On September 11, 2024, Indodax — Indonesia's largest cryptocurrency exchange — detected unauthorised outflows from its hot wallets. Total losses settled at roughly $20 million across Ethereum, BNB Chain, Polygon, Tron and a handful of other networks.
What happened
Indodax did not publicly disclose a full technical post-mortem. The on-chain signature was the by-now familiar pattern: simultaneous unauthorised hot-wallet activity across multiple chains, immediate cross-chain bridging into mixers, and a coordinated laundering campaign in the hours after.
Several security firms attributed the operation to Lazarus / TraderTraitor based on TTPs consistent with the Phemex and DMM Bitcoin attacks earlier and later in the same year. Indodax did not officially confirm attribution.
Aftermath
- Indodax paused operations for roughly 24 hours, rotated hot-wallet keys, and resumed trading with replenished balances from internal reserves.
- Affected users were made whole.
- No public recoveries from the attacker's addresses.
Why it matters
Indodax illustrates that 2024 was the year the multi-chain hot-wallet compromise became a routine threat. Five mid-tier exchange hits in twelve months — BtcTurk, WazirX, BingX, Indodax, DMM Bitcoin — share the same operational fingerprint. The pattern is now so well documented that exchanges without per-chain HSM partitioning are effectively running a known operational risk.
Sources & on-chain evidence
- [01]blockchaingroup.iohttps://blockchaingroup.io/compliance-and-regulation/top-10-crypto-losses-of-2024-hacks-frauds-and-exploits/
- [02]cryptotimes.iohttps://www.cryptotimes.io/2024/12/30/in-2024-crypto-lost-2-2-billion-to-hackers-top-5-hacks/