$100 million was stolen in a hacker attack on Horizon Bridge

Hackers withdrew $100 million as a result of a hacker attack on Horizon Bridge service by Harmony. More than half of the stolen funds were laundered through the Tornado.cash mixer.

On June 23, 2022, Horizon Bridge announced on its website as well as on Twitter that the service was temporarily suspending operations because it was attacked by hackers. More than $100 million was stolen by unidentified individuals.

In addition, the Horizon Bridge team announced a $1 million reward for the information that can help to find and recover the stolen funds. The blockchain project also offered not to contact the law enforcement agencies in case the hacker returns the stolen crypto-assets.

Blockchain bridge technology allows users to transfer their crypto-assets from one blockchain to another. For example, using Horizon Bridge service, users can transfer assets, including tokens, stablecoins and NFTs, between Ethereum, Binance Smart Chain and Horizon Bridge blockchains.

The TokenScope Team decided to take a look into the circumstances of the hacker attack on the Horizon Bridge, as well as to track the withdrawal chain over the past 3 days:

• On June 23, 2022, a group of hackers used a vulnerability in the protocol to gain an access to the Horizon Bridge service addresses and transferred funds that were stolen in different currencies within the service into ETH - the amount of the stolen funds totaled 85 837 ETH (at the exchange rate of 1 ETH = $1 200, the equivalent is over $100 million). On the same day, hackers began to concentrate the stolen funds from multiple addresses into one address 0x0d043128146654c7683fbf30ac98d7b2285ded00.

• On 27 June 2022 from this address, the funds in the amount of 18 036.3 ETH were transferred to 0x1ec6f83b55c3f4cefc630442716872ba15f16430 then by 2 transactions of 6 012 ETH each and 1 transaction of 6 009 ETH were distributed to 3 addresses owned by hackers:

  • 0x8a0858888beeb5d1435ecd3657831699f169c3f4
  • 0x4507ac1bdf4ae5e61ffcec3a9aeda312e2505970
  • 0x432a9cb4353bed67ec5351734d4a44c0826847ae

  From the addresses above, on the same day, by multiple transactions of 100 ETH each, funds totaling 18 000 ETH were sent to the address 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b, located on the well-known crypto mixer Tornado.cash.

• On June 28, 2022, funds in the amount of 18 036.3 ETH were withdrawn from the address 0x0d043128146654c7683fbf30ac98d7b2285ded00 to the address 0x809dc735e80be1578ad4fe04a30aa6b7e280c5e4, then by 2 transactions of 6 012 ETH each and 1 transaction of 6 009 ETH were distributed to 3 addresses owned by hackers:

  • 0x20dbccd46eef96a1b78383cf0d26bb575ec00201
  • 0x40efc580e5cb5701797a762990d9e690108dadfd
  • 0x89f89d61644c6e606efb25a01210159f102fbd8b

  From the addresses above, on the same day, by multiple transactions of 100 ETH each, funds in the amount of 18 000 ETH were sent to the address 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b, located on the well-known crypto mixer Tornado.cash.

• On June 29, 2022 from the address 0x0d043128146654c7683fbf30ac98d7b2285ded00, 18 036.3 ETH were transferred to 0x752023bcdd7672755a04e36e2c9770944e9b3ccf then by 2 transactions of 6 012 ETH each and 1 transaction of 6 009 ETH funds were distributed to 3 addresses owned by hackers:

  • 0xec3e23e7a7782b1b2d77901c478823c701d912ea
  • 0x482f32c3e1a851a1dc08931e3087ac5a209f3342
  • 0xe71d5fa89d1086d5c3b0ab03eeee2483d2d5ca97

  From the addresses above, on the same day, by multiple transactions of 100 ETH each, 18 000 ETH were sent to the address 0xd90e2f925da726b50c4ed8d0fb90ad053324f31b, located on the well-known crypto mixer Tornado.cash.

Thus, within 3 days, 54 000 ETH out of 85 837 ETH stolen by hackers were withdrawn via Tornado.cash. crypto mixer using the same transaction scheme.

According to some analysts, Lazarus Group, a group of North Korean hackers could be involved in hacking Horizon Bridge. This assumption is made because the withdrawal of funds presumably occurs according to some algorithm (the amount and the sequence of the withdrawal transactions during 3 days in all cases are identical), as well as the withdrawal time coincides with the time zone of the Asia-Pacific region.

TokenScope Team continues to follow the development of the hacker attack case on Horizon Bridge.

Successful investments in cryptocurrency projects and don't forget to check addresses for risks, it can help to save your funds! Also, you can report us any cases related to specific cryptocurrency addresses and the considered risks at TokenScope via "Reporting a cryptocurrency address" form. This will help to protect other users from the risks of interacting with such addresses and their owners.