Indonesia-based cryptocurrency exchange Indodax is the latest victim of an attack with speculations emerging that it might have been orchestrated by the North Korean Lazarus group.
The breach was flagged by cyber security platform Cyvers and confirmed by other platforms such as PeckShield and SlowMist.
The attack targeted Indodax’s hot wallet and managed to siphon off roughly $22 million worth of various cryptocurrencies including Bitcoin, Ether, Polygon, and Tron alongside other tokens.
Cyvers states the theft was carried out over 150 transactions and the attacker immediately started swapping the funds for Ether, a tactic commonly used by criminals to prevent the stolen assets from being blacklisted.
Ether itself has no protocol-level mechanism for freezing or blacklisting an address. By contrast, ERC-20 tokens are smart contracts, so their issuers can keep a mapping of blacklisted addresses inside the contract and reject any transfer that involves one of them.
With the stolen funds converted to ETH, the attackers tend to launder the spoils via cryptocurrency mixers like Tornado Cash.
Details of the attack
In this case, the heist involved over $1.42 million in Bitcoin, approximately $2.4 million in Tron-based tokens, more than $14.6 million in various ERC-20 tokens, around $2.58 million in POL, and an additional $900,000 in ETH from the Optimism blockchain.
According to Cyvers, the attack originated from a leak of the hot wallet’s private key, possibly due to a breach in Indodax’s signature machine — the device used to sign and approve transactions.
However, SlowMist estimated that the exploit resulted from a vulnerability in the exchange’s withdrawal system which allowed the attacker to siphon the funds from the hot wallets.
Meanwhile, Indodax suspended all services on its platform after acknowledging the breach and its website was also down at the time of publication.
In an X post, the platform said it was “conducting a complete maintenance” and assured users that their funds were safe.
In a subsequent post, the exchange also warned users to avoid any entities pretending to be Indodax and offering fund recovery services.
This is a common scam tactic where fraudsters trick victims of security breaches into sending money, falsely promising to help recover their lost funds.
To provide some relief to its users during the ongoing maintenance, the exchange has announced a giveaway, offering 3 million rupiah (roughly $200) every hour to three winners, a move that is not typical in a situation like this.
However, with a reserve balance of $369 million, according to CoinMarketCap data, Indodax has a sizeable cushion that could be used to help compensate affected investors.
Lazarus group suspected
In the meantime, Yosi Hammer, Head of AI at Cyvers, has suggested that the attack bears similarities to previous hacks carried out by North Korea’s Lazarus Group — notorious for its sophisticated crypto heists.
The Lazarus group was also speculated to have been behind the July 18 attack on the Indian crypto exchange WazirX. In a similar vein, $230 million worth of assets were stolen from the exchange’s hot wallets and laundered via Tornado Cash.
The severity of the attack led to a complete shutdown of the platform, which is now pursuing a Singapore Scheme of Arrangement.
As previously reported by Invezz, the North Korean state-backed hacking group has been involved in more than 25 hacks across various blockchains from August 2020 to October 2023.
The post Indodax hacked for $22 million, Lazarus Group suspected appeared first on Invezz