OKX and its security partner SlowMist are investigating a major security breach that stole millions of dollars from two user accounts.
The incident on June 9 involved a SIM swap attack, raising concerns about the vulnerabilities associated with SMS-based two-factor authentication (2FA) mechanisms.
The investigation also sheds more light on the growing sophistication of phishing attacks and the ongoing security challenges in crypto and Web3.
SlowMist founder Yu Xian reported on X (formerly Twitter) that the attack involved creating a new API key with withdrawal and trading permissions. Although the amount stolen is unclear, Xian noted that “millions of dollars of assets were stolen.”
“The SMS risk notification came from Hong Kong, and a new API Key was created (with withdrawal and trading permissions, which is why we suspected a cross-trading intention before, but it seems that it can be ruled out now),” Xian stated.
The breach appears to have abused OKX’s 2FA flow: once the attackers controlled the victim’s phone number, they could switch the account to a lower-security verification method and whitelist withdrawal addresses using SMS verification alone. While the investigation is ongoing, SlowMist has indicated that OKX’s 2FA mechanism itself may not have been the primary vulnerability.
Instead, the attackers sidestepped the stronger 2FA factor by falling back to the weaker SMS verification path. An analysis by Web3 security group Dilation Effect likewise concludes that this fallback is what let the attackers carry out the unauthorized actions.
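The mitigation implied by the paragraph above is a "no downgrade" rule: a sensitive account action must be approved with at least the strongest factor the account has enrolled, so a phone number captured by SIM swap cannot on its own unlock whitelist changes or withdrawal-capable API keys. The following is an added example, not code from OKX, SlowMist or Dilation Effect; the action names, the factor ranking, the choice of TOTP as the minimum for withdrawal-related actions and the sample request sequence are all assumptions constructed for illustration.

```python
# Added example (not OKX's or SlowMist's code): a step-up authorization
# policy that refuses to approve a sensitive account action with a weaker
# factor than the strongest one the account has enrolled. Action names,
# factor ranking and the replayed request sequence are assumptions.
from dataclasses import dataclass
from enum import IntEnum


class Factor(IntEnum):
    """Authentication factors ranked by assurance; higher is stronger."""
    PASSWORD = 0
    SMS = 1           # bound to a phone number, so defeated by SIM swap
    TOTP = 2          # authenticator app bound to a device
    HARDWARE_KEY = 3  # FIDO2/U2F, phishing resistant


# Minimum factor each sensitive action needs, regardless of enrolment
# (assumed policy: anything touching withdrawals needs at least TOTP).
ACTION_FLOOR = {
    "change_2fa_method": Factor.TOTP,
    "add_withdrawal_whitelist": Factor.TOTP,
    "create_api_key_withdraw": Factor.TOTP,
    "withdraw": Factor.TOTP,
}


@dataclass(frozen=True)
class Account:
    user: str
    enrolled: frozenset  # set of Factor members the user has set up

    def strongest(self) -> Factor:
        return max(self.enrolled)


@dataclass(frozen=True)
class Request:
    account: Account
    action: str
    factor_used: Factor
    factor_verified: bool  # whether the OTP / assertion actually checked out


def authorize(req: Request) -> tuple:
    """Return (allowed, reason).

    For sensitive actions the required factor is the higher of the action's
    floor and the strongest factor the account has enrolled, so an SMS code
    can never substitute for an enrolled TOTP or hardware key (no downgrade).
    Non-sensitive actions only need their floor.
    """
    if not req.factor_verified:
        return False, "factor not verified"
    floor = ACTION_FLOOR.get(req.action, Factor.PASSWORD)
    if req.action in ACTION_FLOOR:
        required = max(floor, req.account.strongest())
    else:
        required = floor
    if req.factor_used < required:
        return False, f"{req.action} requires {required.name}, got {req.factor_used.name}"
    return True, "ok"


def replay(events) -> list:
    """Evaluate a sequence of requests; returns [(action, allowed), ...]."""
    return [(e.action, authorize(e)[0]) for e in events]


# Constructed account: the victim had SMS and an authenticator app enrolled.
VICTIM = Account("victim", frozenset({Factor.PASSWORD, Factor.SMS, Factor.TOTP}))

# Constructed sequence modelled on the path described above: after a SIM swap
# the attacker can pass SMS verification, so they try to switch the account
# to SMS-only 2FA, whitelist an address, and mint a withdrawal-capable key.
INCIDENT_PATH = [
    Request(VICTIM, "change_2fa_method", Factor.SMS, True),
    Request(VICTIM, "add_withdrawal_whitelist", Factor.SMS, True),
    Request(VICTIM, "create_api_key_withdraw", Factor.SMS, True),
]

if __name__ == "__main__":
    for action, allowed in replay(INCIDENT_PATH):
        print(f"{action:28s} via SMS -> {'ALLOWED' if allowed else 'DENIED'}")
    ok, reason = authorize(Request(VICTIM, "add_withdrawal_whitelist", Factor.TOTP, True))
    print(f"add_withdrawal_whitelist via TOTP -> {reason}")
```

Under this policy every step of the replayed sequence is denied, because the account has TOTP enrolled and SMS ranks below it; the same whitelist change approved with the authenticator app succeeds. The design choice worth noting is that the 2FA method change itself is treated as a sensitive action, since allowing it to be approved by the weaker factor is exactly what turns a SIM swap into a full account takeover.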
One of the crypto theft victims expressed gratitude for being compensated by the OKX team.
This incident shows the growing sophistication of phishing attacks. For example, earlier in June, a Chinese trader lost $1 million in a sophisticated scam involving a compromised