SIM Swap Attack: OKX Investigates Millions in Crypto Stolen

Key Takeaways

  • OKX and SlowMist are investigating a major security breach that led to a multimillion-dollar exploit.
  • According to one analysis, the attackers downgraded OKX's 2FA to SMS verification and used it to whitelist withdrawal addresses.
  • SlowMist suggests that OKX's 2FA system might not have been the main vulnerability exploited, indicating a more complex security issue at play.

OKX and its security partner, SlowMist, are investigating a major security breach that stole cryptocurrency from two user accounts.

The incident occurred on June 9 and was executed through a SIM swap, in which the attacker takes over the victim's mobile number at the carrier so that SMS verification codes are delivered to the attacker instead. The OKX SIM attack has prompted the exchange to undertake a thorough examination to fully understand the exploit.

Is 2FA System Breach a Cause?

Yu Xian, the founder of SlowMist, a blockchain security firm, commented on the incident in a post on X.

While the amount stolen through the attack remains undisclosed, Xian confirmed that “millions of dollars of assets were stolen” from the two OKX user accounts targeted in the SIM swap attack.

As noted by Xian, both users received SMS notifications of suspicious activity purportedly originating from Hong Kong. The attackers then created unauthorized API keys with withdrawal and trading permissions. The trading permission initially raised suspicions of cross-trading (trading against attacker-controlled accounts to move value), though this theory has since been discounted.

The attacks appear to have been orchestrated by a coordinated criminal group. MistTrack is monitoring the digital wallet addresses linked to both breaches.

Interestingly, SlowMist’s initial analysis suggests that the exchange’s 2FA mechanisms may not have been the primary point of vulnerability exploited in this attack.

However, according to an analysis by the Web3 security group Dilation Effect, OKX's 2FA system allowed a fallback to a weaker verification method; with the victims' phone numbers under their control, the attackers chose SMS verification and used it to whitelist withdrawal addresses.
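To make the failure mode concrete, the following is an added illustration, not OKX's code or the analysts' tooling. It models the two behaviours the article describes: a permissive policy in which any enrolled factor (including SMS) can whitelist a withdrawal address, beside a hardened policy that refuses a downgrade below the strongest enrolled factor, refuses SMS alone for fund-moving actions, and enforces a cooling-off period after 2FA settings change. It also includes a simple detector for the sequence seen here (verification-method change shortly followed by an address whitelist and an API key with withdrawal permission). The factor names, action names, 24-hour cooling-off period, and all sample data are assumptions.

```python
"""Added example (not OKX's code): step-up authorization for sensitive exchange
actions and a detector for the 2FA-downgrade-then-drain sequence. Factor and
action names, the cooling-off period and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed strength ordering: SMS is weakest because a SIM swap hands it to the attacker.
FACTOR_RANK = {"sms": 1, "totp": 2, "security_key": 3}
# Assumed set of actions that move funds or enable moving them.
SENSITIVE_ACTIONS = {"whitelist_withdrawal_address", "create_api_key_withdraw", "withdraw"}
COOLDOWN = timedelta(hours=24)  # assumed cooling-off after a 2FA settings change


@dataclass
class Account:
    enrolled: frozenset                              # factors the user has set up
    security_changed_at: Optional[datetime] = None   # last change to 2FA settings


def permissive_policy(account: Account, action: str, factor_used: str) -> bool:
    """Weak policy: any enrolled factor satisfies any action.
    An attacker holding only the victim's phone number chooses 'sms' and succeeds."""
    return factor_used in account.enrolled


def strict_policy(account: Account, action: str, factor_used: str, now: datetime) -> Tuple[bool, str]:
    """Hardened policy: no downgrade below the strongest enrolled factor, no SMS-only
    authorization of sensitive actions, and a cooling-off period after 2FA changes."""
    if factor_used not in account.enrolled:
        return False, "factor not enrolled"
    if action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    strongest = max(FACTOR_RANK[f] for f in account.enrolled)
    if FACTOR_RANK[factor_used] < strongest:
        return False, f"{factor_used} is weaker than an enrolled factor; downgrade refused"
    if factor_used == "sms":
        return False, "SMS alone cannot authorize a sensitive action"
    if account.security_changed_at is not None and now - account.security_changed_at < COOLDOWN:
        return False, "2FA settings changed within the cooling-off period"
    return True, "ok"


@dataclass
class Event:
    ts: datetime
    kind: str      # "verification_method_changed" | "address_whitelisted" | "api_key_created"
    detail: str


def flag_suspicious(events: List[Event], window: timedelta = COOLDOWN) -> List[str]:
    """Detection: report whitelist/API-key events that follow a verification-method
    change within `window`; later events outside the window are not flagged."""
    alerts = []
    last_change = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "verification_method_changed":
            last_change = ev
        elif ev.kind in ("address_whitelisted", "api_key_created") and last_change is not None:
            gap = ev.ts - last_change.ts
            if gap < window:
                minutes = int(gap.total_seconds() // 60)
                alerts.append(f"{ev.kind} ({ev.detail}) {minutes} min after '{last_change.detail}'")
    return alerts


# Constructed sample data (invented timestamps and values): a victim with TOTP and
# SMS enrolled, and a timeline resembling the pattern described in the article.
NOW = datetime(2024, 6, 9, 12, 0, tzinfo=timezone.utc)
VICTIM = Account(enrolled=frozenset({"sms", "totp"}), security_changed_at=NOW - timedelta(minutes=5))
SAMPLE_EVENTS = [
    Event(NOW - timedelta(minutes=5), "verification_method_changed", "totp -> sms"),
    Event(NOW - timedelta(minutes=3), "address_whitelisted", "addr_example_1"),
    Event(NOW - timedelta(minutes=1), "api_key_created", "permissions=withdraw,trade"),
    Event(NOW + timedelta(days=3), "api_key_created", "permissions=read"),
]


def demo() -> dict:
    """Run both policies and the detector on the constructed data."""
    action = "whitelist_withdrawal_address"
    return {
        "permissive_allows_sms": permissive_policy(VICTIM, action, "sms"),
        "strict_sms": strict_policy(VICTIM, action, "sms", NOW),
        "strict_totp_now": strict_policy(VICTIM, action, "totp", NOW),
        "strict_totp_later": strict_policy(VICTIM, action, "totp", NOW + timedelta(days=2)),
        "alerts": flag_suspicious(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The strict policy deliberately refuses the legitimate TOTP request made five minutes after the settings change as well; the cooling-off period trades a day of inconvenience for the account holder against the attacker's need to drain funds before the victim notices the "suspicious activity" SMS. The detector is the same rule applied after the fact, which is what an operations team would want when a policy like this is not yet enforced.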

Rise in 2FA Bypassing

The incident highlights the growing sophistication of hackers in bypassing 2FA security measures.

On June 3, a Chinese trader lost $1 million to a scam involving a malicious Google Chrome extension called Aggr. The extension stole the user's session cookies; replaying an already-authenticated session let the attackers act on the account without needing the password or a 2FA code.

CryptoNakamao shared the information on X. In a now-deleted post, they disclosed that their Binance account had started executing unexpected trades, which they only discovered when they opened the exchange's app to check the price of Bitcoin.

When CryptoNakamao finally sought help from Binance, it was too late: the thief had already emptied their account.

Phishing in Crypto Industry

Phishing attacks are another common threat vector that has been on the rise in the cryptocurrency space.

Recently, CoinGecko, a popular crypto data aggregator, confirmed a data breach at its third-party email management platform, GetResponse, which resulted in 23,723 phishing emails being sent to its users.

These phishing attacks often aim to steal sensitive information like crypto wallet private keys or trick investors into sending funds to fraudulent addresses through address poisoning scams.

According to Merkle Science’s 2024 HackHub report, over 55% of hacked digital assets were lost due to private key leaks during 2023, highlighting the growing importance of safeguarding personal data and private keys to mitigate the risk of such attacks.