BingX Massive Hot Wallet Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

BingX is a large exchange which promotes itself through a sponsorship of the Chelsea Football Club in Fulham, West London. The exchange boasts "100% Proof-of-Reserves with top cybersecurity organizations as partners". On September 19th, 2024, the exchange found that assets were rapidly draining from its hot wallets, and confirmed this publicly roughly an hour after multiple industry sources had reported the outflows. The exchange quickly promised to cover all user assets on the platform and over the course of the next week began enabling withdrawals again.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About BingX

"Founded in 2018, BingX is a leading crypto exchange offering spot, derivatives, copy trading, and asset management. Experience a trustworthy platform that empowers you with innovative tools to elevate your trading game."

"BingX" "OFFICIAL CRYPTO EXCHANGE PARTNER OF CHELSEA FC"

"A global digital services financial institution with branch offices in Canada, the EU, and Australia"

"Regulated business and services in countries where it operates"

"Robust identity verification, compliance and Know Your Customer (KYC) with Sumsub as a partner"

"Auto-detection of cybercrime-related risks with advanced AI technology"

"100% Proof-of-Reserves with top cybersecurity organizations as partners"

"Security audit approved by the leading security-focused ranking platform CertiK"

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

On September 19th, BingX learned a costly lesson in the dangers of hot wallet management and the persistence of sophisticated hacking groups.

Key Event Timeline - BingX Massive Hot Wallet Breach

| Date | Event | Description |
|---|---|---|
| September 19th, 2024 4:05:23 PM MDT | USDC Withdrawal Transaction | The first withdrawal transaction transfers 32.5k worth of USDC. |
| September 19th, 2024 4:09:11 PM MDT | Ethereum Withdrawal Transaction | Blockchain transaction transfers 13.394989549463115896 ETH to the first exploiter address. |
| September 19th, 2024 6:11:00 PM MDT | Tayvano Tweet | Tayvano tweets some of the addresses involved in the attack, starting a thread where further information will be posted. |
| September 19th, 2024 6:37:00 PM MDT | PeckShield Tweet | PeckShield tweets to notify BingX that they will want to take notice, since significant outflows of funds from the exchange are being observed. |
| September 19th, 2024 7:20:00 PM MDT | Temporary Maintenance Mode | BingX announces that their wallets have been placed in a temporary maintenance mode. |
| September 19th, 2024 8:47:00 PM MDT | Vivien Announces Full Compensation | Vivien Lin announces that "BingX will fully compensate for the loss with our own capital" and calls the loss "minimal and manageable". "Withdrawals and deposits are temporarily delayed and are expected to be restored within 24 hours at the latest." |
| September 19th, 2024 11:44:00 PM MDT | Cyvers Loss Estimation | According to Cyvers, "Estimated losses have now exceeded $52M, with most of the stolen assets currently being swapped. Affected chains include #ETH, #BNB, #BASE, #OP, #POLYGON, #ARB, and #Avalanche." |
| September 20th, 2024 3:43:00 AM MDT | Blacklist Policy Support | Vivien Lin discusses the exchange's support of blacklisting known attack addresses and calls for the industry to come together to secure against known bad actors who are moving illicit funds. |
| September 20th, 2024 8:21:00 AM MDT | Swapping Is Completed | Tayvano announces that the attackers appear to be finally done swapping their cryptocurrency. She provides a summary screenshot with the times of the wallet movements and an analysis of the breaks which the attacking team has taken. |
| September 23rd, 2024 3:42:00 AM MDT | Withdrawals Reopening | Main chain withdrawals are reopened for Tron, BSC, and ETH chains. Other chains and smaller altcoins will be reopened gradually. |

Technical Details

Wallet addresses from Tayvano:

  • 0xf7e8033366166f92eb477b7b38e0d47d47b43326
  • 0xb0146aec3593410c8307b570af69adf4d74678b3
  • 0x940362b46faf7df48af1c8989d809f50466b5fca
  • 0x1Dd7dAf089C16856155FeFd7e2170966bb6b3AEE

Total Amount Lost

According to Cyvers, "Estimated losses have now exceeded $52M, with most of the stolen assets currently being swapped. Affected chains include #ETH, #BNB, #BASE, #OP, #POLYGON, #ARB, and #Avalanche."

The total amount lost has been estimated at $44,061,000 USD.

Immediate Reactions

"[Temporary Wallet Maintenance Notice]

Schedule: ~24 hours When maintenance is done, we will announce it through a notice.

We sincerely apologize for any inconvenience this may cause and appreciate your patience."

"At around 4am 20 Sep Singapore time, our technical team detected abnormal network access, suspecting a hacker attack on BingX's hot wallet. We immediately started our emergency plan, including the urgent transfer of assets and withdraw suspension. There has been minor asset loss, but the amount is small and still being calculated.

To protect user assets, we use a layered management system, with the majority of assets stored in cold wallets and only a minimal stored in hot wallets for withdrawals. To ensure security, withdrawals have been temporarily suspended while we conduct an emergency inspection and strengthen wallet services. We sincerely apologize for the inconvenience. Withdrawals will be restored within 24 hours at the latest.

BingX and the development team apologize for the disruption. Our mission to provide a seamless and trusted trading environment remains firm. We are working on a compensation plan, which will be announced soon. Thank you for your understanding and continued support."

"While the loss is still under calculation, we confirm the following:

1) BingX will fully compensate for the loss with our own capital.

2) The total loss is minimal and manageable. This incident will not affect our ongoing business operations. Trading services continue as usual. Withdrawals and deposits are temporarily delayed and are expected to be restored within 24 hours at the latest.

3) Users' assets are safe and well-protected under our layered asset management architecture.

Thank you for your understanding and continued support. We will keep you posted."


Ultimate Outcome

"Our deposit and withdrawal services are gradually reopening. This incident has allowed us to feel an unprecedented level of trust and support from our users, project teams, and institutional partners.

Withdrawals were restored earlier than deposits because we fully understand the urgency users feel to protect their assets during uncertain times. The delay in reopening deposits was due to our need to ensure the wallet services were secure enough to avoid any further damage. During the first few hours, I was constantly monitoring the numbers. On the one hand, I worried about the system's capacity to handle a potential rush of withdrawals, but my greater concern was how we would rebuild our hard-earned brand image.

However, over the past 24 hours, both the number of users withdrawing and the amount withdrawn were far lower than expected. At this moment, our hearts are filled with gratitude. We deeply thank all our users and partner institutions for your trust!"

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - BingX - Rekt (Accessed Sep 23, 2024)
  2. @tayvano_ Twitter (Accessed Sep 23, 2024)
  3. @BingXOfficial Twitter (Accessed Sep 23, 2024)
  4. @Vivien_BingX Twitter (Accessed Sep 23, 2024)
  5. @CyversAlerts Twitter (Accessed Sep 23, 2024)
  6. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
  7. https://bingx.com/en/ (Accessed Sep 23, 2024)
  8. https://bingx.com/en/sponsorship/ (Accessed Sep 23, 2024)
  9. - YouTube (Accessed Sep 23, 2024)
  10. @Vivien_BingX Twitter (Accessed Sep 23, 2024)
  11. Arkham (Accessed Sep 23, 2024)
  12. Arkham (Accessed Sep 23, 2024)
  13. @tayvano_ Twitter (Accessed Sep 23, 2024)
  14. @peckshield Twitter (Accessed Sep 23, 2024)
  15. SlowMist Hacked - SlowMist Zone (Accessed Sep 23, 2024)