On June 3, a well-known community member named “Lairifangchang” wrote a long article saying that a scammer had bought all of his personal information on Telegram, logged into his email, clicked “Forgot password”, and used an AI-synthesized video to apply to change his mobile phone number, email address and even Google Authenticator, causing him to lose more than $2 million in OKX account assets within 24 hours.

Subsequently, two more users disclosed that their OKX accounts had been stolen, suspected to be due to hijacking of text messages and emails.

Research firm Dilation Effect analyzed OKX’s security settings and raised some concerns:

Although a user has bound Google Authenticator (GA), the verification flow allows switching to a lower-security method, so GA verification can be bypassed. Users bind GA precisely because it offers a higher security level, yet when OKX verifies sensitive operations such as adding whitelist addresses, withdrawing coins, and changing settings, it can fall back directly to SMS verification and other low-security methods.

When users perform sensitive operations such as turning off mobile phone verification, turning off GA verification, or changing the login password, the 24-hour withdrawal ban risk control is not triggered. For password changes, the risk control is a compromise: it is triggered only when logging in from a new device.

In addition, withdrawals to whitelisted addresses are not verified dynamically against the withdrawal limit. Once an address is added to the whitelist, withdrawals within the limit go through without any verification, and unlike other exchanges, OKX has no mechanism requiring re-verification once the limit is exceeded. Overall, OKX's security settings lack a baseline design; perhaps to improve user experience, OKX has made many compromises on security.
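The three concerns above amount to a missing policy baseline. The following added example (not OKX's code; the factor ranking, the 24-hour hold constant and the per-withdrawal limit are constructed assumptions) models the fallback check the analysts criticise beside a baseline check that always demands the strongest bound factor, starts the withdrawal hold on any security-setting change, and re-verifies whitelisted withdrawals above the limit.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Factor(IntEnum):
    """Verification methods ordered by strength (constructed ranking)."""
    SMS = 1
    EMAIL = 2
    GA = 3  # authenticator app (TOTP)


HOLD = timedelta(hours=24)      # withdrawal ban after any security change
WHITELIST_LIMIT = 10_000.0      # constructed per-withdrawal limit, in USD
T0 = datetime(2024, 6, 1, 12, 0)  # constructed reference time for demos


@dataclass
class Account:
    bound: set[Factor]                        # factors the user has bound
    whitelist: set[str] = field(default_factory=set)
    last_security_change: datetime | None = None


def fallback_verify(acct: Account, presented: set[Factor]) -> bool:
    """Pattern criticised above: any bound factor satisfies the check, so an
    account protected by GA can be verified with SMS alone."""
    return bool(acct.bound & presented)


def baseline_verify(acct: Account, presented: set[Factor]) -> bool:
    """Baseline design: the strongest bound factor is always required; weaker
    methods may be added on top but never substituted for it."""
    return max(acct.bound) in presented


def change_security_setting(acct: Account, presented: set[Factor], now: datetime) -> bool:
    """Turning off a factor, rotating GA or changing the password must pass the
    baseline check and always starts the 24-hour withdrawal hold."""
    if not baseline_verify(acct, presented):
        return False
    acct.last_security_change = now
    return True


def withdrawal_allowed(acct: Account, to_addr: str, amount: float,
                       presented: set[Factor], now: datetime) -> bool:
    """Whitelisted addresses skip verification only under the limit; above it,
    or while the post-change hold is active, the strongest factor is needed."""
    if acct.last_security_change and now - acct.last_security_change < HOLD:
        return False
    if to_addr in acct.whitelist and amount <= WHITELIST_LIMIT:
        return True
    return baseline_verify(acct, presented)
```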

OKX CEO Star Xu responded that there has not been a single case of user asset loss completed by switching from GA to SMS. The authentication-free address is designed for the automated withdrawal needs of API users, and setting a limit does not meet actual needs; it is possible to consider introducing a mechanism for automatic expiration of authentication-free addresses. The security level of GA is indeed slightly higher than SMS, but it is not absolutely safe. Methods for stealing user SMS include device Trojan implantation, SIM card duplication, fake base stations, and theft through SMS service providers. Hackers can steal users' GA by implanting Trojans on user devices or stealing Google accounts (with cloud synchronization turned on). Asset losses caused by OKX itself will be fully compensated.

Dilation Effect responded to Star Xu: SMS has problems such as SIM card replacement, operator interface problems and legal wiretapping, and its security has long lagged behind the times. GA is much more secure than SMS, and GA should be used as a baseline for security verification. For ordinary users, GA is currently the safest, lowest cost and easiest verification measure. We urge ordinary users to set up GA, get used to using GA, and turn off the cloud backup function.

There is also a rumor in the community that "unknown addresses appear in the USDT-TRC20 withdrawal whitelist of many OKX accounts". After checking multiple addresses, OKX officials found that they had been added by the account owners themselves a few years ago. The OKX official account said, "In the address book function on the App, the newly added authentication-free addresses are at the top, and the addresses below cannot be newly added." In response, OKX founder Star Xu made a rare Chinese-language tweet saying, "I often forget the addresses I added a long time ago. If you still have questions, please feel free to contact customer service to verify. The OKX address book function does need to be improved, such as showing the time of addition. OKX will continue to bear full responsibility for customer asset losses caused by OKX's own problems."

On June 12, two users who had previously reported on social media that their OKX accounts had been stolen were promised full compensation, and they have also deleted the relevant information on Twitter.

On June 12, OKX's latest iOS version, 6.71.1, removed the mobile verification code for withdrawals and replaced it with double verification via email and authenticator. However, according to the community, in this same version, after clicking Modify Authenticator (Google Authenticator), the new GA key is displayed directly without any verification; only in the further reset steps are a mobile verification code and a code from the new authenticator app required. On Binance, modifying the authenticator requires passing a layer of key verification (face verification) before the new GA key is displayed, and a code from the new authenticator app is required in the further reset steps. After resetting the authenticator, both OKX and Binance block withdrawals for 24 hours.

However, rumors of possible collusion between insiders and outsiders subsequently emerged in the community, especially after some user information was disclosed.

OKX's Hai Teng said that the customer information leak was due to "someone forging judicial documents and obtaining the information of a very few customers." No "insider" has been found so far.

OKX has released a statement on the recent security incidents in individual customer accounts: It has been verified that someone forged judicial documents and obtained the information of a very few customers. The matter is under investigation by the judicial authorities, and we cannot disclose more specific details. We have optimized the judicial cooperation process, introduced a verification mechanism, and strengthened the security level of AI face recognition. In the future, we will introduce an expiration mechanism for the certified addresses in the address book to prevent such incidents from happening again.

Star Xu said that OKX has upgraded the reset security item to a new generation of AI face recognition detection. At the same time, for accounts with a balance greater than a certain limit, all reset security item requests have introduced double manual review to ensure that this type of AI face-changing attack will not happen again. For several customers who forged the verification procedures to obtain user information, we have implemented monitoring of customer accounts to ensure asset security.

It's not over yet. Singapore market maker QuantMatter claimed that $11.6 million was suddenly stolen from its OKX institutional account on May 30. The hacker added multiple whitelist addresses, and the funds were converted into BTC, ETH, USDC, and USDT and transferred to on-chain addresses, where they have not yet been moved. Unlike many previous cases, the market maker said that it had set up an offline Google Authenticator, and that withdrawals require dual authentication by email and GA, which are kept by the founder and a partner. This means that the hacker may have exploited the offline GA verification, or that the market maker's GA was stolen. Although more than ten days have passed, the market maker itself, security agencies, and OKX are still unable to determine the cause of the theft, and further investigation is needed. The market maker has reported the case to the police in Singapore and contacted more than five security agencies for inspection.

Star Xu responded that this account has nothing in common with the other cases, and the timing is completely different. We are still investigating in depth. What is certain is that there is a complete log showing that the withdrawal was initiated from the web page, and that the withdrawal request entered the complete GA and email verification codes.