On February 28, 2025, Wemix, a developer of blockchain-based games, was the victim of a hack. However, the incident that caused over $6 million in losses only became public several weeks later.
Inside the Attack
Wemix develops games with numerous on-chain elements, including its own cryptocurrency (WEMIX), play-to-earn (P2E) models, an NFT, and some DeFi elements. The attack against the platform targeted the company’s service monitoring system for NILE, its NFT platform.
The root cause of the incident was the theft of authentication keys used to access the monitoring system for NILE. While the exact means by which the keys were stolen is unknown, the company believes that the attackers compromised a shared repository where a developer had uploaded the keys for more convenient access.
The attackers stole the keys two months before they carried out their attack in late February, providing them with the time to plan. When the attack was executed, the hackers attempted fifteen withdrawals of WEMIX tokens. The thirteen successful withdrawals netted them an estimated 8.6 million WEMIX tokens, which were laundered through various exchanges.
While the incident was identified — and reported to the authorities — on February 28th, the company delayed a public announcement. The alleged reason for this silence was that the company didn’t initially know how it was breached, and an announcement could result in follow-on attacks.
Additionally, since much of the stolen tokens were already sold, the company was concerned that a public revelation could have caused a market crash. However, the token’s price dropped nearly 40% between the hack and the public announcement.
Lessons Learned from the Attack
The Wemix hack is another example of a recent focus on off-chain attacks targeting exposed private keys and authentication credentials. In this case, a developer allegedly uploaded the credentials to a repository where the attackers may have gained access to them.
This incident underscores the importance of having strong security practices in place for private keys and other credentials. This data should be stored in a secure vault, such as a hardware wallet for private keys or a password manager for API keys and other credentials. Additionally, multi-sig wallets or multi-factor authentication should be in place where applicable to reduce the risk that an attacker can use stolen credentials.
Designing secure processes and practices is just as important as a smart contract audit for DeFi security. For help in protecting your protocol against similar security threats, reach out to Halborn.