Indodax Withdrawal System Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Indodax is the largest and oldest cryptocurrency exchange in Indonesia. On September 10th, it was found that hackers were repeatedly exploiting the hot wallet withdrawal system to siphon funds from the platform. The platform was shut down for an investigation, which was able to determine the cause of the exploit. Indodax has reported that they plan to cover all losses of platform users and will be relaunching after the completion of a full security audit.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About Indodax

"The Largest Bitcoin and Crypto Asset Trading Platform in Indonesia"

"First in Indonesia 200+ Coins Crypto Assets Listed 6.6 Million Registered Member" "INDODAX always giving you the best price with 24-hour nonstop market. Providing easy and secure crypto trading for everyone." "Buying and selling platform with reasonable price, earn profits without having to be afraid to start." "With a 24-hour market activity, transactions can be made non-stop anywhere and real-time." "Transactions are easier and more secure with our mobile app or website in your hand." "INDODAX is registered and directly supervised by BAPPEBTI and Kemkominfo."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"On September 10th, Indodax, Indonesia's largest crypto exchange, learned a costly lesson in the dangers of wallet management and the persistence of sophisticated hacking groups."

Key Event Timeline - Indodax Withdrawal System Exploited

| Date | Event | Description |
|---|---|---|
| September 3rd, 2024 11:00:00 PM MDT | Indodax Promotion | Indodax releases a promotion offering "a total prize of IDR 4,000,000 for the 10 winners who take part #TTS (Fun Guessing)". |
| September 6th, 2024 5:35:00 AM MDT | Retweet of Safety Tweet | Indodax retweets a tweet with various safety tips for safe investing in cryptocurrency. |
| September 10th, 2024 1:04:23 PM MDT | First Attack Transaction | The very first attack transaction takes 660 ETH from the Indodax exchange wallet Indodax 1. |
| September 10th, 2024 4:10:00 PM MDT | Cyvers Posts Tweet | The Cyvers security team posts an alert on Twitter with "multiple suspicious transactions" from the Indodax "Safe wallets on different networks". The "Suspicious address already holds 14.4 million USD and [is currently swapping] the tokens to Ether." A screenshot of many transactions is included. |
| September 10th, 2024 4:35:00 PM MDT | Revision of Loss Total | Cyvers provides an update, noting that there are now "more than 150 transactions and total loss of $18.2 million". |
| September 10th, 2024 7:37:00 PM MDT | Balances Remain 100% Safe | Indodax tweets to let their community know that their "security team has discovered a potential security issue on [thei]r platform". "But don't worry, we can assure you that your balance remains 100% safe both in crypto and rupiah." |
| September 10th, 2024 8:36:00 PM MDT | William Sutanto Tweet | Indodax co-founder William Sutanto tweets to confirm that a security incident did occur that morning and that their "team is currently conducting a full investigation to find out the security gap that was exploited". |
| September 10th, 2024 9:23:00 PM MDT | SlowMist Summarizing Losses | SlowMist publishes a summary of the losses, which at this point total nearly $22m. It's unclear if these are based on what was taken or the assets the hacker ended up with after doing blockchain swaps/exchanges of the assets. |
| September 10th, 2024 10:32:00 PM MDT | Phishing Attack Warning | Indodax warns users to be cautious of phishing attacks which are pretending to be from Indodax and to avoid giving away any personal information. |
| September 11th, 2024 12:14:00 AM MDT | Tally Of Loss Total | Lookonchain posts a tweet reporting the hack total as "$22M" and including "6.14M $USDT; 1,047 $ETH($2.48M); 25 $BTC ($1.41M); 2.2M $MATIC($849K); 1.4M $ARB($749.6K); 2M $ENA($465K);". At this time, the "hacker has converted most of the stolen assets into native tokens and currently holds: 5584 $ETH($13M); 16.74M $TRX($2.56M); 6.84M $POL($2.55M); 25 $BTC($1.41M);". |
| September 11th, 2024 12:41:00 AM MDT | SlowMist Analysis Of Breach | SlowMist shares an analysis of the breach, which suggests that the breach targeted the withdrawal system, and that evidence does not support a direct breach of the hot wallets themselves. |
| September 11th, 2024 1:03:00 AM MDT | Large Giveaway Promotion | The exchange tweets to announce that they are giving away 3 million rupiah every hour to 3 winners while the platform is under maintenance. |
| September 11th, 2024 1:12:00 AM MDT | William Sutanto Tweet | Indodax co-founder William Sutanto posts to users that the team is "still in the process of investigating this case" and to confirm that "Indodax will cover the losses from this hacking case". |
| September 11th, 2024 1:53:00 PM MDT | Rekt News Publishes Article | Rekt News publishes their article covering the events of the breach. |
| September 13th, 2024 3:20:00 AM MDT | IndoDax Tweet Update | Indodax provides an update to highlight that they are conducting an audit and currently have enough assets to cover all user deposits. |
| September 13th, 2024 7:38:00 AM MDT | Security Hole Found Update | Indodax posts an update to Twitter announcing that they have found the exploit used by the hacker, and are in the process of an extensive full system audit to discover any other potential security holes in the system. Once that's done, they plan to bring the system back online and all assets will be the same as before the exploit. |

Technical Details

"The stolen funds were withdrawn from the Indodax exchange's hot wallet by the hacker using a whole number (1 BTC or 3 BTC), and the remaining bitcoin in this transaction was withdrawn to some addresses as a change."
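
Added example (not part of the original case study and not Indodax's or any monitoring vendor's code): a detection sketch for the pattern described on this page, many hot-wallet withdrawals in a short window, largely whole-number amounts, reaching one destination across several networks. The record fields, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Thresholds are assumptions for illustration; tune against normal withdrawal traffic.
WINDOW_S = 1800        # sliding window length in seconds
MIN_COUNT = 4          # withdrawals to one destination within the window
MIN_ROUND_RATIO = 0.5  # share of whole-number amounts that looks scripted

def is_whole(amount: str) -> bool:
    """True when the amount has no fractional part (e.g. 1 BTC, 3 BTC, 660 ETH)."""
    d = Decimal(amount)
    return d == d.to_integral_value()

def flag_bursts(withdrawals, window_s=WINDOW_S, min_count=MIN_COUNT,
                min_round_ratio=MIN_ROUND_RATIO):
    """Return one alert per destination whose hot-wallet withdrawals form a burst."""
    by_dest = defaultdict(list)
    for w in withdrawals:
        by_dest[w["dest"]].append(w)
    alerts = []
    for dest, rows in by_dest.items():
        rows.sort(key=lambda w: w["ts"])
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the window spans at most window_s seconds.
            while rows[end]["ts"] - rows[start]["ts"] > window_s:
                start += 1
            win = rows[start:end + 1]
            ratio = sum(is_whole(w["amount"]) for w in win) / len(win)
            if len(win) >= min_count and ratio >= min_round_ratio:
                alerts.append({"dest": dest, "count": len(win),
                               "networks": sorted({w["network"] for w in win}),
                               "round_ratio": round(ratio, 2),
                               "first_ts": win[0]["ts"]})
                break  # one alert per destination is enough to page someone
    return alerts

# Constructed sample records (not real transactions); "dest" values are placeholders.
SAMPLE = [
    {"ts": 0,    "network": "bitcoin",  "dest": "DEST_A", "amount": "1"},
    {"ts": 120,  "network": "bitcoin",  "dest": "DEST_A", "amount": "3"},
    {"ts": 300,  "network": "ethereum", "dest": "DEST_A", "amount": "660"},
    {"ts": 420,  "network": "tron",     "dest": "DEST_A", "amount": "250000.5"},
    {"ts": 500,  "network": "bitcoin",  "dest": "DEST_B", "amount": "0.0412"},
    {"ts": 9000, "network": "ethereum", "dest": "DEST_B", "amount": "2"},
]

if __name__ == "__main__":
    for alert in flag_bursts(SAMPLE):
        print(alert)
```

An alert of this kind is a reason to pause automated hot-wallet withdrawals pending review; it does not by itself identify how the withdrawal system was abused.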

Total Amount Lost

The total amount lost has been estimated at $21,996,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Hey @indodax, Our system has detected multiple suspicious transactions involving your wallets on different networks. Suspicious address already holds 14.4 million USD and swapping the tokens to Ether."

"As alerts of the exploit spread, observers watched in fascination as the hackers performed their dark magic, siphoning funds across multiple chains with the finesse of a digital David Copperfield."

"We are still in the process of investigating this case. For Indodax users, there is no need to worry because Indodax will cover the losses from this hacking case. Your assets are SAFU."

Ultimate Outcome

"We would like to provide an update on our ongoing efforts to ensure the security and stability of the INDODAX system. We are currently working with an external party that specializes in Cyber Security Forensic Investigation to conduct a thorough audit of our database, software, and servers. This is part of our commitment to continuously improve the security of the platform."

"We have found a security hole exploit used by the attacker and are remediating the hole. Currently, together with several world-class cybersecurity consulting, we are conducting an intensive audit to ensure that there are no more exploits/backdoors in the system. Once this can be confirmed, we will immediately open platform access to the public. This is to ensure that member assets remain safe and there are no similar incidents.

In the next few days the system will be back up, member asset balances, both Rupiah and crypto, will be exactly the same as before the maintenance. After all maintenance is complete, assets can be traded or sent as usual.

Indodax apologizes profusely for this incident. Thank you for your patience in waiting for the system to be back up."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Indodax - Rekt (Accessed Sep 13, 2024)
  2. @CyversAlerts Twitter (Accessed Sep 13, 2024)
  3. @CyversAlerts Twitter (Accessed Sep 13, 2024)
  4. @lookonchain Twitter (Accessed Sep 13, 2024)
  5. Arkham (Accessed Sep 13, 2024)
  6. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 13, 2024)
  7. Indodax Exploiter 1 | Address 0xb0a2e43d3e0dc4c71346a71484ac6a2627bbcbed | Etherscan (Accessed Sep 13, 2024)
  8. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 13, 2024)
  9. @RektHQ Twitter (Accessed Sep 13, 2024)
  10. @SlowMist_Team Twitter (Accessed Sep 13, 2024)
  11. @SlowMist_Team Twitter (Accessed Sep 13, 2024)
  12. @WilliamSutant0 Twitter (Accessed Sep 13, 2024)
  13. @WilliamSutant0 Twitter (Accessed Sep 13, 2024)
  14. @indodax Twitter (Accessed Sep 13, 2024)
  15. @indodax Twitter (Accessed Sep 13, 2024)
  16. @indodax Twitter (Accessed Sep 13, 2024)
  17. @kelukesahcrypto Twitter (Accessed Sep 13, 2024)
  18. Jual Beli Bitcoin dan Trading Kripto Indonesia - INDODAX (Accessed Sep 13, 2024)