
Indodax Withdrawal System Compromised: Technical Analysis of the $22 Million Attack

On September 10, 2024, Indonesian cryptocurrency exchange Indodax fell victim to a sophisticated security breach that resulted in the loss of approximately $22 million in digital assets. The attack, detected by security firms PeckShield, Cyvers, and SlowMist, targeted the exchange’s withdrawal infrastructure rather than its hot wallet private keys — a distinction that raises critical questions about the security architecture of centralized trading platforms.

The Exploit Mechanics

SlowMist’s analysis of the Indodax breach reveals a carefully orchestrated attack that exploited the exchange’s withdrawal system. Unlike typical hot wallet compromises where private keys are stolen, the attackers appear to have gained access to the withdrawal authorization mechanism itself. This allowed them to initiate more than 150 suspicious transactions across multiple blockchain networks, including Ethereum, Polygon, Tron, Bitcoin, and Optimism.

The stolen assets included 6.14 million USDT, 1,047 ETH worth approximately $2.48 million, 26.2597 BTC valued at $1.5 million, 2,202,200 POL tokens, 1.8 million USDT on Polygon, 2.36 million USDT on Tron, 160 billion BTT tokens, and 380 ETH on Optimism worth $870,000. The breadth of assets targeted across multiple chains indicates the attackers had deep access to Indodax’s withdrawal processing systems.

According to Cyvers Alerts, the suspicious address accumulated $14.4 million before beginning to swap the stolen tokens for Ether. This conversion pattern is significant — rather than converting to stablecoins as seen in previous hacks, the attackers chose native tokens like ETH, TRX, and POL, likely due to increased scrutiny and blacklisting efforts by Tether and other stablecoin issuers.

Affected Systems

The attack impacted Indodax’s withdrawal infrastructure across at least five blockchain networks. Merkle Science’s flow-of-funds analysis breaks down the damage: Ethereum accounted for $18.14 million in various tokens, Polygon saw $2.6 million stolen, Tron lost $2.43 million, Bitcoin losses totaled $1.5 million, and Optimism suffered $870,000 in theft.

Indodax, which holds a total asset volume of approximately $368 million according to CoinMarketCap, responded by immediately halting all withdrawals and placing the platform into maintenance mode. The exchange assured users that their funds would remain unaffected and balances would be preserved after the system update. At the time of the breach, Bitcoin was trading at approximately $58,127 and Ethereum at $2,362.

The Mitigation Strategy

Indodax’s incident response followed a standard playbook: immediate withdrawal suspension, fund migration to secure cold storage, and public communication. The exchange swiftly transferred remaining funds from compromised wallets to more secure locations, preventing further losses.

Cyvers has speculated that the North Korean hacker group Lazarus may be behind the attack, citing pattern similarities with previous state-sponsored cryptocurrency thefts. If confirmed, this would add to Lazarus’s growing portfolio of exchange breaches, which includes the $305 million DMM Bitcoin hack from May 2024 that on-chain researcher ZachXBT also attributed to the group.

Lessons Learned

The Indodax breach underscores several critical security lessons for the cryptocurrency industry. First, withdrawal system security is just as important as private key management. Exchanges must implement multi-layered authorization for withdrawal transactions, including hardware security modules, multi-signature requirements, and real-time anomaly detection.

Second, the shift in laundering tactics — from stablecoins to native tokens — suggests that attackers are adapting to blockchain surveillance improvements. This evolution demands more sophisticated on-chain monitoring tools capable of tracking fund movements across multiple native token conversions.

Third, the synchronized multi-chain nature of the attack highlights the need for cross-chain security monitoring. Security teams can no longer focus on a single network but must maintain visibility across all chains where their platform operates.
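The two controls called for above, layered withdrawal authorization with real-time anomaly detection and cross-chain visibility, can be combined into one monitoring choke point. The following is an added example written for this article, not Indodax's code or the code of any security firm named here: every chain's withdrawal requests pass through one monitor that applies per-request policy checks (destination whitelist, single-transaction cap) and sliding-window velocity checks across all chains, and routes anything that trips a rule to out-of-band approval instead of automatic signing. All thresholds, addresses, service names and sample requests are constructed, and the USD conversion of each amount is assumed to have been done upstream by a price feed.

```python
"""Cross-chain withdrawal monitor (added example; thresholds and data are constructed)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Withdrawal:
    ts: int              # unix timestamp (seconds) when the request was authorised
    chain: str           # network the withdrawal goes out on
    asset: str
    amount_usd: float    # USD value; assumes an upstream price feed already converted it
    to_address: str
    requester: str       # account or internal service that authorised the request


@dataclass
class Policy:
    whitelist: frozenset          # pre-approved destination addresses (constructed values)
    single_tx_cap_usd: float      # largest withdrawal that may be auto-approved
    window_seconds: int           # sliding window used by the velocity checks
    max_tx_per_window: int        # requests allowed in the window, all chains combined
    max_usd_per_window: float     # USD value allowed in the window, all chains combined
    max_chains_per_window: int    # distinct chains that may be touched inside the window


class CrossChainWithdrawalMonitor:
    """Single choke point through which every chain's withdrawal requests pass."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.recent = deque()   # every request seen inside the current window, held or not

    def _prune(self, now: int) -> None:
        while self.recent and now - self.recent[0].ts > self.policy.window_seconds:
            self.recent.popleft()

    def evaluate(self, w: Withdrawal):
        """Return ('approve', []) or ('hold', reasons).

        'hold' means the request goes to out-of-band approval (for example a
        multisig quorum) instead of being signed automatically.
        """
        p = self.policy
        reasons = []

        # Per-request controls: independent of history.
        if w.to_address not in p.whitelist:
            reasons.append("destination not on whitelist")
        if w.amount_usd > p.single_tx_cap_usd:
            reasons.append("exceeds single-transaction cap")

        # Velocity controls across all chains. Held requests stay in the window,
        # so a burst keeps auto-approval frozen until the window expires.
        self._prune(w.ts)
        self.recent.append(w)
        count = len(self.recent)
        total = sum(r.amount_usd for r in self.recent)
        chains = {r.chain for r in self.recent}
        if count > p.max_tx_per_window:
            reasons.append(f"{count} requests in {p.window_seconds}s window")
        if total > p.max_usd_per_window:
            reasons.append(f"${total:,.0f} requested in window")
        if len(chains) > p.max_chains_per_window:
            reasons.append(f"{len(chains)} chains touched in window: {sorted(chains)}")

        return ("hold", reasons) if reasons else ("approve", [])


def replay(requests, policy):
    """Feed requests through a fresh monitor in timestamp order; return the decisions."""
    monitor = CrossChainWithdrawalMonitor(policy)
    return [monitor.evaluate(w)[0] for w in sorted(requests, key=lambda r: r.ts)]


# Constructed policy and traffic; the numbers are illustrative, not Indodax's.
POLICY = Policy(
    whitelist=frozenset({"0xwhitelisted-customer-1", "Twhitelisted-customer-2"}),
    single_tx_cap_usd=50_000,
    window_seconds=300,
    max_tx_per_window=20,
    max_usd_per_window=250_000,
    max_chains_per_window=2,
)

NORMAL = [
    Withdrawal(1000, "ethereum", "USDT", 12_000, "0xwhitelisted-customer-1", "svc-withdraw"),
    Withdrawal(1060, "tron", "USDT", 8_000, "Twhitelisted-customer-2", "svc-withdraw"),
]

# A burst shaped like the pattern the article describes: many withdrawals across
# several chains inside a few minutes, each one individually under the cap.
NATIVE = {"ethereum": "ETH", "polygon": "POL", "tron": "TRX", "optimism": "ETH", "bitcoin": "BTC"}
BURST = [
    Withdrawal(2000 + i * 10, chain, NATIVE[chain], 30_000, "0xwhitelisted-customer-1", "svc-withdraw")
    for i, chain in enumerate(["ethereum", "polygon", "tron", "optimism", "bitcoin"] * 3)
]

if __name__ == "__main__":
    for w, decision in zip(NORMAL + BURST, replay(NORMAL + BURST, POLICY)):
        print(f"{w.ts:>5} {w.chain:<9} ${w.amount_usd:>8,.0f} -> {decision}")
```

The design point is that no single rule needs to be clever: each burst transaction here is whitelisted and under the per-transaction cap, so per-request checks alone would have approved all of them, and only the window that counts chains and value across networks holds the third request and everything after it. Run the file directly to see the per-request decisions.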

User Action Required

For Indodax users, the immediate priority is monitoring official communications from the exchange. Users should enable all available security features including two-factor authentication, withdrawal whitelist restrictions, and anti-phishing codes. For users on other exchanges, this incident serves as a reminder to minimize the amount of funds kept on any single platform and to transfer long-term holdings to personal hardware wallets.

The Indodax hack serves as yet another reminder that centralized exchanges remain high-value targets for sophisticated threat actors. As the cryptocurrency industry matures, the security perimeter must expand beyond private key protection to encompass the entire transaction processing infrastructure.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


13 thoughts on “Indodax Withdrawal System Compromised: Technical Analysis of the $22 Million Attack”

  1. targeting the withdrawal system instead of private keys is a different attack pattern. 150+ transactions across 5 chains means they had serious infrastructure set up beforehand

    1. segfault_: targeting withdrawal authorization instead of keys means they had inside knowledge or spent serious time reverse engineering the withdrawal flow. this wasn't opportunistic

    2. hitting the withdrawal authorization flow instead of keys is a nightmare scenario. means even cold storage practices on the exchange side wouldn't have helped

      1. Pavel B.: exactly. cold storage is pointless if the withdrawal signing flow itself is compromised. exchanges need hardware-level signing thresholds not just HSMs

        1. mekong_tracer_: hardware signing thresholds would have stopped this cold. the fact that a mid size exchange in 2024 still doesn't have them is negligent

  2. 6.14M USDT, 1047 ETH, 26 BTC… the mix of assets across ETH, Polygon, Tron and Optimism suggests they were probing multiple withdrawal endpoints simultaneously

    1. Diego M: the multi-chain approach is telling. they probably had withdrawal endpoints mapped for weeks before pulling the trigger

    2. 150+ suspicious transactions across 5 chains in one window. that requires serious coordination and testing beforehand. not some random exploit

  3. targeting withdrawal authorization instead of keys means their HSM setup was fine but the business logic on top of it was swiss cheese

  4. had funds on indodax back in 2021. pulled everything after their last security incident. once is bad luck, twice is negligence

  5. SlowMist catching this in real time shows how much better on-chain monitoring has gotten. PeckShield and Cyvers confirming within minutes too. the defensive side is improving

  6. indodax had a prior incident in 2021 and still got hit in 2024. at some point users need to stop trusting exchanges that refuse to learn

  7. indodax is one of the largest exchanges in southeast asia. $22M is bad but the real damage is user trust. that takes years to rebuild
