Cyber Incident Victim: OKEx

Date: Aug 2017

Location: China

Summary

A Bitcoin exchange experienced unauthorized withdrawals totaling over 600 Bitcoin (approximately $3 million) after users began reporting compromised accounts, with some tracing logins to German IP addresses. The platform denied any breach of its systems, attributing the losses to individual account compromises resulting from phishing or insufficient user security measures. Affected customers included users of both the exchange and its sister platform, though the company asserted all client assets remained secure. Following the incidents, the exchange publicly emphasized the importance of enabling two-factor authentication to mitigate such risks.

Description

In late August 2017, customers of cryptocurrency exchanges OKEx and OKCoin began reporting unauthorized withdrawals from their accounts, with rumors of a potential hack circulating by the end of the month. Multiple users observed funds disappearing from their accounts, with some noting German IP addresses had accessed their accounts shortly before the thefts occurred. The cumulative losses exceeded 600 Bitcoin, valued at approximately 20 million Chinese yuan (equivalent to $3 million USD at the time of reporting in October 2017). One individual user reported losing more than 200 Bitcoin in the incident. While most affected accounts belonged to OKEx customers, some OKCoin users also experienced similar thefts, with both platforms being sister exchanges operated by the same Chinese company. The thefts prompted public allegations that the exchanges had suffered a security breach, though no technical evidence of a platform-level compromise was disclosed by users or external investigators.

OKEx and OKCoin management categorically denied any breach of their systems, issuing formal statements in early October 2017 refuting claims of a hack. Lennix Lai, Director of Financial Markets for both exchanges, asserted that all client assets remained secure and attributed the losses exclusively to compromised individual accounts. The company maintained that attackers gained access through user-specific vulnerabilities such as weak passwords, reused credentials, or successful phishing campaigns rather than exploiting exchange infrastructure. In response to the incidents and subsequent negative publicity, OKEx published a security advisory urging customers to enable two-factor authentication (2FA) on their accounts as a protective measure. The exchanges did not disclose whether they implemented additional security controls, reimbursed affected users, or collaborated with law enforcement regarding the German IP addresses linked to the unauthorized logins. At the time of reporting, OKCoin ranked as the world's sixth-largest Bitcoin exchange by transaction volume, while OKEx held the 46th position overall among cryptocurrency trading platforms.
