million in various cryptocurrencies, prompting the shutdown of its mobile and web platforms for an in-depth investigation. On September 11, blockchain investigation firms PeckShield, Cyvers, and SlowMist detected unusual activity suggesting an attack on Indodax’s hot wallets, where substantial amounts of Bitcoin, Tron, Ether, Polygon, and Shiba Inu tokens were stolen.
SlowMist’s preliminary analysis indicated a vulnerability in Indodax’s withdrawal system, which allowed the hackers to siphon funds from the exchange’s hot wallet. Cyvers pointed to additional compromised elements, including the signature machine used by the exchange. The stolen assets included over $1.42 million in Bitcoin, $2.4 million in Tron tokens, more than $14.6 million in various ERC-20 tokens, $2.58 million in Polygon, and $0.9 million in Ether from the Optimism blockchain.
Following the breach, Cyvers identified over 150 suspicious transactions across multiple networks, noting that the hacker began converting the stolen assets to Ether. The culprits then reportedly used crypto mixing services like Tornado Cash to launder the funds, making it difficult to trace the stolen assets.
In response to the security incident, Indodax took immediate action by halting all operations and issuing a statement to its users: “Currently, we are conducting a complete maintenance to ensure the entire system is operating properly. During this maintenance process, the INDODAX web platform and application are temporarily inaccessible.”
Amid the investigation, there is speculation about the perpetrators’ identity. Yosi Hammer, head of AI at Cyvers, suggested a link to North Korea’s notorious Lazarus Group, known for its sophisticated cyberattacks on financial institutions. He observed, “The pattern and the characteristics of the [Indodax] attack highly resemble those of North Korea’s Lazarus Group.”
Despite the significant financial impact of the hack, Indodax, with a reserve balance of $369 million as reported by CoinMarketCap, reassured investors of the safety of their assets, hinting at potential measures to compensate for the losses.