On September 20, 2024, the BingX cryptocurrency exchange, based in Singapore, became the third major Asian exchange this year to suffer a cyberattack, with hackers making off with over $52 million from its hot wallets. The attack, following similar breaches at Indodax and WazirX, has once again raised questions about the adequacy of regulatory frameworks for ensuring robust cybersecurity in the crypto sector.
The Story of the BingX Hack
At approximately 4 a.m. on September 20, BingX’s technical team detected unusual withdrawal activity, triggering an emergency protocol that saw the exchange freeze all withdrawals and transfer assets to cold wallets. Despite the swift response, hackers managed to steal $52 million from the exchange’s hot wallets, which are more vulnerable to cyberattacks due to their online nature.
In the aftermath, BingX reassured users that the majority of their funds were safe, stored in cold wallets that remained untouched by the attack. BingX has pledged to fully compensate users for the stolen assets through its capital reserves, demonstrating a strong commitment to customer security. As of today, the exchange has managed to freeze $10 million of the stolen assets and continues working with blockchain security firms, including SlowMist and Chainalysis, to track down the remaining funds.
While certain withdrawal services have resumed, BingX is conducting additional checks and overhauling its wallet infrastructure to prevent future breaches.
Are Regulatory Frameworks Falling Short?
The BingX hack highlights an important issue: Regulation doesn’t always mean security. BingX operates under regulatory oversight in Lithuania and Australia, ensuring compliance with AML and KYC standards. However, these regulatory frameworks often focus more on financial rules, such as anti-money laundering, rather than addressing critical elements like cybersecurity, custody practices, insurance coverage, and the use of cold wallets for asset protection.
In jurisdictions like Lithuania, regulation may grant exchanges the “license to bank,” ensuring they meet compliance requirements. However, this regulatory stamp of approval often does not translate into strict standards for technical security and the cyber resilience needed to fend off sophisticated attacks. The focus on legal compliance leaves exchanges more vulnerable to breaches, as demonstrated by BingX and other recent hacks in the region.
Cyberattacks in Asia: A Growing Trend
The BingX hack is part of a troubling trend, as Asian cryptocurrency exchanges have become prime targets for cybercriminals in 2024. Indodax and WazirX both suffered significant breaches earlier this year, and hackers are increasingly targeting exchanges with high trading volumes and large liquidity pools. While these platforms are often regulated, the security measures enforced by regulators do not always keep up with the rising sophistication of these attacks.
The reliance on hot wallets—which are connected to the internet for liquidity purposes—makes even regulated exchanges vulnerable to theft. Without enhanced security protocols, such as cold wallet storage and insurance-backed protection, these platforms are at risk of falling prey to cybercriminals.
The Need for Stronger Focus on Security
BingX’s situation demonstrates that regulatory compliance alone is not enough to protect user assets. While financial compliance with AML/KYC rules is essential, cybersecurity standards need to be just as robust. Effective regulation should encompass comprehensive security measures, including cold wallet usage, multi-layered cyber defenses, and insurance to cover potential losses.
In addition to enhanced regulation like in the UAE, exchanges must implement third-party security audits and real-time threat detection systems to better guard against the ever-evolving tactics used by hackers. The gap between regulatory compliance and security has been made clear by the attacks on BingX, Indodax, and WazirX, exposing the need for stronger safeguards across the board.
