M2 Exchange

M2 Exchange Hack - October 31, 2024

Overview

On October 31, 2024, the Abu Dhabi-based crypto exchange M2 reported an exploit that drained approximately $13.7 million from its hot wallets across multiple chains, including Ethereum (ETH), Bitcoin (BTC), and Solana (SOL).

Timing and Detection

• The incident occurred on October 31, 2024 at around 3:16 AM local time

• M2 reported a targeted attack on its hot wallets across multiple blockchain networks

• The exchange claimed to have detected and resolved the incident within 16 minutes

Root Cause

The root cause was an access control vulnerability in M2's hot wallet infrastructure. This flaw allowed the attacker to bypass standard authorization checks, enabling unauthorized access to the hot wallets holding customer funds on Ethereum, Bitcoin, and Solana chains.

Stolen Assets

• ~$3.7 million in USDT

• ~97 million SHIB tokens

• ~1,378 ETH (~$10 million remaining on Ethereum network at time of reporting)

Attack Vector

The attacker exploited the access-control flaw in M2's hot wallet infrastructure to issue authorized-looking withdrawal transactions across multiple chains, bypassing standard authorization checks.

Response and Recovery

• Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved"

• M2 restored customer funds from their own corporate assets, rather than relying on recovery of the stolen assets

• M2 emphasized its commitment to customer protection, assuming full responsibility for potential losses

• Worked closely with authorities on the investigation

Sources

• UAE's M2 crypto exchange hacked for $13.7M, assures full fund recovery - CryptoSlate

• M2 Exchange Hack: A Multi-Chain Heist Revealed - QuillAudits

• Why UAE-Based M2 Crypto Exchange Lost $13.7M in Hack - CoinGape

• M2 Exchange - Rekt News

• M2 Exchange Restores Customer Funds Following $13.7 Million Cybersecurity Incident - Unlock-BC