Editing | Wu on Blockchain
On June 3, a well-known community member posted a lengthy article, claiming that fraudsters purchased all of his personal information on Telegram and then used it to reset his phone number, email, and even Google Authenticator through the "forgot password" option. Within 24 hours, over 2 million USD worth of assets were lost from his OKX account.
Subsequently, two more users revealed that their OKX accounts were compromised, likely due to their SMS and email being hijacked.
Research institution Dilation Effect then analyzed OKX's current security settings and raised concerns:
Despite users binding Google Authenticator (GA), the verification process allows a switch to a lower security level, bypassing GA verification. Users bind GA with the expectation of higher security. However, OKX allows a direct switch to a lower-security verification method, such as SMS, when verifying sensitive user operations, such as adding whitelist addresses, withdrawals, and various verification setting changes.
When sensitive user operations occur, such as disabling phone verification, disabling GA verification, or changing login passwords, they do not trigger a 24-hour withdrawal restriction risk control measure. The risk control measure for changing login passwords is compromised, as it only triggers when logging in from a new device.
Whitelist address withdrawals lack dynamic validation based on withdrawal amounts. Once an address is added to the whitelist, it can freely withdraw within the set limit without any validation. Unlike other exchanges that set withdrawal limits and require re-verification for amounts exceeding the limit, OKX's security settings lack fundamental design. Perhaps in an effort to enhance user experience, OKX has made significant compromises in security.
OKX CEO Star Xu responded: "Currently, there is no case where user asset loss occurred due to switching from GA (Google Authenticator) to SMS (Short Message Service). Non-authenticated addresses are designed for API users' automated withdrawals, and setting limits does not align with actual needs. We will consider introducing a mechanism for the automatic expiration of dormant non-authenticated addresses. While GA's security level is indeed slightly higher than SMS, it is not absolutely secure. Methods for stealing user SMS include device trojan implantation, SIM card cloning, rogue base stations, and theft through SMS service providers. Hacking to steal user GA can involve implanting trojans on user devices or stealing Google accounts (with cloud sync enabled). OKX will fully compensate for any user asset loss caused by its own fault."
Dilation Effect responded to Star Xu: "SMS also faces SIM swap, operator interface issues, lawful interception issues, and more. Its security has long fallen behind the times. GA's security is not slightly higher than SMS, but significantly higher. GA should be the baseline setting for secure verification. For retail investors, GA is currently the relatively safest, lowest-cost, and most user-friendly verification measure. We urge ordinary users to set up and use GA properly (and disable the cloud backup function)."
In the meantime, rumors circulated in the community that "many OKX accounts had unknown addresses added to the USDT-TRC20 withdrawal whitelist." OKX staff inspected multiple such addresses and found that they had been added by the account owners themselves several years earlier. The OKX official account stated, "Newly added non-authenticated addresses are listed at the top of the app's address book. Addresses listed further down cannot have been newly added." In response, OKX founder Star Xu made a rare Chinese-language tweet, stating, "I often don't remember addresses I added a long time ago. If you have any doubts, please feel free to contact customer service for verification. The address book function of OKX indeed needs improvement, such as displaying the time an address was added. Furthermore, OKX will continue to take full responsibility for any customer asset loss caused by its own fault."
On June 12, the two users who had previously reported their OKX accounts being compromised on social media were promised full compensation. They have also deleted the relevant information from Twitter.
On June 12, the latest iOS version of OKX (6.71.1) removed phone verification for withdrawals and replaced it with dual verification via email and authenticator. However, the community discovered that in the same version, tapping "modify authenticator" (Google Authenticator) requires no verification and directly displays the new GA key; only subsequent resets require phone verification plus a code from the new authenticator app. In contrast, on Binance, modifying the authenticator first requires a verification step (facial recognition) before the new GA key is displayed, and subsequent resets also require a code from the new authenticator app. After an authenticator reset, both OKX and Binance block withdrawals for 24 hours.
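The design points raised by Dilation Effect (no fallback from GA to SMS for sensitive operations, a withdrawal freeze after security-setting changes, re-verification above a whitelist limit) and the authenticator-reset flow compared above can be expressed as one small policy. The following is an added, constructed illustration and is not OKX's or Binance's code; the factor ranking, the operation names, the 24-hour freeze, the sample account and the whitelist limit are all assumptions for the example.

```python
"""Constructed illustration of a step-up verification policy for sensitive
exchange-account operations. Not OKX's or Binance's code. Factor ranks,
operation names, the 24h freeze and the whitelist limits are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple
import base64
import secrets

# Assumed strength ranking of verification factors: higher is stronger.
FACTOR_RANK = {"sms": 1, "email": 1, "totp": 2, "face": 3}
# Operations that must be verified with (at least) the strongest bound factor.
STEP_UP_OPS = {"add_whitelist", "change_password", "disable_factor", "rotate_totp"}
# Security-setting changes that start a withdrawal freeze.
FREEZE_OPS = {"change_password", "disable_factor", "rotate_totp"}
FREEZE_DURATION = timedelta(hours=24)
# Constructed clock so the example is deterministic.
NOW = datetime(2024, 6, 12, 12, 0, 0)


@dataclass
class Account:
    bound_factors: set                              # e.g. {"email", "sms", "totp"}
    whitelist: dict = field(default_factory=dict)   # address -> per-withdrawal limit
    withdraw_frozen_until: Optional[datetime] = None


def sample_account() -> Account:
    """Constructed account: GA bound, one whitelisted address with a limit."""
    return Account(bound_factors={"email", "sms", "totp"},
                   whitelist={"TRON-ADDR-1": 1000.0})


def _rank(factors) -> int:
    return max((FACTOR_RANK[f] for f in factors), default=0)


def _step_up_ok(acct: Account, presented) -> bool:
    """True only if a factor at least as strong as the strongest bound one was
    just verified. A bound TOTP can never be satisfied by SMS or email alone."""
    return _rank(presented) >= _rank(acct.bound_factors)


def authorize(acct: Account, op: str, presented, now: datetime,
              amount: float = 0.0, address: str = "") -> Tuple[bool, str]:
    """Decide whether `op` may proceed. `presented` is the set of factors the
    caller verified for this request (empty set = none)."""
    if op == "withdraw":
        if acct.withdraw_frozen_until and now < acct.withdraw_frozen_until:
            return False, "withdrawals frozen after a security-setting change"
        limit = acct.whitelist.get(address)
        if limit is not None and amount <= limit:
            return True, "whitelisted address within its limit"
        # Above the limit, or not whitelisted: full re-verification.
        if not _step_up_ok(acct, presented):
            return False, "step-up required for this withdrawal"
        return True, "ok after step-up"
    if op in STEP_UP_OPS and not _step_up_ok(acct, presented):
        return False, "step-up required: present the strongest bound factor"
    if op in FREEZE_OPS:
        acct.withdraw_frozen_until = now + FREEZE_DURATION
        return True, "ok; withdrawals frozen for 24h"
    return True, "ok"


def issue_new_totp_secret(acct: Account, presented, now: datetime) -> Optional[str]:
    """Reveal a fresh authenticator secret only after step-up verification;
    the rotation itself starts the withdrawal freeze. Returns None if refused."""
    allowed, _ = authorize(acct, "rotate_totp", presented, now)
    if not allowed:
        return None
    return base64.b32encode(secrets.token_bytes(20)).decode()
```

The two behaviours the article criticises map directly onto this: `issue_new_totp_secret` returns nothing until the strongest bound factor has been presented, so the new key is never shown to an unverified caller, and any password change or factor reset sets `withdraw_frozen_until`, so the freeze does not depend on whether the login came from a new device.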
However, the community later erupted with rumors of possible collusion between internal and external parties, especially regarding the disclosure of some users' information.
OKX's Haiteeng stated that the leakage of customer information was due to "someone forging judicial evidence to obtain the information of a very small number of customers." So far, no insider ("mole") has been found.
OKX released a statement regarding recent security incidents involving individual customer accounts: "It has been verified that someone forged judicial evidence to obtain the information of very few customers. This matter is currently under investigation by judicial authorities, and we cannot disclose more specific details. We have optimized the process of judicial cooperation, introduced a verification mechanism, strengthened the security level of AI facial recognition, and will introduce an expiration mechanism for authenticated addresses in the address book to prevent such incidents from happening again."
Star Xu stated that OKX has upgraded to a new generation of AI facial recognition for resetting security items and introduced dual manual review for requests to reset security items on accounts with balances above a certain threshold, to ensure that such face-swap attacks on facial recognition cannot recur. For the few customers whose information was obtained through forged judicial procedures, OKX has placed their accounts under monitoring to ensure asset security.
The matter is not yet over. Singapore market maker QuantMatter claimed that its OKX institutional account had been compromised on May 30, with 11.6 million USD transferred to multiple whitelisted addresses, converted to BTC, ETH, USDC, and USDT, and then sent to on-chain addresses. Unlike the previous cases, the market maker stated that it had set up an offline Google Authenticator, and that withdrawals required dual authentication via email and GA, managed by the founder and a partner. This suggests the attacker passed the offline GA check, i.e. obtained the market maker's GA secret or valid codes. More than ten days later, the cause of the theft remains undetermined by the market maker, the security firms it engaged, or OKX, and further investigation is needed. The market maker has reported the incident to the Singapore police and has engaged more than five security firms to investigate.
Star Xu responded to this: "This account has no commonalities with other cases, and the timing is completely different. We are currently conducting an in-depth investigation. What can be confirmed is that complete logs show that the withdrawal was initiated from the web interface, and the withdrawal request entered the complete GA and email verification codes."
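Both the GA-versus-SMS exchange between Star Xu and Dilation Effect and the QuantMatter case turn on one property of TOTP-based authenticators: the app holds a static seed, and anyone who obtains that seed (from a cloud backup, a synced Google account, or an exported provisioning QR code) produces exactly the same codes as the legitimate device, so "complete GA codes were entered" says nothing about who entered them. The following added example, not code from Google, OKX or QuantMatter, implements RFC 6238 TOTP and a provisioning-URI round trip to make that concrete; the seed is the RFC 6238 reference seed, and the issuer and label in the URI are assumptions.

```python
"""Constructed RFC 6238 TOTP implementation (not Google's, OKX's or
QuantMatter's code) showing that whoever holds the seed holds the codes.
Uses the RFC 6238 reference seed; the otpauth label and issuer are assumptions."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, quote

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift,
    compared in constant time."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP), code):
            return True
    return False


def otpauth_uri(issuer: str, label: str, secret: bytes) -> str:
    """The provisioning URI an authenticator app scans; cloud backups and
    exports carry this same secret."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={b32}&issuer={quote(issuer)}")


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Recover the raw seed from a provisioning URI, which is all an attacker
    with a synced backup or exported QR code needs to mint valid codes."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0]
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding stripped by the app
    return base64.b32decode(b32)


# RFC 6238 reference seed (constructed input for the demonstration).
RFC_SEED = b"12345678901234567890"
```

Two consequences follow for the cases above. First, `verify` accepts a code within a small time window, so a stolen code is only useful for about a minute, whereas a stolen seed is useful until the authenticator is rotated. Second, an "offline" authenticator is only offline if the seed never left the device: a cloud-synced copy or a retained provisioning QR code is a second, silent authenticator, which is why Dilation Effect's advice to disable cloud backup matters.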
On June 7, OKX caused Bitcoin network congestion due to a script error. Bitcoin network fees surged to 520 sat/vB (~$52), causing congestion. OKX (bc1quh…0r8l2d) was suspected of consolidating and aggregating user wallets. At the time there were over 330,000 unconfirmed transactions on the Bitcoin network, with mempool memory usage reaching 1.35 GB. The abnormal consolidation fees raised questions in the community, to which OKX responded that the team had been testing a consolidation program, which has now been halted.
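A consolidation job that bids 520 sat/vB is exactly the failure a pre-broadcast fee-rate guard exists to catch. The following is an added, constructed example and is not OKX's consolidation script: it estimates the virtual size of an all-P2WPKH consolidation transaction from the standard serialization layout and refuses to broadcast when the effective fee rate exceeds an operator-set cap. The per-field byte sizes are the usual P2WPKH estimates (a 72-byte DER signature is assumed), and the cap value is an assumption.

```python
"""Constructed fee guardrail for a UTXO consolidation job (not OKX's script).
Sizes follow the standard P2WPKH serialization; the fee-rate cap is an
assumption an operator would set from current mempool conditions."""
import math

# Non-witness bytes weigh 4 WU each, witness bytes 1 WU; vsize = ceil(weight / 4).
NON_WITNESS_OVERHEAD = 8   # version(4) + locktime(4); varint counts added separately
WITNESS_OVERHEAD = 2       # segwit marker + flag
INPUT_NON_WITNESS = 41     # prev txid(32) + vout(4) + empty scriptSig length(1) + sequence(4)
INPUT_WITNESS = 108        # item count(1) + sig len(1) + DER sig(72, assumed) + key len(1) + pubkey(33)
OUTPUT_P2WPKH = 31         # amount(8) + script length(1) + OP_0 <20-byte hash>(22)


def varint_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def vsize(num_inputs: int, num_outputs: int = 1) -> int:
    """Estimated virtual size (vB) of an all-P2WPKH consolidation transaction."""
    non_witness = (NON_WITNESS_OVERHEAD + varint_len(num_inputs) + varint_len(num_outputs)
                   + num_inputs * INPUT_NON_WITNESS + num_outputs * OUTPUT_P2WPKH)
    witness = WITNESS_OVERHEAD + num_inputs * INPUT_WITNESS
    return math.ceil((4 * non_witness + witness) / 4)


def fee_for_rate(num_inputs: int, sat_per_vb: float, num_outputs: int = 1) -> int:
    """Absolute fee in satoshis needed to hit a target fee rate."""
    return math.ceil(vsize(num_inputs, num_outputs) * sat_per_vb)


def fee_rate(fee_sats: int, num_inputs: int, num_outputs: int = 1) -> float:
    """Effective fee rate in sat/vB for a given absolute fee."""
    return fee_sats / vsize(num_inputs, num_outputs)


def guard_broadcast(fee_sats: int, num_inputs: int, max_sat_per_vb: float) -> bool:
    """Pre-broadcast check: refuse any consolidation whose effective fee rate
    exceeds the operator's cap, so a bug that mis-sizes the fee or the input
    set trips here instead of on the network."""
    return fee_rate(fee_sats, num_inputs) <= max_sat_per_vb
```

Because vsize grows almost linearly with the input count (about 68.5 vB per P2WPKH input on top of the fixed overhead), a consolidation that is mistakenly sized for a handful of inputs but signed with hundreds will overpay by orders of magnitude; checking the effective rate against the actual signed input count, rather than trusting the rate the script was configured with, is what makes the guard useful.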
On June 11, data showed a significant outflow of funds from OKX. Defillama indicated that OKX had a net outflow of 204 million USD in the past 24 hours and 630 million USD in the past 7 days, exceeding the total outflow of other exchanges, with total reserve assets of 21.64 billion USD. In contrast, Binance had a net inflow of 1.364 billion USD in the past 7 days.
Another exchange, Binance, also experienced an incident recently.
On June 3, 2024, a Twitter user recounted how they lost 1 million USD due to downloading a malicious Chrome extension, Aggr, raising concerns about extension risks and the security of their crypto assets. This incident was primarily the user's responsibility. He Yi responded: "Binance has already added big data alerts and manual double confirmation for sudden price fluctuations, and will increase verification frequency for plugin operation and cookie authorization based on user differences. Additionally, Binance has provided some compensation to affected users."
Regarding the previous wash trading incident, Binance co-founder He Yi stated that the product had placed more emphasis on user-friendliness and was not strict enough. After this experience and lesson, they will raise the current risk control standards and levels. At the time, they noticed price fluctuations, but the risk control team did not consider it a major issue. However, she does not believe that "friendly competitors" engage in self-theft.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.