Bilaxy Hot Wallet Breach
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Bilaxy is a cryptocurrency exchange platform based in Seychelles. On August 29th, 2021, their ERC20 hot wallet was breached. Other funds remained safe. The exchange ultimately reopened withdrawals a month later on September 23rd, however it's unclear if the affected ERC20 tokens will ever be available for users.
This exchange or platform is based in Seychelles, or the incident targeted people primarily in Seychelles. [1][2][3][4][5][6][7][8][9][10][11]
About Bilaxy
"BILAXY-The World's Leading Crypto Asset Trading Platform."
"Bilaxy is a centralized cryptocurrency exchange platform that was registered in the Republic of Seychelles and went on the market at the beginning of 2018. It has managed to get more than hundreds of thousands of users distributed in 80 countries. This platform focuses very well on liquidating the new tokens for those people who are used to trading with cryptocurrencies worldwide."
"Bilaxy has a little over 150 pairs of cryptocurrencies. Its main objective is, like Binance, the establishment of an international platform that is a pioneer in providing different tokens to those who trade, always based on a transparent, reliable business, with optimal quality and excellent customer service."
"The Bilaxy exchange tweeted that the hot wallet was hacked and lost approximately 296 tokens (including ETH). Users, please do not send any more funds to the Bilaxy account."
"Pls note Bilaxy Hot wallet was hacked. [Please] DON't send any funds to your bilaxy accounts again. We are racing with the time to checking and fixing. Pls wait for further Notice."
"Hot wallet suffered a serious hack, about 295 ERC20 tokens were hacked and transferred by the hacker."
"The hacked incident involved only part of erc20 tokens holding in hot wallet. Other coins/tokens such as BTC, ETH were not affected."
"It appears the only erc-20 coin that can be declared safe from Bilaxy hack is @pinblockchain PIN coin. Thankfully the Devs @JosephFiscella took action quickly. All 227k coins safe."
"Thanks for your [patience], the past week was really a tough week for us and users. In response to the hacking incident, in the past week, we have made an all-out efforts to stop the loss and investigate the hack thoroughly."
"At present, we are working closely with third-party security auditing companies and have made initial progress. The time it will take to resume the platform depends on the progress of our work and it will take."
"Bilaxy expects to resume part tokens' withdrawal at 11:00 (UTC) on Sep. 23rd. In order to further enhance website security, you are required to reset the [security] password after logging into the bilaxy account. Otherwise you can't make [a] withdrawal or [trade]."
"From Sep 23rd, Bilaxy will gradually restore part of tokens' withdrawals." "For the non-affected tokens during the hacking incident, withdrawals will be opened one after another gradually." "For part of the affected tokens during the hacking incident, the withdrawal plan for each token will be available after its withdrawal restored. You could check the details of the withdrawal plan on its withdrawal page one its withdrawal [is] restored."
"For [security] reason and strict withdrawal approval process, the withdrawals may be slow. We will try our best to approve for you within 24 hours. [Please] wait patiently."
This exchange or platform is based in Seychelles, or the incident targeted people primarily in Seychelles.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| August 29th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $21,709,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
The fundamental problem was a failure to securely store the ERC20 tokens. Tokens should be stored in a multi-signature wallet held by independent operators, with all keys stored offline.
References
- ↑ SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- ↑ https://www.bilaxy.com/ (Dec 6, 2021)
- ↑ Bilaxy Exchange: Register and Features (Dec 6, 2021)
- ↑ @Bilaxy_exchange Twitter (Dec 6, 2021)
- ↑ @Bilaxy_exchange Twitter (Dec 6, 2021)
- ↑ @Bilaxy_exchange Twitter (Dec 6, 2021)
- ↑ @Bilaxy_exchange Twitter (Dec 6, 2021)
- ↑ Account 0xa14d5da3c6bf2d9304fe6d4bc6942395b4de048b - etherchain.org - 2021 (Dec 6, 2021)
- ↑ @G4000Sean Twitter (Dec 6, 2021)
- ↑ @Bilaxy_exchange Twitter (Dec 6, 2021)
- ↑ https://bilaxy.zendesk.com/hc/en-us/articles/360020457811-KYC-FAQs (Dec 6, 2021)