Bilaxy Exchange Suffers Security Breach with a Loss of $21 Million
Summary
On August 28, 2021, Bilaxy, a Seychelles-based centralized exchange, experienced a security breach, resulting in a loss of approximately $21 million. The attacker compromised Bilaxy’s hot wallet and transferred roughly 300 tokens, including notable cryptocurrencies such as USDT, USDC, UNI, and Bilaxy Token(BIA), among others. As of August 16, 2023, the attacker still controls various tokens worth roughly $3,628,005.
Attackers
The identity of the attackers remains unknown. The funds were transferred to the following address:
Losses
The total loss from this security breach amounts to approximately $21 million.
Timeline
- August 28, 2021, 06:19 PM UTC: The first malicious transaction took place with a transfer of 58 ETH.
- August 28, 2021, 07:00 PM UTC: The Bilaxy website was suspended for emergency maintenance.
- August 29, 2021, 01:41 AM: Bilaxy announced the hack on their Twitter and advised against deposits.
- August 30, 2021, 03:00 PM UTC: Bilaxy provided a detailed update on its Telegram channel, disclosing the timeline of the incident.
- August 30, 2021, 03:08 PM UTC: Bilaxy released a statement on Twitter saying that only some tokens were affected and other native assets such as BTC or ETH were safe.
- August 30, 2021, 03:26 PM UTC: 200 ETH were laundered via Tornado Cash mixer in two transactions: one, two
Security Failure Causes
- Private Key Compromise: The attack was facilitated through a compromise of Bilaxy’s hot wallet, allowing the attacker to gain control over various assets.
- Insufficient Security Measures: Bilaxy’s lack of focus on security, insufficient blockchain monitoring, absence of two-factor authentication (2FA) in some layers of the protocol, and overall lack of transparency.