After Delayed Announcement of 'Wemix Hacking'... "There Was No Attempt to Cover Up"

Reasons for Delayed Disclosure of Hacking Incident Revealed

"We Deeply Reflect and Will Quickly Recover Damages"

Company Estimates Cause from Public Repository Data

Wemix Foundation, a blockchain subsidiary of Wemade, emphasized that "there was absolutely no intention or attempt to cover up the hacking" in response to criticism about the delayed announcement of the hacking incident. Wemix suffered a theft of cryptocurrency worth 9 billion won in the hack.

Kim Seok-hwan, CEO of Wemix Foundation (WEMIX PTE. LTD), stated at an emergency press conference held at Wemade headquarters in Pangyo, Seongnam, Gyeonggi Province on the 17th, "The announcement was delayed due to concerns about the possibility of additional attacks and potential market panic from the stolen assets."

On the 4th of this month, the company announced through its website that 'approximately 8,654,860 Wemix coins were abnormally withdrawn due to a malicious external attack on the Play Bridge Vault on February 28.' 'Play Bridge' is a system that transfers Wemix to other blockchain networks, and 'Play Bridge Vault' is the wallet that stores virtual assets during this process. The announcement came four days after the company recognized the hacking damage.

Regarding the response process, CEO Kim said, "Immediately after recognizing the hacking damage on February 28, we shut down the affected server right away and began detailed analysis," adding, "On the same day, we filed a complaint with the Seoul Metropolitan Police Agency's Cyber Investigation Unit against the unidentified attacker, and the National Investigation Headquarters is currently conducting an investigation."

He continued, "In a situation where the infiltration method had not been identified, making a hasty announcement could expose us to additional attacks, so we did not make an immediate announcement," adding, "Most of the stolen assets had already been sold, so the market impact had already occurred, and there was concern that immediately announcing this in a situation where we couldn't guarantee there would be no additional risks could cause market panic."

He emphasized, "I made the decision regarding the disclosure, and if it was wrong, I believe I should take responsibility." Before, during, and after the press conference, CEO Kim bowed his head several times, apologizing to Wemix investors, saying, "We are deeply reflecting on the occurrence of the incident."

According to Wemix, the unidentified attacker infiltrated the system by stealing an authentication key for the service monitoring system of the NFT platform 'Nile.' The attacker then prepared a meticulous attack over two months, creating abnormal transactions and attempting withdrawals 15 times. While 2 attempts failed, 13 succeeded, diverting 8.65 million Wemix coins which were then sold through foreign exchanges.

CEO Kim explained, "We discovered that in mid-July 2023, a worker uploaded related materials to a public repository for development convenience, and while we can't be 100% certain, we believe this is the most likely initial leak path and cause of the incident," adding, "It appears to be the work of professional hackers."

When asked if the Wemix theft was the work of the North Korean hacking group 'Lazarus,' he said, "Based on external security consultation results, we are not currently leaning toward the possibility that it was 'Lazarus.'"

He also outlined investor protection and recurrence prevention measures. CEO Kim explained, "We are checking all suspected infiltration scenarios and moving all blockchain-related infrastructure to a new environment, aiming for complete service resumption by the 21st."

He added, "We will track down the attackers to the end," emphasizing, "We will also review and improve our crisis response protocols, including investor communication."

Regarding the buyback plan, he explained, "Disclosing specific buyback (market purchase) plans could be exploited by arbitrage traders and also poses legal risks," adding, "We will conduct buybacks through domestic exchanges." The Wemade Foundation had previously announced a 10 billion won buyback plan on the 13th, followed by a plan to purchase 20 million coins from the market the next day.

The Digital Asset Exchange Joint Consultative Body (DAXA), a consortium of domestic cryptocurrency exchanges, designated Wemix coin as a cautionary item and suspended deposits on the day Wemix Foundation announced the hacking damage.

Ahn Yong-woon, Chief Technology Officer (CTO) who recently joined Wemade from Bithumb, explained, "Hacking issues are constantly occurring in the virtual asset industry, and I believe recurrence can be sufficiently prevented if exchange security and internal policies are properly established."

CEO Kim said, "It's difficult to talk specifically about the explanation process, but we will do our best to explain to DAXA," adding, "Service normalization is our top priority now, but if a decision is made to terminate trading support, I will address that later."

He concluded, "The path Wemix will walk doesn't end with this hacking," adding, "We will do our best to ensure that Wemix becomes a successful blockchain ecosystem and platform through this incident."

Park Soo-bin, Hankyung.com reporter waterbean@hankyung.com