Rob Behnke
September 24th, 2024
BingX is a Singaporean CEX that suffered a hack in September 2024. A compromised hot wallet resulted in an estimated $52 million being stolen from the exchange.
Compromised CEX hot wallets have been a common trend throughout 2024. Some of the biggest hacks of the year include DMM Bitcoin, WazirX, and Indodax, all of which are CEXs compromised via hot wallet hacks. Many of these incidents were potentially attributed to the Lazarus Group, the North Korean APT that specializes in social engineering attacks and has recently turned its hand to crypto.
In the case of BingX, the attacker gained access to the CEX’s hot wallets across multiple blockchains and used at least ten different exploit addresses. After collecting various types of crypto, the attacker swapped them to ETH, another common tactic used by the Lazarus Group.
Approximately an hour after the exploit, BingX responded by freezing withdrawals and posting a statement on Twitter/X that claimed that they were performing temporary wallet maintenance that would be completed within 24 hours. A later post by the organization’s Chief Product Officer (CPO) downplayed the $52 million theft as a minor loss of funds and promised that all stolen customer funds would be reimbursed from the CEX’s reserves.
The BingX hack was a classic example of a CEX suffering a large-scale theft from hot wallets. Many CEXs — including BingX — hold the majority of their assets in cold storage, where private keys are kept on non-networked devices. However, they must retain a certain amount of liquidity in hot wallets to support withdrawals, and these wallets can be exposed to potential attackers.
In most cases, these attacks are enabled by hot wallets that are managed by a single private key. If an attacker can gain access to this private key — through social engineering, malware, or other means — they can transfer crypto out of the associated wallet. The scale of this incident, with multiple different hot wallets compromised across different chains, indicates that BingX likely stored copies of its private keys in a single, centralized repository.
A better approach to hot wallet security is to use multi-signature or multi-party computation (MPC) wallets, which require access to multiple private keys to perform a transaction. This distributes the risk and reduces the probability that an attacker will gain full control over a wallet.
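The k-of-n approval rule behind a multi-signature wallet, as an added Go example (not code from BingX or from this post). Ed25519 signatures stand in for on-chain signing, it does not model MPC, and the `Policy`, `Keyring` and `Approval` types, signer names and request string are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Approval is one signer's signature over the exact withdrawal request.
type Approval struct {
	Signer string
	Sig    []byte
}

// Keyring maps signer names to public keys; no signing material is stored.
type Keyring map[string]ed25519.PublicKey

// Policy is a k-of-n approval rule over a Keyring.
type Policy struct {
	Threshold int
	Signers   Keyring
}

// Enroll registers a signer and returns its approve function; the key stays in the closure.
func (p *Policy) Enroll(name string) func(req string) Approval {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	p.Signers[name] = pub
	return func(req string) Approval { return Approval{name, ed25519.Sign(priv, []byte(req))} }
}

// Authorize reports whether Threshold distinct enrolled signers signed req.
func (p *Policy) Authorize(req string, approvals []Approval) bool {
	valid := map[string]bool{}
	for _, a := range approvals {
		if pub, ok := p.Signers[a.Signer]; ok && ed25519.Verify(pub, []byte(req), a.Sig) {
			valid[a.Signer] = true // set semantics: a repeated approval counts once
		}
	}
	return len(valid) >= p.Threshold
}

func main() {
	p := &Policy{Threshold: 2, Signers: Keyring{}}
	ops, risk, _ := p.Enroll("ops"), p.Enroll("risk"), p.Enroll("treasury")
	req := "chain=eth;to=0xCONSTRUCTED;amount=100" // constructed sample request
	fmt.Println(p.Authorize(req, []Approval{ops(req), ops(req)}))  // one stolen key, replayed
	fmt.Println(p.Authorize(req, []Approval{ops(req), risk(req)})) // two distinct signers
}
```

Counting distinct verified signers, rather than the number of valid signatures, is what keeps a single compromised key from meeting the threshold by submitting its approval more than once.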
To learn more about protecting your personal wallets against this type of attack, check out our blog on wallet security best practices.