The $100 million stolen from Harmony’s Horizon bridge last week began moving on Monday through the crypto anonymizing service Tornado Cash, according to blockchain records.
The hacker had moved $19 million through Tornado Cash as of mid-afternoon, and was moving funds at a pace of 100 Ethereum — or about $12,000 — every six minutes. Etherscan records showed the perpetrator moved a little more than 18,000 ETH to a second wallet, which split it among three new wallets. The new wallets began sending it to Tornado Cash, which allows users to receive the funds without being tracked on Etherscan.
“We are aware the hacker has begun to move funds through Tornado Cash,” Harmony developers wrote on Twitter on Monday evening. “The team is working with two highly reputable blockchain tracing and analysis partners, and collaborating with the FBI as part of an investigation into this criminal act. In parallel, we’re reviewing various options for users and partners and will keep you updated as we continue to explore ways to secure the ecosystem. While we cannot go into specifics, our goal is to share information in a timely manner with as much transparency as possible.”
1/ We are aware the hacker has begun to move funds through Tornado Cash. The team is working with two highly reputable blockchain tracing and analysis partners, and collaborating with the FBI as part of an investigation into this criminal act. 🧵
— Harmony 💙 (@harmonyprotocol) June 28, 2022
Nansen data indicates the entity using Tornado Cash to transfer the funds is the fifth-largest bad actor by volume to use the service. The top four include the North Korean-linked Lazarus Group, which breached Axie Infinity’s Ronin bridge, along with the perpetrators behind breaches of the Fei Protocol, Parity Wallet and Beanstalk Farms. Blockchain analysis firms Elliptic and Chainalysis managed to trace the Ronin hack back to the Lazarus Group despite the effort to conceal their funds.
Harmony developers said two days earlier they would “advocate for no criminal charges” for the hacker if the funds were returned, in addition to paying a $1 million bounty — one of the least generous in recent memory from a project facing a significant loss. The Fei Protocol offered hackers $10 million if they returned the $80 million they stole from that project, while Beanstalk offered 10 percent, or $7.6 million. Victims of the 2017 Parity hack offered $60 million in 2021 for the return of stolen Ethereum that would have been worth $600 million at the time.
Harmony held an estimated $10 million in liquid cash prior to the attack, along with a stash of its native cryptocurrency, ONE, likely to be valued at less than $100 million. The team’s Thursday disclosure of the breach caused stablecoins on the network to de-peg, resulting in an additional loss estimated in the hundreds of millions. Their value is unlikely to return even if the stolen funds are recovered.
As of Monday evening, the Harmony Protocol’s market capitalization had fallen to $273 million, down from $293 million on Sunday, and a little more than 23 percent lower than a week earlier.