Crypto Exchange BingX Suffers $43M Hack, Gradually Resumes Services While Promising to Compensate Users

BingX posted on the X platform on Friday, confirming abnormal access to its hot wallet and suspecting a possible cyber attack. The exchange also mentioned that the loss was minor as most of the assets were already secured in cold wallets and pledged to compensate users for their losses.

“To protect user funds, we’re extending recharge & withdrawal times while reinforcing security. Coins will be processed within 24 hours. We’re sorry for the inconvenience and appreciate your understanding,” it said.

BingX has announced it will gradually resume withdrawal services. Key details include the resumption of withdrawals on the BSC network, covering popular tokens like USDT, USDC, BTC, ETH, TRX, and SOL, as well as USDT withdrawals on the TRC20 network, which are expected to be operational by September 21, 08:30 (UTC+8), although some withdrawal times may experience delays due to ongoing security reviews.

In the coming 1-2 weeks, the platform says it will “gradually reinstate withdrawals” for other tokens and reopen deposit services. No confirmation of timings has been provided to date.

Apart from stablecoins, hackers stole over 360 types of altcoins. According to Etherscan data, the majority of the stolen cryptocurrency was traded for ETH and BNB on DEXs like Uniswap and Kyberswap.

Blockchain security company PeckSheild reported that the security breach led to a $43 million loss, mostly affecting Ethereum and BNB Chain. Initially, the company estimated the loss amount to be $26.8 million. Later, it confirmed another $16.5 million with cryptocurrencies had been drained from its hot wallet. The stolen funds comprised 4.1K BNB, 5.3K ETH, and 1.65M Matic and PeckSheild says the hacker quickly traded most of the stolen crypto for around 7,864.7 $BNB and 4,526 $ETH. 

Vivien Lin, BingX’s chief product officer announced that withdrawals have been temporarily halted on the exchange and that BingX is going to compensate users for their losses. “BingX will fully compensate for the loss with our own capital. The total loss is minimal and manageable. This incident will not affect our ongoing business operations. Trading services continue as usual,” she said. 

Later, BingX posted a temporary wallet maintenance notice saying the exchange would undergo a 24-hour maintenance service and would notify its users once it was done. However, crypto startup g8keep co-founder Harrison Leggio, also known as “Pop Punk” on X, confronted BingX’s disclosure of the problem in a September 20 X post.

“Is it ‘wallet maintenance’ or are your wallets being drained?” he inquired. “If it was ‘wallet maintenance’ then why is there a ‘minor asset loss? If you’re going to use a CEX (Centralized Exchange), please use a real one that doesn’t pay off exploits like this.” Keystone, a hardware wallet provider urged BingX users to secure their funds in cold hardware wallets to avoid the rising threats of hot wallets. 

Recent events in the cryptocurrency exchange industry highlighted significant security concerns, and two more high-profile occurrences brought attention to the flaws of these platforms.

Last week, hackers broke into cryptocurrency exchange Indodax and stole over $20 million worth of digital assets. Several blockchain investigation firms including PeckShield, Cyvers, and SlowMist reported the attack on Indodax’s hot wallets. The hacker stole a significant amount of Bitcoin (BTC), Ethereum (ETH), Tronix (TRX), Polygon (POL), Shiba Inu (SHIB), and other tokens on this occasion.

Meanwhile, attackers recently orchestrated a string of suspicious transactions on WazirX, a popular exchange in India that drained $234 million from the platform. Web3 security firm Cyvers first identified several suspicious transactions from WazirX’s Safe Multisig Ethereum wallet. The exchange immediately suspended all transactions and declared that clients would only be allowed to withdraw 33% of their current INR balances.