Harmony’s Horizon Bridge has seen funds moving into Ethererum mixer Tornado Cash since the money from Harmony’s bridge began to move into it. This indicates that the attacker does not intend to accept the bounty of $1 million offered.
If the Harmony team decides to obfuscate the ill-gotten gains, then the question remains whether its offer of just 1% of the $100 million in crypto funds stolen on June 24 will be sufficient to convince the exploiter to return the funds. A blockchain analysis by security company shows the hacker’s Ethereum wallet still contains $80 million in ETH tokens as well as about $65,000 worth of other tokens stolen during the bridge exploit, as of the judicious use of three transactions from the hacker’s address on June 23rd for a total of around 30K ETH (around $36 million).
1/ The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM. We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.
— Harmony 💙 (@harmonyprotocol) June 23, 2022
More 🧵
In 2019 Harmony was launched as a proof-of-stake blockchain at layer 1. A Horizon bridge with Harmony’s network allows users to send cryptocurrencies between blockchains including that of Binance Chain, Ethereum, and Harmony’s network.
Using cryptocurrency mixing services, users can hide the origins of their cryptocurrencies by pooling multiple cryptocurrencies in a single pool and mixing them, which is a process commonly used to launder illicitly obtained tokens.
In the hackers’ attack on Thursday, $100 million was stolen in WETH, AAVE, SUSHI, DAI, USDT, and USDC, which were then swapped for Ethereum. Initial reports suggested that it was an exploit of the Harmony protocol by the company, however, it has since declared that it has not found any evidence that a breach of our smart contract code has occurred nor any vulnerabilities on the Horizon platform.
The Ronin Bridge hack in March was also attributed to a similar situation, in which hackers managed to steal about $600 million out of cryptography. It was later on revealed that the Roin attacker which was later branded by the US government as the North Korean-linked hacking group Lazarus had compromised five out of nine validators of the bridge protocol.
A bounty of $1 million was offered by Harmony Protocol on Saturday in exchange for the return of the bridge funds, saying on Twitter that the company would not pursue criminal charges if the funds were returned. As a result of today’s transfers, the offer appears to have been rejected.
Several hours after the hack, Harmony announced to its users that the theft did not affect Harmony’s BTC bridge and that it was working with national authorities and forensic specialists to identify the culprit and recoup the stolen funds. They also stepped up their security.
We have migrated the Ethereum side of the Horizon bridge to a 4-of-5 multisig since the incident, which means that at least four of five separate private keys will be needed to sign and authorize transactions. We will continue taking steps to further harden our operations and infrastructure security.
Stephen Tse, Founder – Harmony
This is yet another token bridge, Horizon, that has been exploited in a growing number of attacks. In 2021, Poly Network was hacked and lost $610 million, which was almost entirely recovered. The Meter, Wormhole, Ronin and Horizon token bridges have all been used to extract over $1 billion through nefarious means in 2022.
