In brief
- Indonesian police have arrested a local hacker who reportedly exploited a security flaw in Markets.com’s deposit system to steal $398,000 from the platform.
- The suspect allegedly created four fake accounts using scraped national ID data and manipulated the platform’s input system to generate fraudulent USDT balances.
- Police seized evidence including a cold wallet containing 266,801 USDT, worth approximately $4.2 million, along with a shophouse property in Bandung.
Indonesian authorities have arrested a local hacker who allegedly exploited security flaws in trading platform Markets.com’s deposit system to steal $398,000 worth of cryptocurrency.
Police detained the suspect, identified only as HS, on Saturday in Bandung, West Java, following a complaint filed by Finalto International Limited, the London-headquartered owner of Markets.com, according to a local media report.
The operation resulted in losses totaling $398,000 (Rp 6.67 billion) for the trading platform. HS faces charges under Indonesia’s cybercrime and anti-money laundering laws, which carry potential penalties of up to 15 years in prison and fines reaching $900,000 (Rp 15 billion).
Decrypt has reached out to Finalto International for further comment.
Deputy Cybercrime Director Andri Sudarmadi said investigators uncovered how HS allegedly exploited an anomaly in Markets.com’s nominal input system.
The platform reportedly generated USDT balances based on whatever deposit amount the attacker entered, creating an opening for fraudulent gains without proper backend validation.
According to police, HS created four fake accounts under the names Hendra, Eko Saldi, Arif Prayoga, and Tosin, sourcing real identity data by scraping Indonesian national ID information from publicly accessible websites.
Authorities say the suspect, a computer accessories distributor and crypto trader since 2017, used his experience to identify and exploit the system vulnerability.
Police seized a laptop, mobile phone, CPU unit, ATM card, a 152-square-meter shophouse in Bandung, and a cold wallet containing 266,801 USDT worth approximately $4.2 million (Rp 4.45 billion).
KYC “isn’t enough anymore”
Cybersecurity consultant David Sehyeon Baek told Decrypt the scraped ID data indicates that the hacker was “someone plugged into a much bigger underground data ecosystem” rather than being a lone operator.
“A lot of exchanges still treat KYC like a checkbox exercise,” he said, noting the ease with which bad actors can “build convincing fake identities using leaked data and AI tools.”
“Traditional KYC alone just isn’t enough anymore,” Baek said, urging exchanges to adopt “continuous monitoring, device and network intelligence, and better cross-platform collaboration” to detect synthetic identities early.
Baek said the case fits “a very clear industry trend.” He explained that attackers are moving away from complex smart contract hacks and looking for “easier entry points in Web2 systems—things like business logic flaws, weak APIs, broken access control, and poor backend validation.”
These kinds of issues can be addressed by “basic secure coding practices, internal code review, and routine security testing,” the expert added.
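The flaw class police describe (a balance generated from whatever deposit amount was entered, with no backend validation) is shown here beside a validated version, as an added example that is not Markets.com's code. The ledger, settlement records, account names and function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample data: what a payment processor or chain watcher confirmed.
SETTLEMENTS = {
    "ref-001": {"account": "acct-A", "asset": "USDT", "amount": Decimal("25.00"), "status": "confirmed"},
    "ref-002": {"account": "acct-B", "asset": "USDT", "amount": Decimal("10.00"), "status": "pending"},
}

@dataclass
class Ledger:  # hypothetical in-memory ledger
    balances: dict = field(default_factory=dict)
    credited_refs: set = field(default_factory=set)  # settlements already applied

    def credit(self, account, amount):
        self.balances[account] = self.balances.get(account, Decimal("0")) + amount
        return self.balances[account]

def credit_unvalidated(ledger, account, entered_amount):
    """Flaw class from the article: the balance follows whatever amount was entered."""
    return ledger.credit(account, Decimal(entered_amount))

def credit_validated(ledger, account, ref, entered_amount, settlements=SETTLEMENTS):
    """Credit only the settled amount; the entered value is just a monitoring signal."""
    rec = settlements.get(ref)
    if rec is None or rec["status"] != "confirmed":
        return ("rejected", "no confirmed settlement")
    if rec["account"] != account or rec["asset"] != "USDT":
        return ("rejected", "settlement belongs to another account or asset")
    if ref in ledger.credited_refs:
        return ("rejected", "settlement already credited")
    ledger.credited_refs.add(ref)
    ledger.credit(account, rec["amount"])
    try:
        mismatch = Decimal(entered_amount) != rec["amount"]
    except (InvalidOperation, TypeError, ValueError):
        mismatch = True  # unparseable input is itself worth an alert
    return ("credited", "amount mismatch: review" if mismatch else "ok")

if __name__ == "__main__":
    weak, strict = Ledger(), Ledger()
    print(credit_unvalidated(weak, "acct-A", "398000"))              # entered value becomes balance
    print(credit_validated(strict, "acct-A", "ref-001", "398000"), strict.balances)
    print(credit_validated(strict, "acct-A", "ref-001", "25.00"))    # replay of the same settlement
    print(credit_validated(strict, "acct-B", "ref-002", "10.00"))    # settlement not yet confirmed
```

The mismatch flag feeds the kind of continuous monitoring Baek describes: an entered amount that disagrees with the settled one is a signal to review the account even though the credit itself was correct.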
