The Major Security Flaws of Wirex (WirexApp) Exchange



Scam Alert

Beware of the Wirex Crypto Phishing Email Scam: I Lost 1000 GBP worth of USDT

I was the victim of a scam yesterday and lost about 1355 USDT crypto tokens (worth 1000 GBP) after opening a phishing email on my phone and having my phone number “verified”.

I was doing some housework when I received this phishing email (see below). It looked so real on the Apple iPhone Pro 15 Max, which didn’t reveal the actual email addresses. If I had opened it on a desktop, I would immediately have seen it as a scam/fake email.


The Wirex Scam Email – from Scam domain [email protected]

Anyway, I didn’t think for another second and clicked the link (which didn’t show the URL anywhere, otherwise I would have closed it immediately). I entered the username/password on a phishing website and entered the SMS verification code, and the next thing I knew, my funds were immediately stolen and transferred out. I was so stupid.

Immediately after I verified the SMS, my funds were stolen – they swapped the TRX to USDT and sent it out to an external address on the ERC-20 network (ETH)

The scammer went through all my crypto tokens, exchanged them to USDT, and then sent them out to an external ETH wallet address. I accidentally transferred some TRX a few weeks ago into Wirex Exchange, and was waiting for a higher price to exchange to USDT. The withdrawal fee for TRX at Wirex is a lot higher than the others. For example, HTX charges a 1 TRX withdrawal fee but Wirex charges 49 TRX. Not to mention that Wirex has a higher exchange fee than others.

The scammer exchanged TRX to USDT and transferred the funds out immediately. The WXT wallet was below the withdrawal threshold, and it is great luck that my main asset (XX BTC) was frozen in the X-account. The scammer initiated a withdrawal, which requires 30 days to be unfrozen. Luckily the funds are frozen in the X-account. I did that for an additional 1% extra interest, which saved me!

There is about 450 GBP in the fiat account. The scammer probably didn’t notice, otherwise he would buy the USDT tokens with GBP and nullify the account.

I checked the transaction records of the scammer’s ETH wallet; there are currently 5 victims including me (today).

There are 5 victims today including me (1355 USDT)


The scammer changed my account number to a US phone.

I contacted Wirex Support immediately via email, and this time, they responded quickly (it turns out this was because I am a Wirex Private Customer, i.e. a VIP):

I am truly sorry you faced this. I have forwarded your case to the relevant team for further investigation and will update you once there is any news. Our legitimate email communications can be only from @mail.wirexapp.com or @wirexapp.com email addresses and we never ask to randomly confirm your phone number via email.

Wirex locked my account quickly so that no operations could be made (the assets are safe) while they were investigating the case.

I noticed that while I was re-enabling the 2-FA (I was able to log in to Wirex on a desktop browser because of a valid session/cookie), it was shortly disabled again by the scammer. The password (apart from the phone number) may have also been changed by the scammer.

The next day, they concluded the case, and Wirex says it is 100% my fault. WirexApp didn’t comment or take any meaningful action any further.

We understand how frustrating the situation may be and apologize for the time taken to accomplish the review.

Please let us highlight the following information to help bring in additional clarification to the occurred case:

Please be kindly advised that the following security methods are implemented by Wirex: The Time-Based One Time Password, Biometrics, Push notification, whereas for crypto transfers SMS confirmation is used (more information: here). As you have stated before, you received an email and completed device confirmation which led for an unauthorized activity. The profile information was altered via OTP sent to the original phone number (+44 XXXXXXX). Please be kindly advised that Terms of Service for a personal Wirex account were accepted, please see further details here Wirex | General Terms of Service, as accepting such implies an agreement that you are responsible for all transactions initiated through your Wirex Profile. Unauthorized use of your Wirex Profile may have serious consequences for you, including financial consequences. Ultimately, it is your responsibility to keep your Wirex Profile secure by engaging in the following practices (10. Security).

We highly appreciate your opinion and cooperation. Thank you for sharing your suggestion. Although we understand that this may not be the outcome you were hoping for, our decision is based on the facts from our systems as well as the information you submitted.

Please refer to our complete complaints policy via the link below

I got my account back by changing the password and reverting the phone number. We have to be careful in these days where scammers have been most fussed be careful in the future because security and privacy we don’t have that’s a lie, you just have to be careful and be suspicious and always verify the source.

Security Risks of the Wirex Exchange

In summary, in my opinion, Wirex Exchange has the following security risks (security flaws):

  • Only a phone verification code is needed to disable QR code verification and change the password and phone number, which gives too much authority.
  • I am in the UK (registered account address in the UK), and it allows direct change to a US phone number without triggering a security assessment.
  • Why do scammers have my email? This data leak is closely related to Wirex.
  • As early as February (three months ago), there were similar phishing emails from scammers. Why hasn’t Wirex taken these issues seriously and implemented related measures?
  • There is no cooling period to withdraw funds to new external wallet addresses.
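
The first, second and last points above correspond to three server-side checks: a stronger factor than SMS for sensitive changes, a review when the phone country changes, and a hold on withdrawals to new addresses. The sketch below is an added example, not part of the original post and not Wirex's code; the action names, factor names and the 24-hour cooling period are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration; not Wirex's actual settings.
COOLING_PERIOD = timedelta(hours=24)
SENSITIVE_ACTIONS = {"disable_2fa", "change_password", "change_phone"}
STRONG_FACTORS = {"totp", "biometric"}  # an SMS code is deliberately absent


@dataclass
class Account:
    country: str  # registered country code, e.g. "GB"
    known_addresses: dict = field(default_factory=dict)  # address -> first seen
    last_security_change: Optional[datetime] = None


def authorize_change(acct, action, factors, now, new_phone_country=None):
    """Decide whether a profile change may proceed."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    # A phished SMS code can be relayed in real time, so it is never enough
    # on its own to weaken the account's other protections.
    if not STRONG_FACTORS & set(factors):
        return "deny: stronger factor required"
    if action == "change_phone" and new_phone_country != acct.country:
        return "review: phone country differs from registered country"
    acct.last_security_change = now
    return "allow"


def authorize_withdrawal(acct, address, now):
    """Hold withdrawals to new addresses or soon after a security change."""
    first_seen = acct.known_addresses.setdefault(address, now)
    if now - first_seen < COOLING_PERIOD:
        return "hold: address is new"
    changed = acct.last_security_change
    if changed is not None and now - changed < COOLING_PERIOD:
        return "hold: recent security change"
    return "allow"
```

Replaying the sequence described in this post against these checks, the SMS-only request to disable 2-FA is denied, the switch to a US phone number goes to review, and the first withdrawal to an unseen address is held.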

Wirex came up with a bunch of regulations, saying it was my own problem, completely absolving themselves of any responsibility. As a major exchange, this is extremely irresponsible.


A slightly different incident scam email “Complete Verification Process”

The earliest same scam incident occurred 3 months ago – apparently Wirex does nothing to prevent further incidents.

PS: After I re-verified my account with a selfie (holding a passport ID and a note stating the date), I was given a temporary password, and then it required me to enter the code from the 2-FA Authenticator to unlock the account. I’ve started withdrawing the assets from the X-Account, which requires 30 days, and I’ll transfer them out to a safer exchange, HTX.

Wirex Exchange, your actions have disappointed many loyal customers and eroded their trust. Rebuilding this trust is a challenging, if not impossible, task once it has been lost.

TL;DR: A week ago, I lost some funds by clicking a phishing link which I shouldn’t have clicked. However, at that time, a One-Time Code (SMS) was able to compromise my account and disable the 2-FA factor. This was a security incident but @wirexapp refused to admit it. Now, when I log in to my account, the 2-FA starts to show up.

The chances are very low that the stolen funds will be returned, unless these funds are tracked and someday moved to exchanges which then freeze them. The stolen funds were moved out and transferred to another wallet which shows more than 100K USDT have been stolen (ERC-20 Assets Transfer Records).

I’ve asked WirexApp if they tracked/recorded the stolen funds and they said: Please be kindly advised that the crypto withdrawal information was reported in accordance.

–EOF (The Ultimate Computing & Technology Blog) —
