The FBI is investigating after hackers absconded with $100 million from the Harmony Protocol’s Horizon bridge, project developers announced late Thursday.
“The Harmony team has identified a theft occurring this morning on the Horizon bridge amounting to approx. $100MM,” the team wrote in an announcement posted on Twitter. “We have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”
They shared the hacker’s Etherscan address in a subsequent tweet, showing the $102,323,726 sum was still held in a single wallet. The bridge targeted by the perpetrator allowed users to move their tokens between Harmony’s network and other chains, including Ethereum, the Binance Smart Chain, and Chainlink. Stolen assets included Ethereum, Binance Coin, USDT, USDC, DAI.
Developers said the attack did not affect a separate bitcoin bridge, saying “its funds and assets” were “stored on decentralized vaults” and “safe at this time.”
“Immediately following the attack, multiple cyber security partners, exchange partners, and the FBI were notified and requested to assist with an investigation in identifying the culprit and methods to retrieve stolen assets,” the project’s Matthew Barrett wrote in a subsequent post published on Harmony’s Medium account. “Further, the team has attempted communication with the hacker with an embedded message in a transaction to the culprit’s address.”
The price of Harmony’s token, ONE, fell slightly after the news, to a low of 2.3 cents. It was already down roughly 93 percent from an all-time high of 38 cents set in January.
The high-profile nature of the case makes anonymously accessing the cash implausible. Two hackers who stole 119,754 bitcoin in a 2016 attack on Bitfinex — Ilya Lichtenstein and Heather Morgan — were arrested in Manhattan this year after they attempted to withdraw just $500 of their $3.6 billion stash using a prepaid Walmart gift card.
A hacking organization linked to the North Korean regime, the Lazarus Group, was fingered as the culprit behind a March attack on Axie Infinity’s Ronin Bridge, which resulted in the loss of around $600 million. That group unsuccessfully attempted to cover their tracks using Tornado Cash, a crypto anonymizing service. The Treasury Department’s Office of Foreign Assets Control announced sanctions against an Ethereum wallet tied to the group in April.
Polygon’s chief security officer, Mudit Gupta, said Harmony’s assailant used methods that were “eerily similar” to the Ronin hack by compromising a server with a method that likely included social engineering.
This was not a “Blockchain Hack”. It was a “Traditional Hack”
I’ve been begging protocols to focus on traditional security too alongside blockchain security for months now….
ps the convex compromise earlier today was also not blockchain related. https://t.co/n1qI48awUD
— Mudit Gupta (@Mudit__Gupta) June 24, 2022
“This was not a ‘Blockchain Hack,’” Gupta wrote in an assessment published on Twitter. “It was a ‘Traditional Hack.’”
Barrett added in the project’s Medium post: “Harmony believes that focusing on decentralized bridges is an essential step forward for Web3. This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us. Ongoing investigations present a challenge of what information is allowed to be shared with the public, but we will continue to provide updates with the latest information as soon as we are able to share.”