Harmony Hacked $100 Million Worth of Altcoins

[TL; DR]
Horizon Bridge to Harmony blockchain lost $10 million worth of altcoins in a security breach.
Tether (USDT), Wrapped BTC (wBTC),Frax (FRAX), Ether (wETH) AAG (AAG), Binance USD (BUSD), Aave (AAVE), SushiSwap (SUSHI, Frax Share (FXS), Dai (DAI), and USD Coin (USDC) were stolen during the hacking incident.
The hackers got hold of the two out of five private keys resulting in the security breach.
Blockchain researchers at Elliptic suspect that Lazarus hackers, linked to North Korea, are behind this hacking incident.
Harmony Blockchain promises $10 million to anyone who helps to recover the stolen cryptocurrencies.

Keywords: Harmony, $100 million, multi-signature, Lazarus Hackers, hacking, altcoins

Cases of hacking which result in thefts of millions of dollars continue to hog the limelight in the DeFi sector. Despite constant security warnings some blockchains still show signs of unpreparedness. The Horizon Bridge to the Harmony layer-1 blockchain is the latest victim of hacking, losing $100 million in the process. This layer-1 blockchain’s bridge between Bitcoin and Binance Coin lost Tether (USDT), Wrapped BTC (wBTC),Frax (FRAX), Ether (wETH) AAG (AAG), Binance USD (BUSD), Aave (AAVE), SushiSwap (SUSHI, Frax Share (FXS), Dai (DAI), and USD Coin (USDC). However, the attackers did not hack the Bitcoin Bridge. Therefore, it remains intact and the related cryptocurrencies are safe. Meanwhile Harmony has stopped operations to facilitate investigations.


The line of fault

---

The hacking of Harmony shows a lack of security consciousness on the part of the team. Despite the fact that the attackers did not hack the blockchain itself, they accessed two of the five signatures. With that, they managed to get hold of the altcoins since the smart contract rules allowed two out of the five signatures to transfer the cryptocurrencies.

In reality, the hackers compromised the servers where the hot wallets were running and got hold of two private keys. Mudit Gupta, Polygon’s chief information security officer summarized what happened, “The attacker compromised the server(s) that these hot wallets were running on. Once inside the server, they could access the keys that were kept in plaintext for signing legit transactions. The server exploit was likely either SSH key compromise or social engineering. This is eerily similar to how Ronin was hacked.”


Since it was a traditional hack, contingency measures should have prevented this attack. Gupta pointed out that, previously, he had been telling the team to focus on both the traditional security and the blockchain security to avoid unnecessary attacks. Unsurprisingly, before the attack the community had raised concern over using two signatures to secure the blockchain. Specifically, the founder of Ape Dev, a Chainstride Capital crypto-focused venture fund is one of the people who raised this concern on 2 April through a tweet. However, some analysts conclude that the attackers could have got a tip from this alert

On 3 June the development team announced that the blockchain security was breached and $100 million worth of altcoins siphoned out. And in response they are working with the relevant parties, including national authorities and forensic specialists to identify the hackers and take appropriate action.

Using multi-signatures to secure blockchains have often resulted in these attacks, even if more than 2 private keys are used to authorize the transactions. The example of The Ronin Bridge is a testimony to this. Although five signatures out of nine were required to facilitate transactions, the attackers managed to get hold of the required number and extracted over $600 million worth of cryptocurrencies.


Processing of the transactions

---

The hackers did not transfer the funds in a single transaction since different altcoins were involved. Indeed, they siphoned out the cryptocurrencies in 11 transactions between 7:08 am EST and 7:26 am EST. The early indication is that they sent the tokens to different wallets before swapping them for ETH on UniSwap Decentralized Exchange then returning them to the same wallets.


Market performance of the Harmony Token

---

Despite the hacking incident Harmony’s token remains stable. The same is true of all the other affected cryptocurrencies. They have all maintained some stability as the market has not responded negatively.



Lazarus Hackers linked to the $100 million Harmony Bridge Hacking

---

Blockchain researchers and analysts have linked the Harmony Bridge hacking incident to the North Korea linked Lazarus hackers. They base their conclusion on the nature of the hack which is similar to that of the Ronin Network. Blockchain researchers with Elliptic, a London-based blockchain analytic firm see resemblance in the two attacks. First, the hackers used Tornado cash, a platform normally used to launder ill-gotten cryptocurrencies.

In the first instance, the hackers sent 35 000 ETH about 40% of the stolen tokens to Tornado Cash. In total Lazarus Hackers have stolen over $2 billion worth of cryptocurrencies and its current thrust is on DeFi services such as crosschain bridges. Notably, The US Treasury linked the North Korean hackers to the Ronin Network hack.

Source: Bleepingcomputer

Similarly, the hackers compromised the multi-signatures of Harmony Bridge in the same manner that happened to the Ronin Network security breach. Another piece of evidence against Lazarus Hackers is their targeting of APAC-based individuals and entities. The reason for this could be the language their targets use. Incidentally, some of the core team members of Harmony have links with the APAC region.


Recovery measures in place

---

Harmony and the involved parties are hunting for the $100 million crypto hackers. According to Harmony, Law enforcement, Chainalysis, and AnChainAI are all actively searching for these criminals. However, the company has urged the attackers to return the cryptocurrencies. It said, “We are providing one FINAL opportunity for the actor(s) to return stolen assets with anonymity.” An additional measure to entice the hackers to return the assets is a 10 million bounty. On a similar note, Harmony has offered an additional $10 million for any lead that can facilitate the safe return of the stolen funds.


Conclusion

---

On 23 June, the world woke up to the news of a hacking incident where the Horizon Bridge to the Harmony layer-1 blockchain lost $100 million worth of altcoins. The attackers compromised the blockchain when they accessed two of the five multi-signatures. However, the Bitcoin Bridge was not breached, thus its assets are safe. Some blockchain researchers have suspected that North Korean linked Lazarus hackers are behind the attack. In order to recover the stolen assets, Harmony is offering a $10 million bounty and a $10 million reward for any assistance that may lead to the recovery of the stolen altcoins.






Author: Mashell C., Gate.io Researcher
This article represents only the views of the researcher and does not constitute any investment suggestions.
Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all cases, legal action will be taken due to copyright infringement.