HECO Bridge, HTX - REKT



It's been a rough few weeks for Justin Sun.

Today, another $99M went missing as two Sun-linked projects were hacked in short succession.

$86.6M was lost from HECO (Huobi ECO) Chain’s Ethereum bridge, and $12.5M from hot wallets belonging to HTX (formerly Huobi).

The hacks come just twelve days after Sun’s Poloniex lost $126M on the Ethereum, Tron and Bitcoin networks. HTX had also already been drained of $8M in late September, though funds were recovered around two weeks later.

Yesterday, all eyes (including Justin’s) were on CZ and Binance’s settlement with US authorities.

But His Excellency makes sure to never stay out of the spotlight for long…

With increasing regulatory pressure on crypto’s main players, this repetitive-rektage couldn’t have come at a worse time for Sun.

Or are these repeated “hacker attacks” just building a rainy-day fund, ready for a life on the lam?

Credit: Peckshield, Cyvers

Two hours after the first alerts of fund movements on HECO then HTX, Sun acknowledged the attacks, promising to compensate the HTX losses:

HTX and Heco Cross-Chain Bridge Undergo Hacker Attack. HTX Will Fully Compensate for HTX's hot wallet Losses. Deposits and Withdrawals Temporarily Suspended. All Funds in HTX Are Secure, and the Community Can Rest Assured. We are investigating the specific reasons for the hacker attack. Once we complete the investigation and identify the cause, we will resume services.

The HECO Bridge funds were drained via a compromised operator account, which (beginning at 09:59 AM UTC) withdrew funds from the bridge to the attacker’s address. The majority of funds were forwarded onto an accumulation wallet.

The compromised HTX hot wallet addresses (ETH, others) transferred funds (beginning at 10:41 AM UTC) directly to separate attacker addresses (ETH, others).

While the precise source of the attacks is unknown, it seems likely that vulnerabilities exploited in previous hacks could have been reused, given the connections between the affected entities.

Peckshield puts the HECO bridge losses at $86.6M, in the following assets: 42M $USDT, >10k ETH ($19M), 489 HBTC ($18.8M), 347M SHIB ($2.8M), 173k $UNI ($930k), 619k USDC, 42k $LINK ($600k), 347k TUSD.

Cyvers summed $12.5M in losses from HTX, made up of: 1,240 ETH ($2.5M), 7.3M USDT, 1.78M USDC, and 62.2K $LINK ($870k).

HECO attacker address: 0xfc146d1caf6ba1d1ce6dcb5b35dcbf895f50b0c4

Compromised operator address: 0x3d655889d197125fb90dcb72e4a287a8410ed1b9

HECO Bridge address: 0xa929022c9107643515f5c777ce9a910f0d1e490c

HTX hot wallet 1 (ETH): 0xb9f775179bcc7fcf4534700a48f09c590e390ead

HTX hot wallet 2 (other assets): 0x9281035df6f00557c0285d7df21d323c2e2f99ad

HTX attacker 1 (ETH): 0x5a22f867dfcb4f32d25a5fa365b9d9d78d5515dc

HTX attacker 2 (other assets): 0x121a0ff24027fffcdd0ae008da82f2789c7945cc

After receiving, funds were forward on to various further addresses; Hacken provided a list.

This style of attack targeting CEX and bridges has all the hallmarks of DPRK’s Lazarus Group, who’ve cleared over half a billion dollars in the last six months alone.

Once they find a foothold, insufficient spring cleaning is sure to result in more losses.

Regardless of who carried out the double-pronged hack, costs are mounting up for Justin Sun, who may be next in line for the US authorities’ ongoing crypto cleanse.

HECO and HTX are the 3rd and 4th incidents inside three months on Sun-linked projects, totaling 233M in losses (with just $8M returned, so far).

Earlier this month, we wondered:

How deep do Sun’s pockets go?

At this rate, perhaps one day we'll find out?


share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.