Indonesian Crypto Exchange Indodax Hacked for $22M; Pauses Activity Before Bigger Hit

  • Indodax was hacked with over $22 million worth of various tokens stolen.
  • The exchange confirmed the security breach by pausing platform operations for "maintenance." However, there were indications of compromised social media activities, such as a suspicious giveaway announced on Instagram, suggesting further security issues.

Indonesia-based crypto exchange Indodax was hacked for over $22 million worth of various tokens early Tuesday in an apparent attack on their hot wallets, security researchers said on X.

Over $14 million worth of tokens including ether (ETH), $2.4 million in Tron’s TRX, $1.4 million in bitcoin (BTC) and $2.5 million in Polygon’s MATIC, among smaller amounts of other tokens, were stolen in the attack, security firms SlowMist and CertiK said.

The stolen stash was a relatively small amount as the exchange’s wallets continue to hold over $400 million worth of various tokens, Arkham data shows.

Indodax is a centralized cryptocurrency exchange established in 2014 and targets the local Indonesian market. It traded over $11 million worth of cryptocurrencies in the past 24 hours, CoinGecko data shows, and offers all tokens against the Indonesian rupiah, which is worth 15,409 IDR per U.S. dollar as of Tuesday.

Indodax confirmed the attack on their X account early Tuesday, stating that platform operations were paused due to “maintenance” activities. However, several users on X and the exchange’s Telegram channel claimed they could no longer see wallet balances.

Hello INDODAX Members,

We would like to inform you that our security team has found a potential security indication on our platform.

At present, we are carrying out comprehensive maintenance to ensure that all systems are operating properly. During this maintenance process,… pic.twitter.com/kYAc6ilERF

— indodax (@indodax) September 11, 2024

While platform operations remain paused, Indodax’s X account is touting a “giveaway” of Indonesian rupiah on their Instagram page - suggesting it may be compromised.

The exact mechanism of the attack remains to be determined and is not publicly known as of European morning hours.