BingX

Raw content extract from web search (WebFetch tool not available).

BingX Hack — September 19–20, 2024

Summary

BingX, a Singapore-based centralized exchange, suffered a hot wallet exploit. Initial reports placed losses at $43M; later reports estimated up to $44.7M–$52M. Most stolen assets were swapped to ETH and BNB on Uniswap and KyberSwap.

Timeline

• BingX detected "abnormal network access" at ~4 AM Singapore time on September 20, 2024.

• First wave: ~$26M drained.

• Second wave (a few hours later): ~$16.5M drained.

• More than 360 different altcoin tokens were stolen, in addition to stablecoins.

Root Cause

The attacker gained access to BingX's hot wallets across multiple blockchains, with at least ten different exploit addresses. The cross-chain compromise indicates BingX likely stored copies of its private keys in a single, centralized repository — a single point of failure. A safer architecture would be multi-signature or MPC wallets that distribute private key shares.

Response

• BingX CPO Vivien Lien stated: "The total loss is minimal and manageable. This incident will not affect our ongoing business operations. Trading services continue as usual. Withdrawals and deposits are temporarily delayed and are expected to be restored within 24 hours at the latest."

• BingX promised a full refund to all affected users.