XT.com Hit by Access Control Exploit: $1.7M Lost
Hack details
On November 28, 2024, XT.com became the latest victim of a sophisticated Access Control exploit. Here’s how it unfolded:
- 06:48 Attacker executed batched transfers of 7 tokens on Ethereum within 27 blocks
- 07:04 after the halt, attacker still managed to withdraw 0.8 ETH from hot wallet
- 07:04 PeckShield detected suspicious activity
- 07:54 XT.com notified of halting withdrawals
- 08:23 Stolen funds were converted to 461.58 ETH and moved to wallet 0xB43f…8F83
- 2:50 29.11.2024, XT.com partially restored withdrawal functions
Impact Assessment
The total damage amounts to approximately $1.7 million across Ethereum and Optimism networks.
All stolen assets converted to 461.58 ETH.
XT.com Cybersecurity Score
XT.com cybersecurity score – 76/100 on CER.live.
Exchange have a valid penetration testing certificates and runs third-party bug bounty programs, yet these measures proved insufficient against the exploit.
Industry Context
This breach continues a worrying trend. Access Control exploits have already cost the crypto industry $1.4 billion in 2024 – a significant jump from 2023’s $1 billion in losses. These numbers highlight a critical weakness in centralized exchanges’ attidude to prevention of this attack type.
How to prevent
Level 3 CCSS certification, specifically designed to prevent Access Control vulnerabilities, needs to become mandatory. Without enforced security standards, these exploits will likely continue as the crypto market grows. The XT.com breach serves as another expensive reminder: current security measures aren’t enough. As crypto adoption increases, exchanges must adopt stricter security protocols to protect user assets.
