Analysts estimate losses from HTX and Heco Bridge hack at $110 million

Justin Sun reported a hacker attack on HTX’s hot wallet and cross-chain bridge Heco Bridge. All platform operations are suspended.

HTX and Heco Cross-Chain Bridge Undergo Hacker Attack. HTX Will Fully Compensate for HTX’s hot wallet Losses. Deposits and Withdrawals Temporarily Suspended. All Funds in HTX Are Secure, and the Community Can Rest Assured. We are investigating the specific reasons for the hacker…

— H.E. Justin Sun 孙宇晨 (@justinsuntron) November 22, 2023

Sun said the exchange would cover the losses itself. Details of the incident will be disclosed after the investigation is completed.

PeckShield researchers were among the first to flag the issue. Initially they noticed withdrawals of 10,145 ETH (~$19 million) from the Heco Bridge.

Update: Total $86.6M worth of cryptos
-346,994 $TUSD
-42,399 $LINK (~$601,641)
-619,000 $USDC
-173,200 $UNI ($931,816)
-346.9M $SHIB (~$2.8M)
-489 $HBTC ($18.8M)
-42M $USDT
-10,145 $ETH (~$19M)

— PeckShieldAlert (@PeckShieldAlert) November 22, 2023

Subsequently, the attacker continued draining other cryptocurrencies, bringing the total damage to about $86.6 million.

PeckShield also noted that the transfers were confirmed by the operator, so a compromise scenario is being considered.

According to Wintermute’s head of research Игоря Игамбердиева, there was an additional HTX exploit of $23.4 million. He asserts that withdrawals occurred immediately after the cross-chain bridge attack and followed a similar pattern.

Heco Bridge was launched to provide low-cost inter-network interaction between Ethereum and HTX’s supported blockchain, Heco Chain. The project combined Tron protocols and the BitTorrent bridge ecosystem.

On November 10, the Sun-owned Poloniex exchange was attacked for $125 million in cryptocurrencies. Then the head of the platform said there had been “successful identification and freezing of part of the assets linked to the hacker’s addresses.” He also proposed returning the coins for a reward of 5% of the stolen amount.

Sun later said that the Poloniex team had identified the offender’s identity, and increased the payout to $10 million. If the hacker does not transfer the funds by November 25, law enforcement from several countries will begin taking action, he warned.

Earlier, HTX lost 5000 ETH ($7.9 million at the time) due to a hot-wallet attack. About two weeks later, the attacker returned the stolen assets for a reward of 250 ETH.