Reposted from netizens:

Ninth sister:

Hello.

It has been almost a week since my account was hacked. These few days seemed like a century to me. I have something to say to you and I want to ask for your help.

I don't remember which social group I added you on WeChat, but I have always been following your circle of friends. Huang Yang told me that you two are very good friends, and she told me many stories about you. Since she and I are also very good friends, I have a natural trust in you.

Of course, I am not telling you this to morally blackmail you. In fact, my use of OKX has nothing to do with you, but I really think this platform is very suitable for me.

In the early years, my experience in this industry was more like that of a silly coin hoarder, so BN was my first choice: its depth was good enough, its security was good enough, its credibility was strong enough, and its benefit effect was large enough. After experiencing a bull-bear transition, I gradually began to transform from a coin hoarder to a trader. At this time, BN actually felt uncomfortable to me.

Later, because the DOJ sued CZ, I was worried about the safety of my assets and immediately transferred most of BN's assets to our platform. If you look carefully at my data on the platform, you will find that after my funds entered our platform, I opened up a new world. It is true that our full-position mode and mixed margin mode are too convenient and suitable for leverage players like me. But to be honest, with the previous experience of FTX in front of me, I always have some doubts about centralized exchange platforms. One is the potential misappropriation of funds, and the other is the possible leakage of KYC related information during transactions.

My doubts were completely eliminated at the end of January and the beginning of February this year. That afternoon, I saw OKB drop from 50 USD to around 25 USD in one breath. To be honest, my first reaction at that moment was not to buy at the bottom, but I felt that the platform must have encountered some unknown risk problems, so I immediately transferred all the funds on the account to BN. The subsequent results were as I expected, because the depth caused a series of liquidations. However, our OKX disclosed information in a timely manner, actively and bravely assumed the responsibility to users, and paid full compensation, which made me give a big thumbs up to our OKX platform.

I am ashamed to say that after our platform took full responsibility, I immediately withdrew all the funds back to OKX. The next problem I faced was that BN sent me an email asking me about the reason for the large transfer in and out, and asked me to provide proof of the source of funds. I didn’t even reply to them, because in my heart, I felt that after this round of bull market, maybe the depth of OKX could be completely comparable to that of BN, which is no longer an unattainable dream. So having a BN account does not seem to be a necessary option for me.

My account was stolen in the early morning of May 3rd, and I had just finished paying respects to my grandmother. My grandmother passed away unexpectedly at 6am on May 1st, so I hurried back to my hometown to mourn. My first reaction when I saw this message was that the platform had pushed an error, but I still unconsciously clicked on the platform and tried to log in repeatedly until I found that my account had been deleted. Here, I am really very, very grateful that every time I encountered any problem, you were able to reply to me and help me as soon as possible. This really makes a user of the platform feel safe.

To be honest, I have thought about many reasons for the account being stolen, such as internal problems, system bugs, and acquaintances. In the end, I initially determined that the potential cause was myself, because there are indeed two friends who are inseparable from me. In theory, if they do something bad, I may really lose the ownership of the account. So I contacted SlowMist as soon as possible. I hope that through the efforts of third parties and platforms, they can help me recover my assets and reduce my losses.

But the development of the situation was far beyond my expectations. In the active communication with the platform, I soon learned that this was not a large-scale leak, but an individual attack. Regarding the theft of my account, it was not even because I leaked my email password, mobile phone number and Google verification, but the other party logged in to the email number and clicked on the forgotten password, and directly bypassed all my firewalls through the AI-synthesized video. In other words, without my knowledge, a third party replaced my mobile phone number, email number and Google authenticator, and 24 hours later, all my assets were lost.

To be honest, when I saw on the police phone that the so-called person who looked very much like me was holding a fake ID card and reading "I am Wu Suohan, ID number 4222..." into the camera, I could tell at a glance. Under the premise of being fake, it was able to bypass the risk control of your multi-billion dollar asset platform. At that moment, I didn’t know whether to cry or something else. Today is my grandma's first birthday, but I am not in my hometown to accompany my grandpa, my mother and my family. I can't even go to her tombstone to complete my worship because I am out of town to cooperate with the police in recovering my assets. But such a clumsy method can circumvent the platform's risk control system and ultimately lead to this tragedy. Doesn't your platform bear unshirkable responsibility for this?

Your staff repeatedly stressed to me that all your processes are compliant, but process compliance and security omissions are two different things. As a user, I put all my assets here because I trust your platform, but because of your so-called compliance process, you eventually made me lose all my assets. Isn't this a very ridiculous thing?

I don't know if you have seen the data in my background. If you saw the two clumsy people and the fake ID card later, I believe you would feel the same as I do.

But now that things have come to this, no matter how absurd the reality is, we can only face it positively and bravely. Here, I would like to write this letter to you, my ninth sister, and hope that you can convey my expectations for the platform.

1. The police have already intervened in the case and have obtained some clues. Through the comparison of big data in the public security system, the real information of the two counterfeiters has been initially screened out. The next thing is to prepare the procedures for arrest. But it is highly likely that these two are just the front runners, and there must be other thieves who have not yet shown their heads. This is a process that takes time. This is where the police are good at, but there are also areas where the police are not good at, such as how to track the information on the chain; which platforms to go to to obtain evidence; and the ideas and judgment directions of tracking. These all require professional guidance. After all, blockchain is still a relatively unfamiliar field for the public security. I hope that the process of tracking down the murderer can be the result of the joint efforts of me, the platform, and the public security, rather than my unilateral efforts. Here, I hope that my ninth sister will convey for me that OKX must set up a special task force internally. On the one hand, it is necessary to conduct internal investigations to ensure that there are no problems with the internal employees of the platform. On the other hand, the technology must repair the secondary vulnerability as soon as possible to ensure the safety of other users' assets. Third, it can actively communicate with the public security to establish a working group to track down the murderer;

2. About myself. I hope OKX can have the courage to ask users to take responsibility as before and compensate me for the full amount of my losses this time. More than 2 million US dollars is a small amount for the platform, but for me as a user, it is an astronomical figure. I believe that the platform can understand the significance of funds and opportunity costs for every practitioner. If you ask me to wait until this case is settled before paying, I may have missed the entire bull market. I am unwilling to accept such a result, and it is not my responsibility.

Here, I promise that as long as the platform actively fixes the loopholes and actively and constructively communicates with me, I will never leak any information to a third party. I hope you can convey the above two points to the senior management on my behalf.

Best wishes for your business.

Sorry to bother you so late at night. 🙏 I hope you can understand.

The last sentence is also a little thought I have recently had because of this strange experience and I want to share it with you: In my limited knowledge, using face verification should be the highest level of security for the platform. Compared with email verification, mobile phone verification, and third-party dynamic code, face verification is the customer sacrificing privacy to ensure its uniqueness, and it should be the safest verification method, judging from the risk-benefit perspective. But now it is absurd that someone else has broken through this line of defense with someone else's face.