Today, a user claimed that they were hacked while making a transfer with the OKX Web3 wallet, losing 50,000 USDT during a swap for TRX. OKX officials have since issued a statement in response.
(Background: Browsing theft: Analysis of Chrome Extension Theft Incident)
Two days ago, a Binance user suspected they had installed a malicious browser extension that led to their account funds being stolen, a loss of 1 million US dollars. Today, another user (0xNing0x) revealed that a user of OKX, another globally renowned exchange, was also “hijacked” while using the swap page of the OKX Web3 wallet, losing 50,000 USDT.
Hacking Incident:
The victim reconstructed the incident as follows: a new address had just received USDT on the Tron network. When they tried to transfer the funds out, they would most likely have used the swap function built into the OKX Web3 wallet. As shown in the left image below, the wallet indicates in the top left corner that the TRX balance is insufficient, together with a redirect link to “Supplement TRX”.
The victim stressed that the theft happened on the page this link leads to (shown in the right image below). The hacker hijacks this page and transfers 100 TRX to the user within a very short time. When the user clicks the swap button, a permission authorization confirmation box appears, which the user takes to be the confirmation prompt for swapping TRX. Once the user clicks “confirm,” the hacker has obtained permission over the user’s address.
The victim emphasized that the hacker’s criminal activity continued until yesterday and always followed the same modus operandi:
1. Identify the target user.
2. Transfer 100 TRX to the target user’s address.
3. Hijack the user’s swap page, so that the “swap” and “confirm” buttons the user clicks are in fact the confirmation buttons for an authorization (permission) update.
4. Holding permission over the user’s address, the hacker subsequently transfers out the funds.
The victim also noted that the final step, transferring the funds, need not happen immediately, because the hacker already holds the account permission. The user is unaware of this until a transfer of their own fails with an insufficient-permission notification; only then do they realize they have been hacked.
Because the funds still appear in their address, an unaware user may well keep depositing into it. This is why the hacker is in no hurry to withdraw the user’s funds.
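The pattern described above, a swap confirmation that is really an account permission update, is something a wallet can detect before the user signs, and something a user can audit afterwards. The following is an added example, not code from OKX, SlowMist or the reporting user. It assumes that the “authorization update” the victim signed was a Tron AccountPermissionUpdateContract (the page’s references to stolen account permission and later “insufficient permission” errors point that way) and uses the field names of a Tron full node’s HTTP API (an unsigned transaction’s raw_data.contract[].type and parameter.value, and wallet/getaccount’s owner_permission and active_permission). All addresses and inputs are constructed placeholders.

```python
"""Pre-signing check for Tron transactions plus a post-hoc account permission audit.

Added example, not code from OKX, SlowMist or the reporting user. It assumes the
JSON shapes of a Tron full node's HTTP API: an unsigned transaction with
raw_data.contract[].type / parameter.value, and a wallet/getaccount response
with owner_permission / active_permission. All addresses and inputs below are
constructed placeholders, not the real incident data.
"""
from typing import Dict, List

# Contract types a user who pressed "swap" would legitimately be asked to sign.
EXPECTED_SWAP_TYPES = {"TransferContract", "TransferAssetContract", "TriggerSmartContract"}
# The contract type that rewrites which keys may sign for the account.
PERMISSION_UPDATE = "AccountPermissionUpdateContract"

# Constructed placeholder addresses (not valid base58 Tron addresses).
VICTIM = "T_VICTIM_PLACEHOLDER"
ATTACKER = "T_ATTACKER_PLACEHOLDER"


def foreign_keys(permission: Dict, own_address: str) -> List[str]:
    """Key addresses listed in a permission block that are not the account itself."""
    return sorted({k["address"] for k in permission.get("keys", []) if k["address"] != own_address})


def check_unsigned_tx(tx: Dict, own_address: str) -> List[str]:
    """Return warnings for an unsigned transaction; an empty list means it looks like a swap.

    A wallet should run this before rendering the confirm dialog: a user who
    pressed "swap" must never be silently asked to sign a permission update.
    """
    warnings = []
    for contract in tx.get("raw_data", {}).get("contract", []):
        ctype = contract.get("type")
        value = contract.get("parameter", {}).get("value", {})
        if ctype == PERMISSION_UPDATE:
            foreign = foreign_keys(value.get("owner", {}), own_address)
            for active in value.get("actives", []):
                foreign += foreign_keys(active, own_address)
            if foreign:
                warnings.append(f"CRITICAL: {ctype} gives signing rights to {sorted(set(foreign))}; "
                                "this is a handover of the account, not a swap")
            else:
                warnings.append(f"WARNING: {ctype} changes account permissions")
        elif ctype not in EXPECTED_SWAP_TYPES:
            warnings.append(f"WARNING: unexpected contract type {ctype} for a swap")
    return warnings


def audit_account_permissions(account: Dict, own_address: str) -> List[str]:
    """Findings from a wallet/getaccount response: any signing key that is not the owner.

    Useful after the fact, since the victims described above only noticed the
    theft when a later transfer failed for lack of permission.
    """
    findings = []
    foreign = foreign_keys(account.get("owner_permission", {}), own_address)
    if foreign:
        findings.append(f"owner permission held by {foreign}")
    for active in account.get("active_permission", []):
        foreign = foreign_keys(active, own_address)
        if foreign:
            findings.append(f"active permission {active.get('permission_name')!r} held by {foreign}")
    return findings


# Constructed sample: a permission update dressed up as the swap confirmation.
DISGUISED_TX = {"raw_data": {"contract": [{
    "type": PERMISSION_UPDATE,
    "parameter": {"value": {
        "owner_address": VICTIM,
        "owner": {"permission_name": "owner", "threshold": 1,
                  "keys": [{"address": ATTACKER, "weight": 1}]},
        "actives": [{"permission_name": "active", "threshold": 1,
                     "keys": [{"address": ATTACKER, "weight": 1}]}],
    }}}]}}

# Constructed sample: a genuine swap, i.e. a call into a DEX contract.
GENUINE_SWAP_TX = {"raw_data": {"contract": [{
    "type": "TriggerSmartContract",
    "parameter": {"value": {"owner_address": VICTIM,
                            "contract_address": "T_DEX_CONTRACT_PLACEHOLDER",
                            "data": "deadbeef"}}}]}}

# Constructed sample: what getaccount would show once the disguised update is on chain.
COMPROMISED_ACCOUNT = {
    "address": VICTIM,
    "owner_permission": {"permission_name": "owner", "threshold": 1,
                         "keys": [{"address": ATTACKER, "weight": 1}]},
    "active_permission": [{"permission_name": "active", "threshold": 1,
                           "keys": [{"address": ATTACKER, "weight": 1}]}],
}

if __name__ == "__main__":
    for name, tx in (("disguised", DISGUISED_TX), ("genuine", GENUINE_SWAP_TX)):
        print(name, check_unsigned_tx(tx, VICTIM) or ["looks like a swap"])
    print("account audit:", audit_account_permissions(COMPROMISED_ACCOUNT, VICTIM))
```

The key design point is that the check keys on the contract type rather than on anything the page or dialog says about itself: a hijacked page controls the labels on its buttons, but it cannot change the fact that the transaction it hands to the wallet is a permission update naming a key other than the user’s own. The audit function covers the other half of the incident, where a user who has already signed such an update would otherwise not learn of it until a transfer fails.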
The victim claims that the hacker monitors large USDT deposits from the Tron network into OKX Web3 wallet addresses and acts on that information. They pointed to one of the hacker’s addresses, THDkuJMo2DeKoDzZfaKnNjepuziCbu75ej, stating that thefts from this address began on December 7th last year and have occurred dozens of times since.
@0xNing0x also warned that, judging by on-chain activity, this hacker is likely an organized group that is still active today, with numerous victims, so increased vigilance is required.
OKX Official Response: Suspected mnemonic leakage, SlowMist: Suspected phishing
This incident has caused widespread concern in the community. However, OKX executive Haiteng responded that there are no clear signs that the wallet was hijacked:
Haiteng stated that security has always been a priority for OKX, and although there are no specific indications, they will continue to investigate the allegations made by the victims.
SlowMist’s Chief Information Security Officer also responded: