Blockchain security firm SlowMist has called out two cryptocurrency exchanges that it had identified with serious vulnerabilities affecting fund security on their respective platforms. 

SlowMist’s founder, who uses the pseudonym Evilcos, expressed frustration over the lack of response. 

“Unknown exchanges are truly unreliable,” he wrote on X. “Our security team discovered serious vulnerabilities in two exchanges (directly impacting fund security), but we couldn’t reach anyone, and even public mentions got no response.”

The exchanges in question handle significant daily trading volumes, with one having a 24-hour trading volume of $3.7 billion, while the other manages around $240 million, according to Evilcos.

Disclosure attempts rebuffed

SlowMist issued security notices to Seychelles-registered Azbit and Turkish exchange ICRYPEX Global on December 16 and December 17, respectively. The firm also claimed to have attempted to contact both platforms through direct messages and public posts, following standard responsible disclosure practices, but received no acknowledgment.

ICRYPEX, which was established in 2018 and holds virtual asset service provider licenses in two European Union countries, reports serving millions of users across more than 30 countries.

Azbit was launched in late 2019 and operates in Seychelles; however, earlier this year, the regulator in Seychelles stated that “the company does not, nor has it had any authorization to operate under the Virtual Asset Service Providers Act, 2024, and is simply an international business company (“IBC”) incorporated under the IBC Act.”

The failure to establish contact prompted SlowMist to take the unusual step of publicly disclosing the vulnerability discoveries before resolution, which is a bit concerning, although one may assume that the respective exchanges are already working on them. 

However, a public address or acknowledgement of SlowMist’s findings will go a long way to calm their customers.

Industry-wide security concerns

The incident occurs against a backdrop of persistent security challenges across the cryptocurrency sector. SlowMist’s 2024 annual security report documented 410 security incidents resulting in losses of over $2.013 billion.

Cybersecurity firm CertiK shared that crypto exchanges lost over $29 million in November 2025, ranking second in the list of losses by type after decentralized finance (DeFi).

Best practices recommend that cryptocurrency developers establish contact points for reporting security issues, including long-term public keys for secure communication.

Will the exchanges be reaching out?

SlowMist’s experience of reaching out and not getting any response, while not unique, shows that even established exchanges with considerable user bases may lack adequate channels for receiving critical security intelligence.

This also raises questions about the readiness of crypto exchanges to quickly address vulnerability disclosures.

SlowMist has worked with major exchanges, including Binance, OKX, HTX, and Crypto.com, lending credibility to its security assessments and in plugging the gaps that they find.

Last month, Cryptopolitan reported that the firm SlowMist led an investigation that uncovered vulnerabilities in NOFX AI, an open-source cryptocurrency futures trading system built on DeepSeek and Qwen’s large-language-model architecture, and also shared recommendations on how the issue could be resolved. 

Industry guidelines for responsible disclosure usually recommend that affected parties respond within two working days of initial contact. If no response is received after multiple attempts, security researchers often set a public disclosure of the matter to ensure transparency, especially when funds are involved.

Neither ICRYPEX nor Azbit had responded to the security notices or made public statements regarding the vulnerabilities as of this publication.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.