Explained: The XT Exchange Hack (November 2024)


Rob Behnke

December 2nd, 2024


In November 2024, XT Exchange, a centralized exchange (CEX) based in the Seychelles, was the victim of a hack. The attacker stole an estimated $1.7 million from the exchange’s wallets, later swapping it to ETH.

Inside the Attack

CEX hacks have become a common occurrence, and their most common cause is a compromised private key. A CEX often needs a certain amount of liquidity on hand to handle withdrawal orders, and this crypto is stored in a hot wallet. If an attacker gains access to the private key that controls this wallet, they can drain its funds.

After the incident was detected, XT Exchange froze all withdrawals on its platform. Like many other breached CEXes, it initially claimed that the freeze was due to maintenance and wallet upgrades.

However, the actual cause of the freeze was the theft of tokens from the project’s platform. In total, an estimated $1.7 million in crypto was stolen, including 12 different types of tokens. The attacker later swapped the stolen tokens for 461.58 ETH.

In a later statement, the exchange acknowledged the hack and confirmed that an unusual transfer had occurred from the project’s wallets. It also stated that it maintains reserves of 1.5x all user deposits, so user funds were safe despite the theft.

Lessons Learned from the Attack

Like many CEX hacks, the most likely cause of the XT Exchange hack was a compromised private key. This would allow the attacker to access the exchange’s account and use the privileges associated with it, including the power to transfer various tokens from that wallet to the attacker’s address.

These incidents highlight the fact that private key security is a fundamental component of a blockchain security strategy. Blockchain’s identity management and transaction validation system depends on the assumption that only the legitimate owner of an account knows the associated private key and can generate valid digital signatures for that address.

Implementing private key security best practices is essential to protect against these types of attacks. While storing some tokens in a hot wallet may be essential for an organization’s business, using a multi-sig or multi-party computation (MPC) wallet to protect this account reduces the risk of a compromised private key. To learn more about how to protect your blockchain accounts from being compromised, check out our blog on private key security best practices.

© Halborn 2024. All rights reserved.