OKX halts DEX Aggregator over Lazarus Group misuse

Following discussions with regulators, OKX decided to temporarily suspend its DEX aggregator service to prevent further misuse by the Lazarus Group.

“Recently, we detected a coordinated effort by Lazarus group to misuse our defi services,” said OKX on March 17.

“After consulting with regulators, we made the proactive decision to temporarily suspend our DEX aggregator services. This move allows us to implement additional upgrades to prevent further misuse.”

OKX’s helpdesk confirmed that the company took the DEX aggregator offline for an internal review and upgrade, though it did not share an estimated return date.  

OKX also assured users that they would still have access to crypto wallet services, though some markets would temporarily freeze new wallet creation.  

According to Bloomberg’s March 11 report, European financial regulators have launched an investigation into OKX Web3 and its wallet services due to suspected involvement in laundering funds from the Bybit hack.  

“Over the past few days, we’ve faced targeted media attacks questioning our integrity and operations,” the firm stated in a blog post. It added that it “can’t ignore the fact that these attacks are happening at a time when we are actively fighting against financial crime.”

Bybit’s CEO, Ben Zhou, alleged that hackers used OKX’s Web3 proxy to launder about $100 million of the $1.5 billion stolen in the Bybit hack, with some funds now beyond tracing.  

In response to Bloomberg’s article, OKX stated on March 11 that the report was “misleading.” The company asserted that after the Bybit hack, it prevented suspicious funds from reaching its CEX and introduced new security measures.  

Read also: The SEC may drop crypto exchange registration rule

OKX emphasized that explorers should correctly identify the DEX responsible for executing trades rather than mistakenly recognizing its aggregator as the point of trade.  

To enhance security, the exchange introduced a “hacker address detection system” for its DEX aggregator and implemented a system that actively tracks and blocks newly discovered hacker addresses on its centralized exchange.  

“We already rolled out a lot of controls for OKX Web3 to fight with the misuse, including prohibited markets’ IP blocking and real-time black address detection and blocking system,” said OKX CEO Star Xu on March 17.

OKX reiterated that its Web3 DEX aggregator does not hold user assets and clarified that its function is to provide seamless access to liquidity across various protocols. However, “some have deliberately misrepresented our platform,” it said.