Millions stolen from crypto platforms Exactly Protocol and Harbor Protocol
Millions of dollars worth of cryptocurrency were stolen from two cryptocurrency platforms over the last few days, with both being forced to pause their operations and warn customers of potential losses.
On Friday, decentralized finance platform Exactly Protocol confirmed that it was “actively investigating a security issue” and was temporarily pausing the protocol, only allowing customers to withdraw assets.
Exactly Protocol allows users to lend and borrow crypto assets at fixed and variable rates. It announced on August 4 that it had reached more than $100 million worth of deposits.
Several news outlets and experts reported that the platform suffered more than $12 million worth of losses after 7,160 ETH coins were stolen. But several blockchain security firms told Recorded Future News that they believed there was about $7 million in losses, and the company later said $7.3 million worth of ETH had been stolen during the attack.
“We are currently trying to communicate with the attackers to return the stolen assets,” the company said. “Police reports have already been filed. Additionally, our team is actively collaborating with Chainalysis and other security experts to identify the attackers and take appropriate measures.”
They added that a fix for the issue that was exploited will be implemented soon and that more data will be released about what happened at a later date. The company did not respond to requests for comment about whether users will be compensated for their losses.
They later offered a $700,000 reward for information about the hackers behind the attack and Chainalysis confirmed on Tuesday that it is tracking the stolen funds.
User anger at Harbor response
On Saturday, the Harbor Protocol announced that it was also dealing with its own cyberattack. The platform – a DeFi tool created by crypto company ComDex – said in a statement that they discovered funds were drained from the platform but they were unsure of how much was taken. They pledged to release a report on the situation but urged customers to help them trace the funds.
“In case the exploiter(s) are able to read this message, we urge you to reach out to us as we are open to talk to find a solution that is optimal and doesn't impact users and community members,” they said.
Harbor Protocol (@Harbor_Protocol), August 19, 2023: “1/ Dear Harbor Community, It has come to our notice that Harbor protocol has been exploited over the past few hours, resulting in a drain on a portion of the funds sitting in the stable-mint and stOSMO, LUNA and WMATIC vaults.”
“As a team, we have put blood, sweat and tears to get Harbor to where it is today and remain fully committed to dedicating all that we have towards finding the exploiters to eliminate/minimize the losses incurred.”
The platform did not respond to requests for comment and has not provided an update since that statement.
On the company’s Telegram channel, several customers were irate that the team was not communicating more details about the situation.
“Guys, this is getting ridiculous. Still no statement from the team. We don't even know how much money was stolen. No info on the website. What about voting? Rewards? It's ok if the whole protocol is paused. But then it should be communicated that way. We want and need information, the trust is already very low and dwindling by the hour,” one user said.
Harbor Protocol has already dealt with one security incident this year, announcing in June that several vaults were liquidated but declining to provide a monetary figure for the losses.
The attacks come just three weeks after Vyper, one of the most popular Web3 programming languages, was exploited by hackers who ended up stealing at least $61 million worth of cryptocurrency.
North Korea’s Lazarus hacking group has been one of the primary drivers of attacks on cryptocurrency platforms, using billions in stolen crypto to allegedly fund its nuclear weapons program. According to blockchain security firm PeckShield, nearly $500 million was stolen in 395 major cyberattacks on crypto platforms in the first half of 2023, with all but nine involving DeFi platforms.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.