Indonesian authorities have arrested a local hacker accused of stealing cryptocurrency worth $398,000 (approximately Rp 6.67 billion) by exploiting a security flaw in the deposit system of the trading platform Markets.com. Following a complaint filed by Finalto International Limited, the owner of London-based Markets.com, the suspect, identified only as HS, was apprehended on Saturday in Bandung, West Java. HS has been charged under Indonesia’s cybercrime and anti-money laundering laws, facing a maximum penalty of 15 years in prison and a fine of up to $900,000.
Attack Methodology: Simple Business Logic Flaw
The attack methodology reveals a fundamental issue in Markets.com’s security system. It was not a complex blockchain hack, but rather a simple flaw in the Web2 application logic. According to investigators, HS discovered an anomaly in how Markets.com handled the deposit amount (nominal) input: regardless of the deposit amount the attacker entered, the platform would create a fraudulent USDT (Tether stablecoin) balance based on that amount, without proper backend validation.
This issue allowed the hacker to fraudulently obtain crypto balances without actually making a payment. It was a business logic flaw resulting from poor integration between the traditional banking system and the crypto balance ledger.
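The flaw class described above, shown beside a hardened form and a reconciliation check. This is an added example, not Markets.com code: the report gives no implementation details, so the ledger, the settlement records and all function names are hypothetical and the sample data is constructed.

```python
from decimal import Decimal

# Constructed sample data: what the payment processor reports server-side.
SETTLEMENTS = {
    "pay-001": {"account": "acct-A", "amount": Decimal("100.00"), "status": "settled"},
    "pay-002": {"account": "acct-B", "amount": Decimal("50.00"), "status": "pending"},
}

class Ledger:
    """In-memory stand-in for the USDT balance ledger (hypothetical)."""
    def __init__(self):
        self.balances = {}
        self.applied = set()  # settlement ids already credited

    def credit(self, account, amount):
        self.balances[account] = self.balances.get(account, Decimal("0")) + amount

def deposit_vulnerable(ledger, account, requested_amount):
    """Flawed pattern: the client-supplied amount becomes the balance."""
    ledger.credit(account, Decimal(requested_amount))
    return True

def deposit_hardened(ledger, account, payment_id, requested_amount):
    """Credit only a settled payment, for its confirmed amount, exactly once."""
    record = SETTLEMENTS.get(payment_id)
    if record is None or record["status"] != "settled":
        return False  # nothing was actually paid
    if record["account"] != account or payment_id in ledger.applied:
        return False  # wrong owner, or settlement replayed
    if Decimal(requested_amount) != record["amount"]:
        return False  # request disagrees with the processor's figure
    ledger.applied.add(payment_id)
    ledger.credit(account, record["amount"])  # processor's amount, not the client's
    return True

def reconcile(ledger):
    """Detection: accounts whose balance exceeds their settled payments."""
    settled = {}
    for rec in SETTLEMENTS.values():
        if rec["status"] == "settled":
            settled[rec["account"]] = settled.get(rec["account"], Decimal("0")) + rec["amount"]
    return sorted(a for a, bal in ledger.balances.items()
                  if bal > settled.get(a, Decimal("0")))
```

Running a check like `reconcile` on a schedule catches credited balances with no matching settlement even when a request path that skips validation slips through review.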
Identity Fraud and Scraped Data
HS did not rely on the technical flaw alone to commit the theft; he also employed identity fraud. He created four fake accounts under the names Hendra, Eko Saldi, Arif Prayoga, and Tosin, using Indonesian National ID information that he illegally gathered from publicly accessible websites.
HS, who had been a crypto trader since 2017, used his experience to identify and exploit this flaw. Cybersecurity consultant David Seahyoun Baeck warns that the use of data scraping suggests the hacker is connected to a larger underground data ecosystem. Experts believe that traditional KYC (Know Your Customer) procedures are becoming merely a “checkbox exercise.” Traditional KYC alone is no longer sufficient, as bad actors can easily create believable fake identities using leaked data and Artificial Intelligence (AI) tools.
Security Experts’ Warning: Web2 Targets
This case indicates a changing trend in crypto attacks. Experts suggest that attackers are now moving away from complex smart contract hacks and are instead looking for “easy entry points in Web2 systems.” Their main targets are flaws like weak APIs, broken access control, and poor backend validation. This highlights the need for crypto exchanges to give equal importance to traditional Web security practices alongside their blockchain security.
Recovered Assets and Implications
Police confiscated several items from HS, including a laptop, mobile phone, and a shophouse. Most importantly, they seized a cold wallet containing 266,801 USDT, valued at approximately $4.2 million. Since this amount is significantly higher than the $398,000 stolen from Markets.com, it is suspected that HS may have been involved in other crypto thefts or accumulated the funds through other means.
A Key Lesson for Crypto Platforms
This attack on Markets.com offers a crucial lesson for cryptocurrency platforms. Even in the pursuit of rapid profits, platforms must rigorously tighten their fundamental secure coding practices and internal code reviews. To maintain financial liquidity and customer trust, every system that handles crypto must be free of business logic flaws that can lead to fraud.









