OKX Halts DEX Aggregator to Prevent Lazarus Misuse

OKX has temporarily halted its decentralized exchange (DEX) aggregator to prevent further exploitation by the North Korean hacking group, Lazarus. 

On March 17, OKX said, "We recently discovered a concerted effort by Lazarus Group to abuse our DeFi services."  

Following discussions with regulators, the exchange proactively suspended its DEX aggregator services to implement security upgrades and prevent further misuse. 

OKX’s helpdesk confirmed that the suspension is for an internal review and system enhancement, but no timeline for resumption was provided. Meanwhile, crypto wallet services remain accessible, though new wallet creation will be paused in select regions. 

We are temporarily pausing our DEX aggregator to address incomplete tagging on blockchain explorers while we also roll out new security features. This is to address the recent coordinated attacks by media along with unsuccessful efforts by Lazarus group to misuse our DeFi… pic.twitter.com/r6oHNIaalT

— OKX (@okx) March 17, 2025

On March 11, Bloomberg reported that European financial regulators were investigating OKX’s Web3 DEX aggregator and wallet services for their alleged involvement in laundering funds from the Bybit hack. 

In response, OKX described recent media coverage as “targeted attacks” aimed at undermining its integrity. The exchange emphasized its commitment to combating financial crime, highlighting that these accusations surfaced while it was actively addressing such issues. 

According to Bybit CEO Ben Zhou stated that nearly $100 million from the $1.5 billion Bybit hack was funneled through OKX’s Web3 proxy, with some funds now untraceable. 

OKX responded to Bloomberg’s report on March 11, calling it “misleading.” The exchange explained that upon detecting the Bybit hack, it took two key actions: freezing related funds from entering its centralized exchange and enhancing its hack detection mechanisms. 

OKX further clarified that its goal is to ensure blockchain explorers correctly display DEX trade sources rather than mistakenly attributing transactions to its aggregator. 

To strengthen security, the exchange has implemented a hacker address detection system for its DEX aggregator, along with real-time tracking and blocking of malicious addresses on its centralized exchange. 

“We have already introduced multiple safeguards for OKX Web3, including IP restrictions for prohibited regions and real-time detection and blocking of blacklisted addresses,” OKX CEO Star Xu stated on March 17. 

The company reiterated that its Web3 DEX aggregator is not a custodian of user funds but merely provides access to liquidity across various protocols. However, it claimed that certain parties have deliberately misrepresented its platform.