Singapore-based cryptocurrency exchange BingX suffered a security breach with over $26 million worth of cryptocurrency assets being transferred to a hacker's address, according to Lookonchain. 

The affected assets include cryptocurrencies such as USDT, BTC, and USDC. While the full extent of the breach is still under investigation, BingX has responded with emergency measures to mitigate the situation.

Hacker’s Activity on the Blockchain

The hacker behind the breach reportedly transferred over 360 different altcoins to a wallet address identified as “0xF7e8,” where many of the stolen assets were swapped for Ethereum (ETH) and Binance Coin (BNB). 

Lookonchain reports that the attacker liquidated assets across multiple blockchain networks, including Ethereum and BNB Chain.

Details of the stolen assets include:

• 4.44M USDT

• 1.04M WUSD

• 608.7K USDC

• 9.38 BTCB (~$590K)

• 86,545 ZRO (~$369K)

PeckShield, a blockchain security firm, also confirmed that the hacker managed to swap the stolen assets into roughly 4,526 ETH and 7,864.7 BNB. The Ethereum blockchain address linked to the breach shows millions of dollars in tokens flowing from BingX's hot wallet.

Hacker’s Tactics

In the wake of the breach, blockchain forensics revealed that the hacker employed tactics commonly seen in similar attacks. 

Small amounts of cryptocurrency were transferred through Kyberswap, a decentralized exchange, likely as an attempt to conceal the origin of the stolen funds. This is a well-known technique used by hackers to evade tracking by mixing or swapping assets on decentralized platforms.

BingX is now reportedly collaborating with security experts to track down the stolen funds and prevent further exploitation of the compromised wallet.

BingX Issues Response

BingX confirmed the security breach in a statement, noting a “minor asset loss” but refrained from providing full details of the incident. 

According to Vivien Lin, Chief Product Officer at BingX, the exchange’s technical team detected unusual network activity early in the morning on September 20, 2024. This led to suspicions of an attack on one of the exchange’s hot wallets.

Lin added that BingX quickly activated its emergency response plan, which included transferring remaining assets from the compromised wallet and halting withdrawals to prevent further damage. Withdrawals remain suspended as of now, with BingX assuring users that they will be restored within 24 hours once wallet services are thoroughly inspected.

“We sincerely apologize for the inconvenience and are working diligently to resolve the issue,” Lin stated in a post on X (formerly Twitter).

BingX stated that the majority of user assets are stored in cold wallets, which are more secure and offline. Only a small portion of funds is kept in hot wallets, which are connected to the internet and used for daily withdrawal purposes. The exchange clarified that the breach affected only the hot wallet, where less critical funds are kept.

The crypto exchange has promised a full investigation and compensation plan for any users affected by the breach. According to a spokesperson from the exchange, BingX is still calculating the exact amount of losses and will issue an official update once more information becomes available.

BingX urged its users to refrain from depositing or withdrawing until the situation is resolved.