Wemix Network Breach by Nile Authentication Key Compromise

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:08, 9 May 2025 by Azoundria


WEMIX3.0, developed by WEMADE, introduces a robust, EVM-compatible blockchain platform that supports decentralized applications, games, DAOs, DeFi, and NFTs. It operates on a Stake-based Proof of Authority (SPoA) consensus, offering up to 4,000 transactions per second and incorporates WEMIX$, a stablecoin backed by USDC, to reduce token price volatility. However, a breach occurred when an authentication key for the NILE NFT platform was stolen after being exposed by a developer in a public repository. Over two months, the attacker successfully withdrew 8.65 million WEMIX tokens, valued at 6.22 million USD, which were sold on crypto exchanges. WEMIX responded by shutting down affected servers, launching a forensic investigation, and reporting the incident to authorities. They are working on integrating Chainlink’s CCIP for a more secure bridge and stabilizing the ecosystem. Ongoing efforts include addressing the market volatility, continuing the investigation, and improving communication with the community.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30]

About Wemix Network

WEMIX3.0, developed by WEMADE, marks a significant evolution in blockchain technology by offering a robust, EVM-compatible public chain based on a Stake-based Proof of Authority (SPoA) consensus. Backed by 40 trusted node partners and delivering up to 4,000 transactions per second, the platform supports decentralized applications, games, DAOs, DeFi, and NFTs. WEMIX3.0 introduces WEMIX$—a stablecoin collateralized by USDC—to reduce token price volatility, enhancing ecosystem stability. Core services include WEMIX PLAY (gaming), NILE (DAO), and decentralized finance, while its Ethereum-derived infrastructure ensures high compatibility and developer freedom.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

In February, gaming platform WEMIX was hacked, resulting in a $6.22 million loss.

Key Event Timeline - Wemix Network Breach by Nile Authentication Key Compromise
| Date | Event | Description |
|---|---|---|
| February 28th, 2025 | Authentication Key Compromised | On February 28, the hacker stole the authentication key of the NFT platform "Nile" and attacked the Play Bridge Vault system. |
| March 12th, 2025 6:03:00 AM MDT | Partial Resume Of Play Bridge | An announcement on Twitter that the Play Bridge has partially resumed. |
| March 13th, 2025 4:15:00 AM MDT | BuyBack Plan Announcement | WeMix announces a token buyback plan to rebuild trust after the Play Bridge incident. |
| March 14th, 2025 10:40:00 PM MDT | Wemix Stablecoin Depegging | Wemix Network reports that the WEMIX team has issued an update regarding the recent WEMIX$ depegging incident, acknowledging delays in communication and outlining key measures to resolve the issue. Central to the solution is the integration of Chainlink’s Cross-Chain Interoperability Protocol (CCIP) to securely bridge USDC to the WEMIX 3.0 mainnet, addressing vulnerabilities stemming from the previous external bridge service. While most preparatory steps are now complete, a few development procedures remain before full implementation. The team has committed to improving transparency and aims to release detailed recovery plans soon, cautioning users about potential market volatility in the meantime. |
| March 16th, 2025 8:33:15 PM MDT | Yonhap News Agency Article | Yonhap News Agency reports that WEMIX, the blockchain subsidiary of WeMade, suffered a major hacking incident on February 28, 2025, resulting in the theft of approximately 8.65 million WEMIX coins (worth around 9 billion KRW). CEO Kim Seok-hwan apologized publicly, explaining that the delayed disclosure was due to concerns about further attacks and market panic. The breach occurred through a stolen authentication key, likely exposed via a public repository, and was carried out by a professional hacker over a two-month period. The company has launched a buyback plan, is migrating its infrastructure, and is cooperating with authorities to pursue the attacker while working to regain investor trust. |
| April 22nd, 2025 3:51:00 AM MDT | First Token Buyback Happening | "We’ve successfully purchased KRW 10 billion worth of WEMIX to address the recent WEMIX PLAY Bridge incident." |

Technical Details

The WEMIX breach occurred due to the theft of an authentication key used in the service monitoring system of the NFT platform NILE, which is connected to the WEMIX ecosystem.

The attacker obtained an internal system authentication key, which granted unauthorized access to critical systems. The key is believed to have been exposed when a developer uploaded sensitive materials to a public repository in mid-July 2023 for development convenience. This likely became the initial point of compromise.

Over a span of two months, the attacker meticulously planned the breach and eventually used the stolen key to forge abnormal transactions, leading to 15 withdrawal attempts, 13 of which succeeded.

Approximately 8.65 million WEMIX coins were illegally withdrawn and sold via overseas crypto exchanges.
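
The initial point of compromise described above is a key committed to a public repository. As an added example (not code from WEMIX or from the original case study), the following sketch scans the added lines of a unified diff for credential-like material before it is pushed; the patterns, the 3.5 bits-per-character entropy threshold, and every file name and value in the sample diff are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")  # raw 256-bit value, e.g. an EVM signing key
ASSIGNMENT = re.compile(  # key-like name followed by a long literal value
    r"(?i)\b[\w.-]*(?:key|secret|token|passw(?:or)?d)[\w.-]*\s*[:=]\s*['\"]?([^\s'\"]{16,})")

def shannon_entropy(value):
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, new_line_no, reason) for each added line that looks like a credential."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: remember the path
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):            # hunk header "@@ -a,b +c,d @@"
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):             # added line: the only lines that are scanned
            line_no += 1
            match = ASSIGNMENT.search(raw[1:])
            if PEM_KEY.search(raw):
                findings.append((path, line_no, "pem-private-key"))
            elif HEX_KEY.search(raw):
                findings.append((path, line_no, "raw-256-bit-hex"))
            elif match and shannon_entropy(match.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
        elif raw.startswith(" "):             # context line: advances the line counter only
            line_no += 1
    return findings

# Constructed sample: no value below is a real credential.
FAKE_HEX = "0123456789abcdef" * 4
SAMPLE_DIFF = f"""\
--- a/monitoring/config.yaml
+++ b/monitoring/config.yaml
@@ -1,2 +1,4 @@
 service: monitor
 interval: 30
+auth_key: "q7Zp2LxV9sT4mK8wRb3NcY6dHf1JgA5e"
+log_level: debug
--- /dev/null
+++ b/scripts/deploy.env
@@ -0,0 +1,2 @@
+SIGNER_KEY=0x{FAKE_HEX}
+REGION=ap-northeast-2
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

The 64-hex pattern also matches SHA-256 digests and transaction hashes, so a real hook needs an allowlist for lockfiles and similar paths. Any finding on a public repository means the key should be rotated, since removing the commit does not revoke it.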

Total Amount Lost

WEMIX lost approximately 8.65 million WEMIX tokens, which were valued at around 6.22 million USD at the time of the breach in February 2025.

The total amount lost has been estimated at $6,220,000 USD.

Immediate Reactions

In response, WEMIX immediately shut down affected servers, began a forensic investigation, and reported the attack to the Seoul Metropolitan Police's cyber unit.

WEMIX shut down the affected servers right after detecting the breach to prevent further damage and secure the system. The team launched a detailed analysis of the breach and reported the incident to the Seoul Metropolitan Police's Cyber Investigation Unit for further investigation.

Ultimate Outcome

While there was a delay in the official announcement, WEMIX eventually acknowledged the incident publicly, apologizing for the communication delays and assuring that no attempt was made to conceal the breach.

WEMIX is integrating Chainlink’s Cross-Chain Interoperability Protocol (CCIP) to enable a more secure USDC bridge and prevent similar vulnerabilities going forward.

Total Amount Recovered

The loss of 8.65 million WEMIX tokens has already affected the market, with the tokens being sold on exchanges. WEMIX is focused on addressing market volatility, and there are ongoing efforts to regain investor confidence and stabilize the token’s value.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

The breach is under investigation by the Seoul Metropolitan Police's Cyber Investigation Unit. This includes tracking down the perpetrators and understanding the full scope of the attack.

WEMIX is working on resolving the depegging issue related to WEMIX$ by integrating Chainlink’s Cross-Chain Interoperability Protocol (CCIP) to securely bridge USDC to the WEMIX 3.0 mainnet, which will help stabilize the ecosystem and prevent similar breaches in the future.

The WEMIX team has committed to better communication going forward. They have apologized for the initial delays and are working on providing more timely updates on the recovery efforts and any new developments.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Gaming Platform WEMIX Hacked in February, Losing $6.22 Million; CEO Admits Delay in Notification but Denies Intentional Cover-Up - ODaily News (Accessed Apr 29, 2025)
  2. WEMIX on Hacking Incident: "Announcement Delayed Due to Concerns Over Further Attacks and Market Impact" (Comprehensive) - Yonhap News Agency (Accessed Apr 29, 2025)
  3. Wemix Network Documents (Accessed Apr 29, 2025)
  4. Wemix Network Homepage (Accessed Apr 29, 2025)
  5. Wemix Network - CoinMarketCap (Accessed Apr 29, 2025)
  6. Wemix Network - "NFT network conversion resumes with enhanced security. We're committed to a full service restoration by March 21st. We apologize for the disruption and thank you for your patience." - Twitter/X (Accessed Apr 29, 2025)
  7. Wemix Network - "The #WEMIX team has announced a 10 billion KRW #buyback plan to rebuild trust after the PLAY Bridge incident." - Twitter/X (Accessed Apr 29, 2025)
  8. Partial Resume of the PLAY Bridge Service - WEMIX Communication (Accessed Apr 29, 2025)
  9. Wemix Network - "We’ve successfully purchased KRW 10 billion worth of WEMIX to address the recent WEMIX PLAY Bridge incident." - Twitter/X (Accessed Apr 29, 2025)
  10. Status Update on WEMIX$ - WEMIX Communication (Accessed Apr 29, 2025)
  11. Wemix Network - "The #WEMIX Team has released an update regarding the WEMIX$ incident. These measures include integrating Chainlink's CCIP for USDC bridging." - Twitter/X (Accessed Apr 29, 2025)
  12. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  13. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  14. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  15. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  16. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  17. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  18. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  19. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  20. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  21. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  22. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  23. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  24. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  25. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  26. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  27. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  28. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  29. @WemixNetwork Twitter (Accessed Apr 29, 2025)
  30. @WemixNetwork Twitter (Accessed Apr 29, 2025)