IoTeX reported that it contained a hack and lost around $2 million, on-chain analyst estimates put the theft at $4.3 million.
Summary
- IoTeX secures a $2M exploit and sets up a series of security improvements.
- Analysts estimate $4.3M after tokenization and cross-chain trading.
- Exchanges and law enforcement work to stop stolen funds.
The blockchain platform said it had contacted exchanges and law enforcement to freeze the stolen funds following what it called “a long-planned attack by professional actors targeting multiple chains.”
On-chain analyst Specter posted that IoTeX’s private key may have been compromised, leading to multiple contract assets being issued including USDC, USDT, IOTX, PAYG, WBTC, and BUSD.
The attacker exchanged the stolen goods for ETH and converted 45 ETH to Bitcoin, while generating 111 million CIOTEX tokens.
IoTeX said that blockchain operations and deposits will resume 24-48 hours after the security upgrade is completed.
IoTeX counters with a $4.3M loss estimate and $2M validation
IoTeX’s initial statement acknowledged “suspicious activity involving IoTeX’s secure token” and noted that “the potential loss is lower than the rumors suggest.”
The team said it is engaged in extensive discussions with security partners who are continuing to help track and stop the attacker’s assets.
The updated statement confirmed that “the impact of the exploit is about $2M USD (including USDC, USDT, IOTX, and WBTC).”
Specter’s analysis showed the attacker consumed multiple contract assets and executed a multi-step fraud process.
The stolen funds were exchanged for ETH, with at least 45 ETH blocked in Bitcoin where tracking becomes more difficult. The creation of 111 million CIOTEX tokens indicates that an attacker has gained control of token issuance operations.
The chain is protected by a 24-48 hour downtime for upgrades
IoTeX has suspended chain operations following the discovery. “Our team has contained this situation and the IoTeX chain is secure,” the forum announced.
Deposits and normal operations will resume within 24-48 hours pending the completion of the security upgrade.
The team is working with law enforcement to investigate and recover the funds. IoTeX has also committed to transparent updates as the situation develops.
