September 2024 has been a brutal month for cryptocurrency exchange security. With more than $120 million stolen across over 20 separate hacking incidents, the industry is once again confronting a fundamental architectural weakness: hot wallet infrastructure. From BingX’s $44 million loss to Indodax’s $21 million breach, the pattern is clear and persistent. Centralized exchanges continue to rely on security models that are failing in practice.
The Threat Landscape
The numbers from September 2024 paint a stark picture. PeckShield reported that the crypto space suffered more than 20 hacking incidents in a single month, causing approximately $120 million in losses, and that figure excludes an additional $32.4 million drained in a phishing attack involving Spark Wrapped Ethereum on September 27.
BingX, a Singapore-based exchange, lost between $44 million and $52 million when attackers breached its hot wallet system on September 20. Just days earlier, Indonesia’s largest crypto platform, Indodax, suffered a $21 million breach targeting its withdrawal infrastructure, with attackers making off with Bitcoin, Tron, Polygon, and Shiba Inu tokens. Penpie, a DeFi protocol also based in Singapore, was drained of $27 million through a reentrancy vulnerability that allowed an attacker to manipulate the platform’s reward system using a fake Pendle market registration.
These incidents are not isolated events. Earlier in 2024, India’s WazirX lost more than $230 million, and Japan’s DMM Bitcoin suffered a $300 million breach. The scale and frequency of these attacks demonstrate that current security architectures are inadequate for the value they protect.
Core Principles
Hot wallets exist because users demand fast withdrawals. When a user requests to move their cryptocurrency off an exchange, they expect the transaction to complete within minutes, not hours or days. Meeting this expectation requires keeping sufficient liquidity in internet-connected wallets that can sign and broadcast transactions automatically.
The fundamental problem is that internet-connected systems are inherently attackable. Every hot wallet requires private keys to be accessible by automated signing systems, and any system with network access can potentially be compromised. The attack surfaces are numerous: compromised employee credentials, supply chain vulnerabilities in wallet management software, zero-day exploits in server operating systems, and social engineering attacks against operations staff.
The security model for hot wallets typically relies on multi-signature arrangements, rate limiting, and anomaly detection. In practice, these measures have proven insufficient against sophisticated attackers who conduct extensive reconnaissance and patiently develop access before executing their theft. Multi-signature in particular only helps when the signing keys are held on separately administered systems; if one orchestration host can request signatures from all of the signers, the scheme collapses back to a single point of compromise.
Tooling and Setup
Exchanges that have avoided major breaches tend to employ a layered security architecture. The first layer is strict isolation between hot and cold wallet systems. Hot wallets should contain only the minimum liquidity necessary for daily operations, typically estimated at 2-5% of total exchange reserves. The remainder should reside in cold storage systems with air-gapped signing capabilities.
The second layer is real-time monitoring powered by machine learning anomaly detection. Modern security systems can flag unusual transaction patterns within seconds, enabling rapid response before significant losses accumulate. BingX’s attackers were able to extract $44 million before detection, suggesting either inadequate monitoring or response delays that exceeded acceptable thresholds.
The third layer is multi-signature authorization with geographic distribution. Requiring cryptographic approval from multiple key holders across different locations makes it significantly harder for a single compromised system to authorize large withdrawals. Hardware Security Modules, or HSMs, provide tamper-resistant key storage and can enforce policies such as transaction size limits and time-delayed execution for large transfers. The caveat is that the policy has to be enforced inside the HSM boundary or by a quorum of independent approvers: an HSM that signs whatever a host submits protects the key material from extraction, but a compromised host still gets valid signatures for the attacker's transactions.
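The controls named above (rate limiting and anomaly detection in the hot wallet security model, the hot-balance cap, and approval-plus-time-lock for large transfers) are easiest to reason about as a single policy gate that sits in front of the signer. The following is an added example, not code from BingX, Indodax or any exchange: a small withdrawal guard in Python. Every threshold (3% hot cap, $50k auto-sign ceiling, 10% hourly velocity cap, 3-sigma anomaly score, 2-of-M approvals and a one-hour delay above $250k) and every balance or history value is a constructed assumption chosen for illustration.

```python
"""Withdrawal policy guard for a hot wallet (added example; thresholds are assumptions)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class Policy:
    hot_cap_fraction: float = 0.03        # hot wallet may hold at most 3% of total reserves (assumed)
    single_tx_limit: float = 50_000.0     # auto-sign ceiling per withdrawal, USD-equivalent (assumed)
    hourly_outflow_fraction: float = 0.10 # at most 10% of the permitted hot balance may leave per hour
    zscore_threshold: float = 3.0         # flag amounts more than 3 sigma above the account's history
    large_tx_threshold: float = 250_000.0 # above this, require approvals and a time lock (assumed)
    required_approvals: int = 2           # N-of-M approvals for large transfers
    delay_seconds: int = 3600             # large transfers execute no sooner than one hour after request
    min_history: int = 5                  # below this many past withdrawals there is no baseline


@dataclass
class Decision:
    action: str                                  # "sign", "hold" or "reject"
    reasons: List[str] = field(default_factory=list)


class WithdrawalGuard:
    def __init__(self, policy: Policy, total_reserves: float, hot_balance: float) -> None:
        self.policy = policy
        self.total_reserves = total_reserves
        self.hot_balance = hot_balance
        self._outflow: List[Tuple[float, float]] = []  # (timestamp, amount) of signed withdrawals

    def hot_wallet_within_cap(self) -> bool:
        """Layer 1: is the hot wallet holding no more than the permitted fraction of reserves?"""
        return self.hot_balance <= self.policy.hot_cap_fraction * self.total_reserves

    def hourly_outflow(self, now: float) -> float:
        """Sum of withdrawals signed in the trailing hour (rate-limiting window)."""
        self._outflow = [(t, a) for t, a in self._outflow if now - t < 3600]
        return sum(a for _, a in self._outflow)

    def is_anomalous(self, history: List[float], amount: float) -> bool:
        """Z-score check of the amount against the account's own withdrawal history."""
        if len(history) < self.policy.min_history:
            return False  # no baseline; the per-transaction limits still apply
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            return amount > mu
        return (amount - mu) / sigma > self.policy.zscore_threshold

    def evaluate(self, history: List[float], amount: float, now: float,
                 approvals: int = 0, requested_at: Optional[float] = None) -> Decision:
        p = self.policy
        if amount <= 0:
            return Decision("reject", ["non-positive amount"])
        if amount > self.hot_balance:
            return Decision("reject", ["exceeds hot liquidity; replenish from cold storage"])
        reasons: List[str] = []
        # Velocity cap is derived from the *permitted* hot balance, so it does not drift as funds move.
        hourly_limit = p.hourly_outflow_fraction * p.hot_cap_fraction * self.total_reserves
        if self.hourly_outflow(now) + amount > hourly_limit:
            reasons.append("velocity")
        if self.is_anomalous(history, amount):
            reasons.append("anomaly")
        if amount > p.large_tx_threshold:
            if approvals < p.required_approvals:
                reasons.append("approvals")
            if requested_at is None or now - requested_at < p.delay_seconds:
                reasons.append("time-lock")
        elif amount > p.single_tx_limit and approvals < 1:
            reasons.append("approvals")
        if reasons:
            return Decision("hold", reasons)  # held for human review; nothing is signed
        self._outflow.append((now, amount))
        self.hot_balance -= amount
        return Decision("sign", [])


if __name__ == "__main__":
    # Constructed scenario: $100M reserves, $3M hot (exactly at the 3% cap).
    guard = WithdrawalGuard(Policy(), total_reserves=100_000_000, hot_balance=3_000_000)
    retail_history = [1000, 1200, 900, 1100, 1000, 950]  # constructed account history
    print(guard.evaluate(retail_history, 1_000, now=0))                     # sign
    print(guard.evaluate(retail_history, 20_000, now=60))                   # hold: anomaly
    print(guard.evaluate([], 260_000, now=180, approvals=1, requested_at=-7020))  # hold: approvals
    print(guard.evaluate([], 260_000, now=180, approvals=2, requested_at=-7020))  # sign
    print(guard.evaluate([], 60_000, now=200, approvals=1))                 # hold: velocity
```

The design point is that a "hold" never signs: a compromised orchestration host that floods the gate with requests gets held transactions, not signatures, and the hourly velocity cap bounds what can leave even when every individual request looks plausible. Note also that an account with no history skips the statistical check, which is why the per-transaction and approval limits must apply regardless of history.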
The fourth layer is proactive threat intelligence. Engaging firms like SlowMist, Chainalysis, and PeckShield before a breach occurs, rather than only in response to one, enables exchanges to benefit from industry-wide threat intelligence that can identify attack campaigns targeting their specific infrastructure.
Ongoing Vigilance
Security is not a one-time implementation but a continuous process. Exchanges must conduct regular penetration testing, including red team exercises that simulate the full spectrum of attack vectors. Access control reviews should occur at least quarterly, with particular attention to privileged accounts that have access to wallet management systems.
Incident response plans must be tested through tabletop exercises and live drills. When BingX suffered its breach, the speed of response directly influenced the outcome: the exchange managed to freeze $10 million of stolen funds through rapid coordination with blockchain security firms. Exchanges that discover their incident response plans are inadequate during an actual breach are already too late.
The broader crypto community also plays a role. Information sharing between exchanges about attack patterns, indicators of compromise, and threat actor tactics helps raise the collective security baseline. Industry organizations and security firms like PeckShield that publish aggregate data on hacking incidents provide valuable intelligence that exchanges should actively incorporate into their defensive strategies.
Final Takeaway
The $120 million lost to crypto hacks in September 2024 is not an anomaly. It is the predictable result of an industry that has prioritized user convenience over security architecture. Until exchanges fundamentally rethink hot wallet design, implementing true multi-layer security with real-time monitoring, multi-signature controls, and proactive threat intelligence, these breaches will continue at escalating scale.
For users, the lesson is straightforward: minimize exposure to centralized exchange risk by keeping only actively traded amounts on any platform. With Bitcoin near $63,395 and Ethereum at $2,616 at the time of writing, the financial stakes of exchange-level security failures have never been higher. Hardware wallets and personal custody remain the most reliable defense against the next inevitable breach.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making decisions about cryptocurrency storage and security practices.
$120 million in one month and exchanges still keep most funds in hot wallets. The cost savings on infrastructure vs. the losses don't even math out anymore.
Indodax losing $21M and they process withdrawals manually? What year is this?
Indodax is the largest exchange in Indonesia. 200M people and their security was held together with duct tape.
ngl I pulled everything off exchanges after the BingX thing. Not waiting to become a statistic.
The pattern is always the same though: breach, suspend, investigate, resume, promise better security, repeat.
^ And users always forgive and forget. Give it 3 months and deposits are back to normal like nothing happened.
BingX losing $44M and still operating normally is insane. Any other industry would face criminal charges for that level of negligence.