The blockchain subsidiary of Wemade, a KOSDAQ-listed company, Wemix Foundation, has belatedly announced that it was hacked and lost 9 billion won worth of cryptocurrency, causing controversy. The foundation explained that there was no intention to conceal the hacking, and the announcement was delayed due to concerns about the possibility of additional attacks and market panic.
Kim Seok-hwan, the CEO of Wemix Foundation, said at an emergency briefing held at the Wemade headquarters on the 17th, "There was no thought or attempt to conceal the hacking," and "The announcement was delayed to prevent concerns about additional attacks and market confusion."
Earlier, the Wemix Foundation announced the incident through its official website on March 4, four days after the hacking occurred. The foundation said that on February 28, about 8,654,860 Wemix coins were abnormally withdrawn due to a malicious external attack on the Play Bridge Vault.
Play Bridge is a system that allows Wemix to be connected to other blockchain networks, and the Play Bridge Vault plays a role in storing virtual assets in this process. The hacking targeted this wallet.
Regarding this, the CEO said, "As soon as we became aware of the problem, we immediately shut down the affected server and conducted a detailed analysis," and "We filed a complaint with the Seoul Metropolitan Police Agency's Cyber Investigation Unit on the same day, and the National Investigation Headquarters is currently investigating."
He also emphasized, "If we had announced it hastily before the hacking route was identified, the risk of additional attacks could have increased, and there was a possibility of causing market panic, so we were cautious."
According to the Wemix Foundation, this hacking was carried out by stealing the authentication key for the service monitoring system of the Non-Fungible Token (NFT) platform 'NILE'.
The attacker, after meticulously preparing for about 2 months, infiltrated the system and arbitrarily generated abnormal transactions, attempting 15 withdrawals. Two of them failed, but 13 were successful, resulting in the theft of a total of 8,654,860 Wemix. The attacker is believed to have sold the assets through overseas exchanges.
The most likely cause of the initial hacking route is an incident where a worker uploaded related data to a shared storage for development convenience in mid-July 2023. The CEO said, "While we can't be 100% sure, this is the most likely cause of the incident," and "It is presumed to be the work of a professional hacker."
Some have raised the possibility of involvement by the North Korean hacking group 'Lazarus', but Wemade said that based on external security consultations, it is currently difficult to see it as the work of Lazarus.
The Wemix Foundation has announced measures to protect investors from the hacking damage. As the first response, they announced a 10 billion won buyback (market purchase) plan on the 13th, and the next day, they also announced an additional purchase plan of 20 million units. The goal is to normalize the service by the 21st.
The CEO said, "We will strengthen communication with investors and re-examine and improve the crisis response protocol," and explained that the buyback will be carried out through domestic exchanges.
The Digital Asset Exchange Association (DAXA), a consultative body of domestic virtual asset exchanges, designated Wemix as a trading caution item and suspended deposits on the same day the Wemix Foundation announced the hacking damage. The future support for Wemix trading remains unclear.
