On June 3, Laifangchang, a well-known community member, wrote a long article in Japan saying that scammers had bought all of his personal information on Telegram, logged in to his email account, used the "Forgot Password" function, and then applied to change his mobile phone number, email address and even his Google Authenticator through an AI-synthesized video. 24 hours later, more than 2 million US dollars in assets were gone from his OKX account.
Two more users subsequently disclosed that their OKX accounts had been taken over, suspectedly through hijacking of their SMS messages and email.
Research firm Dilation Effect subsequently analyzed OKX’s current security settings and raised concerns:
Although users have bound GA, they are allowed to switch to a lower-security verification method at verification time, so GA verification can be bypassed. Users bind GA (Google Authenticator) because it offers a higher security level, yet when OKX verifies sensitive operations, such as adding whitelist addresses, withdrawing coins and changing the settings of the various verification items, the user can switch directly to a weaker method such as SMS.
Sensitive operations such as turning off mobile phone verification, turning off GA verification and changing the login password do not trigger the 24-hour withdrawal ban risk-control measure. Changing the login password is handled as a compromise: the ban is triggered only when the change is made from a login on a new device.
There is no dynamic verification tied to a withdrawal limit for whitelisted addresses. Once an address is on the whitelist, withdrawals to it within the limit go through without verification. Other exchanges set a limit and require re-verification when it is exceeded; OKX's security settings lack such a baseline design. Perhaps to improve user experience, OKX has made many compromises on security.
OKX CEO Star responded: Currently, there has not been a single case of user data loss that was completed by switching from GA (Google Authenticator) to SMS (text message). The authentication-free address is designed for the automated withdrawal needs of API users, and setting a limit does not meet actual needs. It is possible to consider introducing a silent authentication-free address automatic expiration mechanism. The GA security level is indeed slightly higher than SMS, but it is not absolutely safe. Methods for stealing user SMS include device Trojan implantation, SIM card duplication, fake base stations, and theft through SMS service providers. Hackers who steal user GA can implant Trojans on user devices or steal Google accounts (turn on cloud synchronization). OKX will fully compensate for data losses caused by its own reasons.
Dilation Effect responded to Star Xu: SMS also has SIM SWAP, operator interface problems, legal wiretapping issues, etc. Its security has long been outdated. The security of GA is not slightly higher than SMS, but much higher. GA should be used as a baseline setting for security verification. For retail investors, GA is currently the safest, lowest cost and easiest to use verification measure. We call on ordinary users to set up GA, get used to using GA, and use GA well (turn off the cloud backup function).
There was also a rumor circulating in the community that "unknown addresses appeared in the USDT-TRC20 withdrawal whitelist of many OKX accounts". OKX officials checked multiple addresses and found that they had been added by the account owners themselves a few years ago. The OKX official account said, "In the address book function on the App, the newly added authentication-free addresses are at the top, and the addresses below cannot be newly added." OKX founder Star Xu, in a rare Chinese-language tweet, added, "I often forget the addresses I added a long time ago. If you still have questions, please feel free to contact customer service to verify. The OKX address book function does need to be improved, such as showing the time of addition. In addition, OKX will continue to bear full responsibility for customer data losses caused by OKX's own problems."
On June 12, the two users who had reported on social media that their OKX accounts were stolen were promised full compensation, and they have since deleted the relevant posts on Twitter.
On June 12, OKX's latest iOS version, 6.71.1, removed the mobile verification code from withdrawals and replaced it with double verification by email and authenticator. However, according to the community, in the same 6.71.1 version, after tapping Modify Authenticator (Google Authenticator) the new GA key is displayed directly, without any verification; only a further reset requires a mobile verification code plus a code from the new authenticator app. By contrast, on Binance, modifying the authenticator requires passing a layer of key verification (face verification) before the new GA key is displayed, and a further reset requires a code from the new authenticator app. Both OKX and Binance block withdrawals for 24 hours after an authenticator reset.
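The concerns raised by Dilation Effect above (factor downgrade during verification, security-setting changes that do not trigger the 24-hour withdrawal hold, whitelisted addresses with no limit-based re-verification) and the authenticator-reset flow just described all come down to one policy question: which factor must be presented for a sensitive operation, and what happens to withdrawals afterwards. The following is an added illustration written for this article, not OKX or Binance code: a small policy engine that refuses to accept a weaker factor than the strongest one bound, starts the 24-hour hold on every security-setting change, and re-verifies whitelisted withdrawals once they exceed a per-address limit or the entry has expired. The 90-day expiry and the per-address limits are assumed values for the example; the article only states that an expiry mechanism may be introduced.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, Optional, Set


class Factor(IntEnum):
    """Verification factors ordered by strength (higher value = stronger)."""
    SMS = 1
    EMAIL = 2
    TOTP = 3   # GA-style authenticator code
    FACE = 4   # liveness-checked face verification


WITHDRAWAL_HOLD = timedelta(hours=24)   # the 24-hour withdrawal ban named in the article
WHITELIST_TTL = timedelta(days=90)      # assumed expiry; the article only says one could be introduced


class PolicyError(Exception):
    """Raised when a request does not satisfy the policy."""


@dataclass
class WhitelistEntry:
    address: str
    added_at: datetime
    limit_24h: float            # amount allowed to this address per 24h without step-up
    spent_24h: float = 0.0      # simplified counter (constructed for the example)


@dataclass
class Account:
    bound: Set[Factor]
    whitelist: Dict[str, WhitelistEntry] = field(default_factory=dict)
    hold_until: Optional[datetime] = None


def strongest_bound(acct: Account) -> Factor:
    return max(acct.bound)


def require_step_up(acct: Account, presented: Set[Factor]) -> None:
    """A sensitive operation must present the strongest factor the user has bound.
    Presenting only weaker factors (e.g. SMS when TOTP is bound) is a downgrade and is rejected."""
    need = strongest_bound(acct)
    if need not in presented:
        raise PolicyError(f"{need.name} required; {sorted(f.name for f in presented)} is a downgrade")


def change_security_setting(acct: Account, presented: Set[Factor], now: datetime,
                            remove_factor: Optional[Factor] = None) -> datetime:
    """Turning off a factor, resetting GA, changing the password: step-up first (before any new
    secret would be shown), then the 24h withdrawal hold starts unconditionally."""
    require_step_up(acct, presented)
    if remove_factor is not None:
        if acct.bound == {remove_factor}:
            raise PolicyError("cannot remove the only bound factor")
        acct.bound.discard(remove_factor)
    acct.hold_until = now + WITHDRAWAL_HOLD
    return acct.hold_until


def add_whitelist_address(acct: Account, address: str, limit_24h: float,
                          presented: Set[Factor], now: datetime) -> None:
    """Adding a whitelist address is itself a sensitive operation: never SMS-only."""
    require_step_up(acct, presented)
    acct.whitelist[address] = WhitelistEntry(address, now, limit_24h)


def withdraw(acct: Account, address: str, amount: float,
             presented: Set[Factor], now: datetime) -> str:
    """Returns how the withdrawal was authorised, or raises PolicyError."""
    if acct.hold_until is not None and now < acct.hold_until:
        raise PolicyError(f"withdrawals held until {acct.hold_until.isoformat()}")
    entry = acct.whitelist.get(address)
    if entry is None or now - entry.added_at > WHITELIST_TTL:
        require_step_up(acct, presented)          # unknown or expired address: full verification
        return "verified"
    if entry.spent_24h + amount > entry.limit_24h:
        require_step_up(acct, presented)          # over the limit: re-verify instead of waving through
        entry.spent_24h += amount
        return "verified_over_limit"
    entry.spent_24h += amount
    return "whitelisted"


def demo() -> Dict[str, str]:
    """Walk through the scenarios from the article with constructed data."""
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    addr = "constructed-example-address"
    acct = Account(bound={Factor.SMS, Factor.EMAIL, Factor.TOTP})
    out: Dict[str, str] = {}

    def attempt(key: str, fn) -> None:
        try:
            out[key] = fn()
        except PolicyError:
            out[key] = "rejected"

    # 1. Downgrade attempt: turn off GA using only SMS + email.
    attempt("downgrade", lambda: change_security_setting(
        acct, {Factor.SMS, Factor.EMAIL}, t0, remove_factor=Factor.TOTP) and "allowed")
    # 2. Legitimate whitelist add and password change with TOTP; the hold now applies.
    add_whitelist_address(acct, addr, 1000.0, {Factor.TOTP, Factor.EMAIL}, t0)
    change_security_setting(acct, {Factor.TOTP, Factor.EMAIL}, t0)
    attempt("during_hold", lambda: withdraw(acct, addr, 10.0, {Factor.TOTP}, t0 + timedelta(hours=1)))
    # 3. After the hold: within limit needs nothing, over limit needs TOTP, not SMS.
    t1 = t0 + WITHDRAWAL_HOLD
    attempt("within_limit", lambda: withdraw(acct, addr, 900.0, set(), t1))
    attempt("over_limit_sms", lambda: withdraw(acct, addr, 200.0, {Factor.SMS}, t1))
    attempt("over_limit_totp", lambda: withdraw(acct, addr, 200.0, {Factor.TOTP}, t1))
    # 4. An expired whitelist entry falls back to full verification.
    attempt("expired_sms", lambda: withdraw(acct, addr, 1.0, {Factor.SMS}, t0 + timedelta(days=91)))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that `require_step_up` derives the required factor from what the account has bound rather than from what the client asks to use, so a "switch verification method" option in the UI cannot reach a weaker path; the hold is set inside the same function that applies the setting change, so it cannot be skipped by a code path that forgets to call it.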
However, rumors of possible collusion between insiders and outsiders subsequently emerged in the community, especially after some user information was disclosed.
OKX Haiteng said that the customer information leak was caused by "someone forging judicial documents to obtain the information of very few customers." No "insider" has been found so far.
OKX released a statement on the recent security incidents in individual customer accounts: It has been verified that someone forged judicial documents and obtained the information of a very few customers. The matter is under investigation by the judicial authorities, and we cannot disclose more specific details. We have optimized the judicial cooperation process, introduced a verification mechanism, and strengthened the security level of AI face recognition. In the future, we will introduce an expiration mechanism for the certified address in the address book to prevent such incidents from happening again.
Star Xu said that OKX has upgraded the reset security item to a new generation of AI face recognition detection, and introduced double manual review for all reset security item requests for accounts with balances greater than a certain limit, to ensure that this type of AI face-changing attack will not happen again. For several customers who forged the verification procedures to obtain user information, we have implemented monitoring of customer accounts to ensure asset security.
The matter is not over yet. Singapore market maker QuantMatter claimed that $11.6 million was suddenly stolen from its OKX institutional account on May 30. The hacker added multiple whitelist addresses, and the funds were converted into BTC, ETH, USDC and USDT and transferred to on-chain addresses, where they have not moved since. Unlike in many of the earlier cases, the market maker told Wu that it had set up an offline Google Authenticator, and that withdrawals required double authentication by email and GA, both kept by the founder and a partner. This implies a high probability that the hacker passed the offline GA verification, i.e. that the market maker's GA was compromised. Although more than ten days have passed, neither the market maker, the security firms it engaged nor OKX has been able to determine the cause of the theft, and further investigation is needed. The market maker has reported the case to the police in Singapore and has engaged more than five security firms to examine it.
Star Xu responded: This account has nothing in common with other cases, and the time is completely different. We are still investigating in depth. What is certain is that there is a complete log showing that the withdrawal was initiated by the web page, and the withdrawal request entered the complete GA and email verification code.
On June 7, a script error at OKX caused congestion on the Bitcoin network. The Bitcoin network fee soared to 520 sat/vB (~$52) and the network was congested. An OKX address (bc1quh...0r8l2d) was suspected of consolidating (sweeping) funds from user wallets. There were more than 330,000 unconfirmed transactions on the Bitcoin network and the mempool had grown to 1.35 GB. The abnormal consolidation fees drew questions from the community. In response, OKX said that the team had been testing a consolidation program, which has since been stopped.
Data from June 11 showed a significant outflow of funds from OKX. DefiLlama showed that OKX had a net outflow of $204 million in the past 24 hours and a net outflow of $630 million in the past 7 days, exceeding the total outflow of the other exchanges, with total reserve assets of $21.64 billion. Binance had a net inflow of $1.364 billion in the past 7 days.
Another exchange, Binance, also had an incident recently.
On June 3, 2024, a Twitter user described how he lost $1 million to theft after installing the malicious Chrome extension Aggr, which drew the attention of the wider crypto community to the risks of browser extensions and the security of their own crypto assets. This is mainly the responsibility of the users themselves. He Yi responded: Binance currently has layered big-data alerts and manual double confirmation for sudden price fluctuations, and will also give users additional reminders; the verification frequency will be increased for plug-in operations and cookie authorization, and Binance will add security verification steps according to user differences. In addition, Binance has also compensated the affected users to a certain extent.
Regarding the previous cross-trading incident, Binance co-founder He Yi said that the product was more concerned about user ease of use and was not strict enough. After learning from the experience and lessons this time, the current risk control standards and levels will be improved. At that time, price fluctuations were detected, but the risk control department felt that the problem was not serious and let it go. But she does not think that "friendly competitors" are committed to stealing.