OKX users compensated after SIM-swap attack

OKX, the world’s second-largest cryptocurrency exchange by trading volume, has quietly reimbursed users who lost funds in a SIM-swap attack last week, according to Chinese crypto reporter Wu Blockchain.

The attackers exploited a vulnerability in the exchange’s SMS notification system. They sent fake messages that appeared to originate from Hong Kong, tricking the victims into creating new API keys with withdrawal and trading permissions.

A flaw in OKX’s two-factor authentication (2FA) security system was reportedly discovered after the incident. Users were able to switch from 2FA to less secure verification methods, such as SMS verification, during sensitive operations on the platform. This allowed the attackers to bypass more robust security measures.

In response, OKX has launched an investigation and contacted the affected users, promising to take full responsibility if the platform is found to be at fault. Despite these assurances, the security concerns have led to large outflows from the platform.

According to DefiLlama, users have withdrawn $204 million on June 10 and $633 million over the past week, totaling $837 million. These mass withdrawals have made OKX the exchange with the largest outflows in the past seven days, while its main competitor, Binance, has seen a net inflow of $1.364 billion during the same period.

Wu Blockchain highlighted several issues in OKX’s security settings. The exchange does not trigger a 24-hour withdrawal ban after sensitive operations such as disabling phone verification, disabling GA verification, or changing the login password; withdrawal bans apply only when logging in from a new device. Furthermore, withdrawals to whitelisted addresses are not subject to dynamic verification based on the withdrawal amount: once an address is added to the whitelist, withdrawals up to the limit can proceed without further verification.
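The three weaknesses described above (a factor downgrade to SMS during sensitive operations, no withdrawal hold after a security-setting change, and whitelisted addresses exempt from amount-based verification) map onto a small policy model. The following is an added example, not OKX’s code or anything published by Wu Blockchain; the factor ranking, the set of sensitive operations, the 24-hour hold and the step-up threshold are assumptions chosen to illustrate the controls a defender would want.

```python
"""Added example (not OKX's code): a minimal account-policy model that closes the
three gaps described in the article. All names, thresholds and durations are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

# Assumed factor strength ranking: hardware/WebAuthn > authenticator app (TOTP) > SMS.
FACTOR_RANK = {"sms": 1, "totp": 2, "webauthn": 3}

# Assumed list of operations that must never fall back to a weaker factor and that
# start a withdrawal hold when completed (mirrors the operations named in the article).
SENSITIVE_OPS = {
    "disable_phone_2fa", "disable_totp", "change_password",
    "create_api_key", "add_whitelist_address",
}
WITHDRAWAL_HOLD = timedelta(hours=24)      # assumption: 24-hour hold after a sensitive change
WHITELIST_STEP_UP_LIMIT = 10_000.0         # assumption: re-verify above this amount, even to whitelisted addresses


@dataclass
class Account:
    factors: Set[str]                       # factors enrolled on the account
    whitelist: Set[str] = field(default_factory=set)
    hold_until: Optional[datetime] = None   # withdrawals blocked until this time


def strongest_factor(account: Account) -> str:
    """The strongest factor the user has enrolled is the bar for sensitive operations."""
    return max(account.factors, key=FACTOR_RANK.__getitem__)


def authorize_sensitive_op(account: Account, op: str, factor_used: str,
                           now: datetime) -> Tuple[bool, str]:
    """Reject any factor weaker than the strongest enrolled one (no SMS downgrade),
    then start the withdrawal hold so a compromised session cannot cash out immediately."""
    if op not in SENSITIVE_OPS:
        raise ValueError(f"unknown sensitive operation: {op}")
    if factor_used not in account.factors:
        return False, "factor not enrolled on this account"
    if FACTOR_RANK[factor_used] < FACTOR_RANK[strongest_factor(account)]:
        return False, "downgrade to a weaker factor is not permitted for sensitive operations"
    account.hold_until = now + WITHDRAWAL_HOLD
    return True, "ok; withdrawals held for 24h"


def authorize_withdrawal(account: Account, address: str, amount: float,
                         factor_used: Optional[str], now: datetime) -> Tuple[bool, str]:
    """Enforce the hold, the whitelist, and amount-based step-up even for whitelisted addresses."""
    if account.hold_until is not None and now < account.hold_until:
        return False, "withdrawal hold active after a security-setting change"
    if address not in account.whitelist:
        return False, "destination address is not whitelisted"
    if amount > WHITELIST_STEP_UP_LIMIT:
        strongest = FACTOR_RANK[strongest_factor(account)]
        if factor_used is None or FACTOR_RANK.get(factor_used, 0) < strongest:
            return False, "step-up verification with the strongest factor required for this amount"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: SMS and TOTP enrolled, one whitelisted address.
    t0 = datetime(2024, 6, 10, 12, 0, 0)
    acct = Account(factors={"sms", "totp"}, whitelist={"addr-A"})
    print(authorize_sensitive_op(acct, "create_api_key", "sms", t0))    # denied: SMS downgrade
    print(authorize_sensitive_op(acct, "create_api_key", "totp", t0))   # allowed, hold starts
    print(authorize_withdrawal(acct, "addr-A", 100.0, None, t0 + timedelta(hours=1)))   # denied: hold
    print(authorize_withdrawal(acct, "addr-A", 50_000.0, "sms", t0 + timedelta(hours=25)))  # denied: step-up
```

The model deliberately ranks factors rather than treating them as interchangeable: a verification flow that accepts "any enrolled factor" is exactly what lets an attacker who controls the phone number complete operations the stronger factor was meant to protect.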

SIM-swapping is a major concern in the crypto world because people in these circles are more likely to hold valuable assets that attackers want to target.

Numerous online services, including email accounts, digital wallets, and cryptocurrency exchanges, offer users an added layer of security through SMS-based two-factor authentication. These services treat the phone number, and therefore the SIM card, as a person’s unique identifier. Because a phone number can be transferred to an attacker’s SIM, relying solely on text-based two-factor authentication is a cybersecurity mistake.