OKX and SlowMist Investigate Multi-Million Dollar SIM Swap Exploit

OKX and its security partner SlowMist are investigating a major security breach that stole millions of dollars from two user accounts. The incident on June 9 involved a SIM swap attack, raising concerns about the vulnerabilities associated with SMS-based two-factor authentication (2FA) mechanisms.The investigation also sheds more light on the growing sophistication of phishing attacks and the ongoing security challenges in crypto and Web3.

Two OKX Users Compromised Via Sim Swap Attack

SlowMist founder Yu Xian reported on X (formerly Twitter) that the attack involved creating a new API key with withdrawal and trading permissions. Although the amount stolen is unclear, Xian noted that “millions of dollars of assets were stolen.”

“The SMS risk notification came from Hong Kong, and a new API Key was created (with withdrawal and trading permissions, which is why we suspected a cross-trading intention before, but it seems that it can be ruled out now,” Xian stated.

The security breach appears to have utilized OKX’s 2FA system, enabling attackers to switch to a lower-security verification method and whitelist withdrawal addresses via SMS verification. While the investigation is ongoing, SlowMist has indicated that OKX’s 2FA mechanism may not have been the primary vulnerability.

Instead, the exploiters bypassed 2FA by leveraging the lower-security SMS verification process. An analysis by Web3 security group Dilation Effect suggests that the attackers used this to carry out their malicious activities.

One of the crypto theft victims expressed gratitude for being compensated by the OKX team.

The Rising Alarm Of Phishing Attack

This incident shows the growing sophistication of phishing attacks. For example, earlier in June, a Chinese trader lost $1 million in a sophisticated scam involving a compromised Google Chrome plugin named Aggr, which stole cookies to gain access to the trader’s Binance account.The hackers used these cookies to bypass password and 2FA protections, allowing them to make unauthorized trades and withdrawals.Despite the trader’s immediate contact with Binance customer service, the hackers managed to withdraw all funds before any security measures could be enacted.Phishing attacks have increased, with major incidents such as the data breach suffered by CoinGecko‘s third-party email management platform, GetResponse, leading to the distribution of 23,723 phishing emails.The breach occurred on June 5, caused by a compromised GetResponse employee email account. The attackers could export the contact information of over 1.9 million users.The compromised data includes names, email addresses, IP addresses, and email open locations, though CoinGecko stated user accounts and passwords are secure. In response to the breach, CoinGecko provided users with steps to protect themselves from scams, such as avoiding unfamiliar domains and not clicking unsolicited links.It’s also worth noting that the rise of AI-enhanced scam tactics, including deep fake technology, further complicates crypto security. Scammers impersonate influential figures like Elon Musk to promote fraudulent investment schemes.According to Merkle Science’s 2024 HackHub report, over 55% of hacked digital assets in 2023 were lost due to private key leaks, emphasizing the critical need for enhanced security protocols to protect digital assets from sophisticated phishing attacks.