If you have been following cryptocurrency news recently, you may have seen reports about the Indodax exchange hack that resulted in approximately $22 million in stolen assets on September 10, 2024. For newcomers to the cryptocurrency space, headlines about exchange breaches can feel alarming and confusing. What does this mean for your investments? Is your money safe? What should you do next? This guide breaks down everything you need to know in plain language.
The Basics
Indodax is one of Indonesia’s largest cryptocurrency exchanges, with a total asset volume of approximately $368 million. Think of an exchange like a bank where you buy, sell, and store your cryptocurrency. On September 10, hackers exploited a vulnerability in Indodax’s withdrawal system — the mechanism that processes requests to send crypto from the exchange to personal wallets. The attackers stole approximately $22 million across multiple cryptocurrencies including Bitcoin, Ethereum, USDT, and others.
At the time of the hack, Bitcoin was trading at around $58,127 and Ethereum at approximately $2,362. The stolen funds included a mix of major cryptocurrencies and tokens across several blockchain networks. Security firms including PeckShield, Cyvers, and SlowMist detected the suspicious activity and alerted the public. Indodax responded by shutting down its platform temporarily to secure remaining funds.
Here is the important part: this type of incident is not unique to Indodax. Cryptocurrency exchanges have been targeted by hackers since the early days of Bitcoin, and even major platforms have experienced breaches. Understanding how and why these attacks happen is the first step to protecting yourself.
Why It Matters
Exchange hacks matter because of a fundamental principle in cryptocurrency: “not your keys, not your coins.” When you store cryptocurrency on an exchange, the exchange holds the private keys to your funds. This means you are trusting the exchange’s security measures to protect your assets. If the exchange gets hacked, your funds could be at risk.
The Indodax hack specifically targeted the withdrawal system, which is the part of the exchange that handles outgoing transfers. This is concerning because it suggests the attackers found a way to authorize withdrawals without the legitimate account holders’ permission. It is like someone finding a way to forge your signature at the bank.
For beginners, the key takeaway is this: exchanges are convenient for trading, but they are not designed to be long-term storage solutions. Just as you would not keep your life savings in a checking account, you should think carefully about how much cryptocurrency you leave on any exchange.
Getting Started Guide
Protecting your cryptocurrency does not have to be complicated. Here are practical steps every beginner should take, ordered from easiest to most advanced.
Step 1: Enable all security features on your exchange account. This means turning on two-factor authentication (2FA) using an authenticator app like Google Authenticator or Authy — not SMS-based 2FA, which is vulnerable to SIM-swap attacks. Set up an anti-phishing code if your exchange offers one. Enable withdrawal whitelist restrictions that only allow transfers to addresses you have pre-approved.
Step 2: Use strong, unique passwords. Your exchange password should be different from every other password you use. Consider using a password manager like Bitwarden or 1Password to generate and store complex passwords. A password like “Crypto2024!” might seem strong, but it can be cracked in seconds by modern tools.
Step 3: Get a hardware wallet. A hardware wallet is a physical device, similar to a USB drive, that stores your cryptocurrency private keys offline. Popular options include Ledger and Trezor, starting at around $60-80. When your crypto is on a hardware wallet, hackers cannot access it through an exchange breach because the private keys never touch an internet-connected device.
Step 4: Transfer excess funds off exchanges. Once you have a hardware wallet, transfer any cryptocurrency you are not actively trading to your personal wallet. The general rule of thumb is: only keep on an exchange what you need for trading in the next few days. Everything else belongs in cold storage.
Step 5: Verify addresses carefully. When transferring crypto, always double-check the destination address. Scammers can use malware to replace clipboard addresses, sending your funds to their wallet instead of yours. Verify at least the first and last few characters of every address before confirming a transaction.
Common Pitfalls
Many beginners make avoidable mistakes that put their funds at risk. Here are the most common pitfalls and how to avoid them.
The biggest mistake is keeping all your crypto on one exchange. If that exchange is hacked, goes bankrupt, or experiences technical issues, you could lose access to everything. Diversify across multiple exchanges for trading purposes, but keep the majority of your holdings in personal wallets.
Another common error is falling for phishing scams. After high-profile hacks like Indodax, scammers often impersonate exchange support on social media and messaging apps. They may claim to help you “secure your account” or “verify your identity” — their real goal is stealing your credentials. Legitimate exchanges will never ask for your password, 2FA codes, or private keys through direct messages.
Some beginners also fall victim to fake recovery services that promise to retrieve funds lost in hacks. These are almost always scams. If you lose funds on an exchange, the only legitimate recovery path is through the exchange’s official support channels and law enforcement.
Next Steps
Now that you understand the basics of crypto safety, take action. Start with the easiest steps: enable 2FA and review your exchange security settings today. Research hardware wallets and order one if you hold more than a few hundred dollars in cryptocurrency. If you found this guide helpful, explore our other educational content about wallet types, transaction security, and the fundamentals of blockchain technology.
Remember, in cryptocurrency, you are your own bank. That freedom comes with responsibility. Taking these simple precautions dramatically reduces your risk and gives you peace of mind as you continue your cryptocurrency journey.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
good writeup for beginners. the bank analogy actually works well for explaining what happened
the withdrawal system being the attack vector is telling. exchanges harden their trading engines but the withdrawal pipelines sometimes still run on legacy code. $22M through a single vulnerability
yuki the withdrawal system being the weak link makes sense. trading engines get all the security budget because thats where the money perception is
the what should you do section should be pinned to every crypto newcomers screen. self custody is non-negotiable after seeing this happen repeatedly
Totally agree with Adaeze, self-custody is the only way to avoid becoming exit liquidity for hackers. If you’re still keeping your whole bag on a CEX after this Indodax mess, you’re basically asking for a haircut. Not your keys, not your coins, it’s literally the first rule of the game.
368M in assets and withdrawal pipeline runs on legacy code. banks have FDIC insurance, indodax users got nothing
insured_or_bust exactly. 22M lost and zero compensation for users. self custody exists because exchanges cant insure against their own incompetence
indodax had $368M in assets and lost $22M. thats about 6%. scary but could have been way worse
potatosalad_ doing the math right. 6% loss sounds manageable until you realize those are real peoples funds and indodax users in indonesia dont have FDIC insurance to fall back on
Saying 6% is ‘manageable’ is pure copium, potatosalad_. Even if it’s not a total wipeout, a breach of the withdrawal pipeline means their whole security model is fundamentally broken. If they can’t protect the exit, they shouldn’t be handling hundreds of millions in the first place.
staking_analyst_ calling 6% manageable when its 22 million in real customer funds is wild. thats not a haircut thats life changing money for thousands of users
for anyone asking about middle ground solutions: multisig with a hardware key plus a mobile signer. bitbox or trezor plus sparrow. not rocket science but takes 30 min to set up
I’m still trying to figure out if my $500 is actually safer in a hardware wallet or if I’m just going to lose my seed phrase. The guide says exchanges are risky, but for a beginner, the thought of being my own bank is honestly pretty terrifying. Is there a middle ground or is it really just all or nothing?
indodax had 368M in assets and couldnt secure their withdrawal pipeline. the bank analogy in the article is too generous, banks dont lose money to basic exploit attempts
xrefugee banks actually have insurance and recourse though. indodax users got zero compensation. the self-custody push after this hack was fully justified