As a result, I apologize for the insufficient timing of the communication. We are reviewing all suspicious penetration scenarios and transferring the blockchain-related infrastructure to a new environment with the goal of fully resuming services by the 21st of this month.
Kim Seok-hwan, CEO of the Wemade blockchain subsidiary WEMIX Foundation, which suffered about 9 billion won in cryptocurrency theft due to a hacking incident last month, noted on the 17th during a press meeting held at Hancom Tower in Seongnam, Gyeonggi Province, that he would address the incident's progress, response issues, and future plans. Kim said, "I apologize to all ecosystem participants who were affected by the hacking incident," and stated that he would do his best to normalize the ecosystem through swift recovery efforts and thorough investigations and security measures to prevent recurrence.
Earlier, the WEMIX Foundation announced on the 4th that approximately 8,654,860 WEMIX coins were stolen due to a malicious external attack on the cryptocurrency wallet "Play Bridge Vault" on the 28th of last month. The estimated damage amounts to about 8.75 billion won. Play Bridge is a system for transferring WEMIX to another blockchain network, and Play Bridge Vault is a wallet that stores virtual assets during this process.
According to the investigation by the WEMIX Foundation, the attacker stole authentication keys used for monitoring the service of the WEMIX non-fungible token (NFT) platform "Nile" and attempted 15 abnormal transactions, ultimately stealing the WEMIX coins that were stored in the vault. With 13 out of 15 attacks successful, the attacker withdrew the WEMIX to two separate wallets. It is estimated that the stolen WEMIX was later deposited into seven overseas exchanges, including KuCoin and BitMart, and most of it was sold.
As of now, the attacker has not been identified. The WEMIX Foundation stated, "It seems to be the work of a professional hacker" but noted that according to the opinions of internal and external security experts, they do not place significant weight on the possibility of involvement by the North Korean hacking organization "Lazarus."
The WEMIX Foundation stated that it is exploring all possibilities to determine the cause of the incident. Based on the investigations conducted so far, it reports that the most likely path of initial leakage occurred from materials uploaded to a public repository by a systems worker in July 2023. Kim mentioned, "While it has not been fully specified, it is the most likely initial leakage path and cause of the incident," adding that they have identified the possibility of hacking during the authentication process through the materials and have addressed additional breach scenarios.
Additionally, they explained that the reason for not immediately notifying the public about the incident right after the hacking occurred was a concern about potential additional hacking and market panic. Previously, the collective council of cryptocurrency exchanges (DAXA) identified the WEMIX team as having delayed the announcement by four days after the hacking incident. Kim stated, "There was not the slightest thought or attempt to conceal the hacking," and acknowledged that while they had identified that the hacking occurred through internal system intrusions, they had not yet clearly identified potential vulnerabilities, necessitating technical review and measures.
The WEMIX Foundation emphasized that it is focusing all efforts on investor protection and preventing recurrence as they announce plans to resume services on the 21st. Initially, they announced on the 13th that they would implement a buyback of 10 billion won and mentioned plans to purchase an additional 20 million WEMIX on the 14th, indicating that they aim to buy back more WEMIX than what was stolen to recover from the losses incurred due to the hacking.
Following the news of the buyback, WEMIX's price has surged. On the 13th, the closing price for WEMIX on the domestic cryptocurrency exchange Bithumb was 715 won, a 3.92% increase from the previous day. On the 14th, following news of additional purchases, it rose 19.3% to 853 won, and the next day it surged 18.5% to 1,011 won, continuing its climb. As of 10 a.m. today, it stands at around 971 won.
The WEMIX Foundation has replaced all authentication logic in preparation for breach scenarios to prevent the recurrence of hacking incidents. They explained that they transferred all infrastructure and expanded the scope of 24-hour service monitoring. They also added that they would be cautious not to store too many assets in a single vault.
Ahn Yong-woon, the new Chief Technology Officer (CTO) recruited from Bithumb, stated, "When reopening the NFT bridge, we replaced all the keys, so the likelihood of the same issue occurring again, regardless of what keys the attacker had, is low." He added, "Since we do not know what might remain within the server, we changed it to untainted source code. We replaced keys, paths, and infrastructure, which significantly lowers the probability of a similar breach incident occurring."
The WEMIX Foundation also stated that it continues to provide explanations to lift the transaction caution designation by DAXA. DAXA can extend or lift the transaction caution designation or end trading support (delisting) by the 21st.
WEMIX faced delisting from the five major domestic cryptocurrency exchanges, including Upbit, due to issues related to falsely reporting its circulation in 2022. Consequently, Jang Hyun-guk, the former CEO of Wemade, announced that he would use his entire salary to purchase WEMIX, working to increase its value, and successfully relaunched it on major exchanges, excluding Upbit, in December 2023.