Security Alarms Ring: SlowMist Exposes Critical Flaws at Azbit and ICRYPEX—Silence Follows
Two crypto platforms just got a failing grade from one of the industry's top security watchdogs—and they're not even picking up the phone.
The Red Flags Are Flying
Blockchain security firm SlowMist has publicly flagged serious vulnerabilities at exchanges Azbit and ICRYPEX. The bombshell? The warnings came only after repeated attempts to contact the platforms privately went completely unanswered. It's the security equivalent of shouting into a void.
When Silence Isn't Golden
The standard protocol is clear: find a flaw, notify the company discreetly, and give them time to patch it. That process collapsed here. The lack of response forced SlowMist's hand, turning a private heads-up into a public alarm bell for all users. It raises a brutal question: if they won't answer their security mail, what else are they ignoring?
A Costly Reputation Hit
In crypto, trust is the most valuable—and most fragile—asset. This public naming and shaming delivers a direct blow to credibility. For users, it's a stark reminder that due diligence extends beyond tokenomics and into the often-opaque world of platform security practices. After all, what's the point of chasing yield if the front door's unlocked?
The episode cuts to the core of crypto's maturation struggle. For every institution promising 'robust frameworks,' incidents like this expose the gaps—where the relentless pursuit of growth sometimes bypasses the boring, essential homework of security. The market might forgive a hack, but it rarely forgets negligence.
Disclosure attempts rebuffed
SlowMist issued security notices to Seychelles-registered Azbit and Turkish exchange ICRYPEX Global on December 16 and December 17, respectively. The firm also claimed to have attempted to contact both platforms through direct messages and public posts, following standard responsible disclosure practices, but received no acknowledgment.
ICRYPEX, which was established in 2018 and holds VIRTUAL asset service provider licenses in two European Union countries, reports serving millions of users across more than 30 countries.
Azbit was launched in late 2019 and operates in Seychelles; however, earlier this year, the regulator in Seychelles stated that “the company does not, nor has it had any authorization to operate under the Virtual Asset Service Providers Act, 2024, and is simply an international business company (“IBC”) incorporated under the IBC Act.”
The failure to establish contact prompted SlowMist to take the unusual step of publicly disclosing the vulnerability discoveries before resolution, which is a bit concerning, although one may assume that the respective exchanges are already working on them.
However, a public address or acknowledgement of SlowMist’s findings will go a long way to calm their customers.
Industry-wide security concerns
The incident occurs against a backdrop of persistent security challenges across the cryptocurrency sector. SlowMist’s 2024 annual security report documented 410 security incidents resulting in losses of over $2.013 billion.
Cybersecurity firm CertiK shared that crypto exchanges lost over $29 million in November 2025, ranking second in the list of losses by type after decentralized finance (DeFi).
Best practices recommend that cryptocurrency developers establish contact points for reporting security issues, including long-term public keys for secure communication.
Will the exchanges be reaching out?
SlowMist’s experience of reaching out and not getting any response, while not unique, shows that even established exchanges with considerable user bases may lack adequate channels for receiving critical security intelligence.
This also raises questions about the readiness of crypto exchanges to quickly address vulnerability disclosures.
SlowMist has worked with major exchanges, including Binance, OKX, HTX, and Crypto.com, lending credibility to its security assessments and in plugging the gaps that they find.
Last month, Cryptopolitan reported that the firm SlowMist led an investigation that uncovered vulnerabilities in NOFX AI, an open-source cryptocurrency futures trading system built on DeepSeek and Qwen’s large-language-model architecture, and also shared recommendations on how the issue could be resolved.
Industry guidelines for responsible disclosure usually recommend that affected parties respond within two working days of initial contact. If no response is received after multiple attempts, security researchers often set a public disclosure of the matter to ensure transparency, especially when funds are involved.
Neither ICRYPEX nor Azbit had responded to the security notices or made public statements regarding the vulnerabilities as of this publication.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
