Today, a user claimed that they encountered a hacker attack while using the OKX Web3 wallet for transferring funds, resulting in a loss of 50,000 USDT during the TRX exchange process. In response to this, OKX officials have also issued a statement.
The day before yesterday, a Binance user suspected that they had downloaded a malicious browser extension and had their account funds stolen, a loss of 1 million USD. Then this morning, X user @0xNing0x revealed that a user of another major global exchange, OKX, was "hijacked" while on the exchange page of the OKX Web3 wallet, losing 50,000 USDT.
Hijacking Process:
The victim gave a detailed account of the incident. A new address had just received USDT on the TRON blockchain, but when they tried to transfer it out they had no TRX for gas, so they went to use the exchange function built into the OKX Web3 wallet. As shown in the left image below, the top-left corner shows an insufficient-TRX notice together with a link to "Supplement TRX".
The victim emphasized that the theft happened on the page that link opens (shown in the right image below). The hacker hijacks this page and, within a very short time, transfers 100 TRX to the user. When the user clicks the exchange button, a permission authorization confirmation box pops up, which the user takes to be the confirmation prompt for the TRX exchange. Once the user clicks "confirm", the hacker has taken over the permissions of the user's address.
The victim emphasized that the hacker’s criminal behavior was ongoing until yesterday and that the modus operandi was always the same:
1. Confirm the target user.
2. Transfer 100 TRX to the target user’s address.
3. Hijack the user's exchange page so that the user clicks fake "exchange" and "confirm" buttons, which are actually the confirmation of an account permission update.
4. The hacker obtains the permission of the user’s address and subsequently transfers the funds.
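The mechanism in the four steps above is a change to the TRON account's owner/active permission set, which is why the funds still sit in the victim's address afterwards. The script below is an added example (not code from OKX, SlowMist, or the victim) showing two defensive checks a wallet or a user could run: an audit of an account's current permissions for keys that are not the account's own, and a preview of what a pending AccountPermissionUpdateContract would do before it is signed. The JSON layout mirrors a TRON node's getaccount reply and transaction format as I know it; the addresses, balances and transactions are constructed placeholders, and all function names are mine.

```python
import json

# Constructed sample data in the shape of a TRON node's /wallet/getaccount
# reply (visible=true, base58 addresses). Both addresses are placeholders.
VICTIM = "TVictimPlaceholderAddress00000000000"      # hypothetical
ATTACKER = "TAttackerPlaceholderAddress0000000000"  # hypothetical
OPS = "7fff1fc0033e0000000000000000000000000000000000000000000000000000"

# After the scam: the owner key has been swapped for the attacker's key and
# the attacker has also been added to the active permission.
HIJACKED_ACCOUNT = {
    "address": VICTIM,
    "balance": 100_000_000,  # 100 TRX in sun: the bait deposit
    "owner_permission": {"permission_name": "owner", "threshold": 1,
                         "keys": [{"address": ATTACKER, "weight": 1}]},
    "active_permission": [{"type": "Active", "id": 2, "permission_name": "active",
                           "threshold": 1, "operations": OPS,
                           "keys": [{"address": VICTIM, "weight": 1},
                                    {"address": ATTACKER, "weight": 1}]}],
}

# Untouched account: only the owner's own key appears anywhere.
HEALTHY_ACCOUNT = {
    "address": VICTIM,
    "balance": 100_000_000,
    "owner_permission": {"permission_name": "owner", "threshold": 1,
                         "keys": [{"address": VICTIM, "weight": 1}]},
    "active_permission": [{"type": "Active", "id": 2, "permission_name": "active",
                           "threshold": 1, "operations": OPS,
                           "keys": [{"address": VICTIM, "weight": 1}]}],
}

# The transaction behind the fake "confirm" button: a permission update
# whose proposed owner key belongs to the attacker (constructed).
PENDING_TX = {"raw_data": {"contract": [{
    "type": "AccountPermissionUpdateContract",
    "parameter": {
        "type_url": "type.googleapis.com/protocol.AccountPermissionUpdateContract",
        "value": {
            "owner_address": VICTIM,
            "owner": {"permission_name": "owner", "threshold": 1,
                      "keys": [{"address": ATTACKER, "weight": 1}]},
            "actives": [{"permission_name": "active", "threshold": 1,
                         "operations": OPS,
                         "keys": [{"address": VICTIM, "weight": 1},
                                  {"address": ATTACKER, "weight": 1}]}],
        }}}]}}

# A plain transfer for comparison: nothing to flag.
TRANSFER_TX = {"raw_data": {"contract": [{"type": "TransferContract"}]}}


def audit_permissions(account: dict, self_address: str) -> list[dict]:
    """Return one finding per foreign key in owner/active permissions, plus a
    finding wherever self_address alone can no longer meet the threshold."""
    findings = []
    perms = []
    if "owner_permission" in account:
        perms.append(account["owner_permission"])
    perms.extend(account.get("active_permission", []))
    for perm in perms:
        name = perm.get("permission_name", "?")
        threshold = perm.get("threshold", 1)
        self_weight = 0
        for key in perm.get("keys", []):
            if key["address"] == self_address:
                self_weight += key["weight"]
            else:
                findings.append({"permission": name, "issue": "foreign_key",
                                 "address": key["address"], "weight": key["weight"]})
        if self_weight < threshold:
            findings.append({"permission": name, "issue": "self_cannot_sign",
                             "self_weight": self_weight, "threshold": threshold})
    return findings


def preview_permission_update(tx: dict, self_address: str) -> list[dict]:
    """Before signing: if tx is a permission update, audit the permission set
    the account WOULD have afterwards. Other contract types return []."""
    contract = tx["raw_data"]["contract"][0]
    if contract["type"] != "AccountPermissionUpdateContract":
        return []
    value = contract["parameter"]["value"]
    proposed = {"owner_permission": value.get("owner", {}),
                "active_permission": value.get("actives", [])}
    return audit_permissions(proposed, self_address)


if __name__ == "__main__":
    print("current account:", json.dumps(audit_permissions(HIJACKED_ACCOUNT, VICTIM), indent=1))
    print("pending tx:", json.dumps(preview_permission_update(PENDING_TX, VICTIM), indent=1))
```

The useful property is that preview_permission_update reports the same findings for the unsigned transaction as audit_permissions reports for the already-hijacked account, so a wallet can show "this changes who controls your account" instead of a generic confirm box, and a user who suspects they clicked through one can run the audit on their live account rather than waiting for a transfer to fail with an insufficient-permissions error.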
The victim also noted that the final step, moving the funds out, may not happen right away: the hacker already holds the permissions of the account, while the user remains unaware until a later transfer fails with an insufficient-permissions error.
Not knowing this, users may keep depositing into the address because they can still see the funds sitting in it, which is also why the hacker is in no hurry to drain it.
The victim claims that when users deposit large amounts of USDT on the TRON blockchain into the OKX Web3 wallet, the hacker monitors and picks up this information. They pointed to one of the hacker's addresses, THDkuJMo2DeKoDzZfaKnNjepuziCbu75ej, stating that thefts from this address date back to December 7th of last year, with dozens of transactions so far.
@0xNing0x also warned that, judging from the on-chain activity, this hacker is likely an organized operation that is still active today with numerous victims, so extra vigilance is needed.
(Image: Screenshot of using the OKX Web3 wallet to supplement TRX (exchange for gas))
OKX’s Official Response: Suspected mnemonic leakage, SlowMist: Suspected phishing
This incident has drawn wide attention in the community. However, OKX executive Haiteng responded that there is no clear evidence that the wallet was hijacked:
Haiteng said that security has always been a top concern for OKX and that, although there is no clear indication of it, they will continue to investigate the "app hijacking" the victims have raised.
SlowMist’s Chief of Security also responded: