FBI investigating $100 million theft from blockchain company Harmony

Blockchain company Harmony said $100 million in cryptocurrency was stolen from the platform on Thursday evening. The company said the FBI is now investigating the theft alongside several cybersecurity firms. 

Cross-chain bridges – also known as blockchain bridges – allow people to transfer tokens, assets, smart contract instructions and data between blockchains. They have become a ripe target for hackers in recent months, and exploits in bridges have led to millions of dollars in losses.

Harmony – which helps people send cryptocurrency, stablecoins and NFTs between different blockchains like Ethereum and Binance Smart Chain – has notified other exchanges and stopped the Horizon bridge to prevent further transactions.

In a series of tweets, the company said it is working with government agencies and specialists to find the people behind the attack and get the stolen funds back. The hackers stole about 85,837.252 Ethereum in the attack.

“We have also notified exchanges and stopped the Horizon bridge to prevent further transactions. The team is all hands on deck as investigations continue,” the company said. 

Blockchain security company PeckShield told The Record that right now, it seems like the attackers were able to compromise private keys that gave them the ability to validate fraudulent transactions. 

The Harmony bridge is “managed by a 2-out-of-4 multisig,” PeckShield said, allowing the attackers to control funds held on the protocol through access to the private keys. 

Another blockchain security company, CertiK, confirmed that once the attackers were able to access the owner accounts of Horizon’s multisig wallets, they began draining vast amounts of altcoins from Harmony.

Experts are still unsure of how hackers managed to gain control of the multisig wallets, but CertiK criticized Harmony for having a system that only required two signatures to validate transactions.

“Horizon’s system of only requiring two out of four signatures has raised concerns in the past. Having only two signatures required to access such privileged controls is a glaring security vulnerability, and naturally makes an enticing target for a hacker,” CertiK said. 

“In this way the attack bears some similarity to the Ronin Bridge hack in March of this year, where a hacker drained $600 million after they gained control of the nodes required to validate withdrawals.”

Harmony was previously exploited in January and experts have long warned that the company’s system was vulnerable to these kinds of attacks. One expert specifically mentioned the idea that if two of the four multisig signers were compromised, there would be “another 9 figure hack.”
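The threshold arithmetic behind the 2-of-4 criticism can be made concrete. The following is an added example, not code from Harmony, PeckShield or CertiK; the owner names and the 5% per-key probability are constructed, and key compromises are assumed to be independent, which understates risk when keys share infrastructure.

```python
from math import comb

# Constructed signer set standing in for the four multisig owners.
OWNERS = {"owner-a", "owner-b", "owner-c", "owner-d"}


def approved(signers, owners, threshold):
    """True only if at least `threshold` distinct, known owners signed."""
    # Duplicated signatures and keys outside the owner set do not count.
    distinct_valid = set(signers) & set(owners)
    return len(distinct_valid) >= threshold


def breach_probability(n, m, p):
    """P(at least m of n keys are compromised), each independently with prob. p."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(m, n + 1))


def lockout_probability(n, m, q):
    """P(fewer than m keys remain usable), each key independently lost with prob. q.

    Fewer than m usable keys means at least n - m + 1 keys were lost.
    """
    return breach_probability(n, n - m + 1, q)


def compare(schemes, p):
    """Map 'm-of-n' to the chance an attacker reaches the signing threshold."""
    return {f"{m}-of-{n}": breach_probability(n, m, p) for m, n in schemes}


if __name__ == "__main__":
    stolen = ["owner-a", "owner-c"]  # two compromised keys, as in the reported scenario
    print("2-of-4 approves:", approved(stolen, OWNERS, 2))
    print("3-of-4 approves:", approved(stolen, OWNERS, 3))
    # Assumed 5% chance that any single key is compromised.
    for name, prob in compare([(2, 4), (3, 4), (3, 5)], 0.05).items():
        print(f"{name}: breach probability {prob:.6f}")
    # Raising the threshold trades theft risk for lockout risk.
    print("3-of-4 lockout probability:", lockout_probability(4, 3, 0.05))
```

Under these assumptions, moving from 2-of-4 to 3-of-4 cuts the breach probability by roughly a factor of 29, at the cost of the same increase in the chance of losing signing ability.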

Blockchain bridge attacks have become increasingly common over the last year. In addition to the Ronin Bridge hack in March, a hacker abused a vulnerability in the Wormhole cryptocurrency platform in February to steal an estimated $322 million worth of Ether currency. 

A week before the Wormhole hack, a similar attack took place against another blockchain bridge when a hacker stole $80 million from Qubit Finance.

“The fact that we are again seeing such huge losses from attacks on cross-chain bridges is a reminder both of the huge demand for this kind of infrastructure in web3, but also of their severe and persistent security vulnerabilities,” CertiK CEO Ronghui Gu told The Record.

“Solving the problems with cross-chain bridges is vital to ensuring a secure web3 ecosystem moving forward.”

Jonathan Greig
