Major Hack Hits Indonesian Crypto Exchange Indodax: Over $22 Million Stolen

TLDR:

• Indonesian crypto exchange Indodax was hacked for over $22 million
• Various tokens were stolen including ETH, TRX, BTC, and MATIC
• Indodax paused operations and is conducting a security investigation
• The exchange’s social media may also be compromised
• Hackers began converting stolen funds to ETH and using mixing services

Indonesian cryptocurrency exchange Indodax fell victim to a security breach on September 11, 2024, resulting in the theft of over $22 million worth of various digital tokens.

The attack, which targeted the exchange’s hot wallets, has forced Indodax to temporarily suspend all platform operations while they investigate the incident.

Indodax, established in 2014, is one of Indonesia’s largest cryptocurrency exchanges. It caters primarily to the local market, offering trading pairs against the Indonesian rupiah. Before the hack, the exchange reported a 24-hour trading volume of approximately $11 million.

Security researchers from firms such as Slowmist and CertiK first raised the alarm about the breach on social media. According to their findings, the stolen funds included more than $14 million in Ethereum (ETH), $2.4 million in Tron (TRX), $1.4 million in Bitcoin (BTC), and $2.5 million in Polygon (MATIC), among other tokens.

🚨SlowMist Security Alert🚨

Indonesian crypto exchange @indodax suffered an attack a few hours ago, with the hacker stealing various tokens from hot wallets. The total loss is approximately $22 million💸. Below are the details of the losses⬇️ pic.twitter.com/r4i0rBbctJ

— SlowMist (@SlowMist_Team) September 11, 2024

The exchange confirmed the security incident on its official X (formerly Twitter) account, stating that platform operations were paused due to “maintenance” activities.

However, users reported that they could no longer view their wallet balances, raising concerns about the extent of the breach.

While the exact mechanism of the attack remains unknown, some security experts suspect it may have involved a compromise of Indodax’s withdrawal system. This potentially allowed the hacker to drain funds from the exchange’s hot wallet, which typically holds a portion of user funds for immediate transactions.

Despite the significant loss, it’s worth noting that the stolen amount represents only a fraction of Indodax’s total holdings.

Blockchain analytics firm Arkham reported that the exchange’s wallets still contain over $400 million worth of various tokens.

In response to the breach, Indodax has taken action by disabling both its mobile and web applications. The exchange assured users that their assets, including both cryptocurrencies and Indonesian rupiah, remain safe. However, the situation is still developing, and users are advised to stay alert for official updates from Indodax.

Adding to the complexity of the situation, there are indications that the attacker may have gained access to Indodax’s social media accounts.

A suspicious “giveaway” promotion appeared on the exchange’s Instagram page following the hack, suggesting that the breach may extend beyond just the exchange’s hot wallets.

Blockchain investigation firms have reported that the hacker quickly began converting the stolen tokens to Ethereum.

There are concerns that the attacker may be using cryptocurrency mixing services like Tornado Cash to obscure the trail of the stolen funds, making it more challenging for authorities to track and recover the assets.