BingX suffers exploit with over $52M stolen
Singapore's BingX encountered a cyber intrusion, with attackers breaching its hot wallets.
This assault compromised multiple blockchains, leading Cyvers Alerts to estimate the losses at a staggering $52 million plus.
PeckShield was the first to flag the unusual outflux of funds from the platform — a whopping $13.5 million on September 20, as noted on X. This estimate was later corrected to $26.7 million as further details emerged.
Vivien Lin, the chief product officer at BingX, spoke on the matter, revealing that around 4 AM Singapore time, their tech team noticed unauthorized network activity hinting at a hot wallet compromise.
The platform immediately enacted a crisis response, involving swift asset relocation and pausing withdrawals.
Lin clarified that he bulk of assets are held in cold storage, with only a nominal amount in hot wallets for transactional purposes. Despite the temporary pause on withdrawals for emergency checks, the goal was to resume normal operations within a day.
Lin further emphasized the minor extent of the loss, assuring customers their assets were secure and effectively shielded by their comprehensive asset management strategy.
Yet, data from blockchain security firms tells another story. PeckShield disclosed that an additional $16.5 million was drained shortly after the first incident, bumping the total estimated losses to beyond $43 million.
Cyvers Alerts later revised this loss estimate, now claiming it surpassed $52 million, with a significant portion of the stolen assets already traded. The theft spread across several blockchains including Ethereum, BNBChain, BASE, Optimism, Polygon, Arbitrum, and Avalanche.
According to EtherScan, an address identified by PeckShield received a substantial sum in various tokens from several blockchains. These transfers originated from a wallet designated "BingX 15," identified as one of the trading platform's hot wallets.
Earlier that day, BingX had alerted its users to a temporary system maintenance, hinting at possible delays in deposits and withdrawals.
This advisory, however, faced backlash for its lack of clarity. Harrison Leggio, a co-founder of the crypto venture g8keep, criticized their transparency, questioning the logic behind citing "minor asset loss" if it was merely "wallet maintenance." He advised users to opt for more reliable platforms, cautioning against centralized exchanges that downplay such breaches.