Security Notice: Third-Party Vendor Incident

Ndax has been notified of a security incident involving its third-party service provider, SumSub.

Ndax relies on SumSub to provide identity verification and know-your-client (KYC) services. On February 2, 2026, SumSub notified Ndax and other customers of a data security incident it detected on January 22, 2026. The incident affected personal information associated with a limited number of customer accounts dating back to July 2024.

Upon learning of the incident, Ndax immediately initiated its incident response plan and retained external cybersecurity experts to assist with the investigation. Ndax is also working closely with SumSub to better understand the scope and impact of the incident.

At this time, there is no indication that Ndax’s systems were compromised.

You can review SumSub’s official statement here. 

Ndax has notified all affected users whose information was accessed without authorization and has outlined the specific information involved.

The following information was not accessed:

• Login credentials (including usernames, passwords, and 2FA codes)
• Identity document images
• Bank account or payment details
• Government-issued identification 

While the accessed information cannot be used to directly access your Ndax account, it could be used in phishing or social engineering attempts.

Such messages may appear authentic and attempt to persuade you to call an unauthorized phone number, click a fraudulent link, disclose personal details, or log into a counterfeit website imitating Ndax that is not hosted on ndax.io.

Ndax encourages all users to remain vigilant against phishing and social engineering risks.

Ndax will never ask you to:

• Provide your password, 2FA codes, or recovery phrase
• Grant remote access to your device
• “Secure” your account through an unsolicited link
• Transfer or move funds to any wallet outside of Ndax
• Download additional apps to your device

If you receive communications claiming to be from Ndax requesting sensitive information, treat them as fraudulent and contact us immediately without responding. Ndax emails are sent only from the ndax.io domain.

Always access your account by typing ndax.io directly into your browser. 

Out of an abundance of caution, we strongly encourage you to:

• Change your Ndax password
• Ensure two-factor authentication (2FA) is enabled
• Review and update your email address on file

You can manage your account security by following the steps outlined in this article:

How do I update my account information on Ndax?

You may also review guidance from the Canadian Centre for Cybersecurity for additional information on protecting yourself from phishing risks. 

Ndax continues to actively monitor the situation and work closely with SumSub and external cybersecurity experts to understand the scope of the incident and ensure appropriate safeguards are in place. Protecting your information remains our top priority.

We have implemented a risk-based enhancement to our withdrawal process, which may result in temporary delays for certain crypto asset withdrawals while additional security checks are completed. In some cases, we may contact you to confirm specific information before processing a transaction.

These measures have been introduced out of an abundance of caution. 

If you have questions about this incident or believe you may have received a phishing message related to it, please contact our support team directly at: [email protected]