Crypto hackers steal $139 million with Horizon bridge attack

The hack targeted crypto firm Harmony's Horizon bridge, which offers cross-chain transfers between Ethereum and Binance.

NEW YORK (BLOOMBERG) - Hackers looted about US$100 million (S$138.89 million) from a so-called cryptocurrency bridge, targeting a key vulnerability in the digital asset ecosystem.

Harmony said in a tweet the hack of its Horizon bridge, which lets people swap coins between blockchains, took place on Thursday morning (June 23).

It has "begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds".

Horizon, which offers cross-chain transfers between Ethereum and Binance, marks the third major bridge hack this year.

In February, hackers stole more than US$300 million from the Wormhole bridge. In late March, Ronin Bridge lost about US$620 million to hackers.

Even before the Horizon hack, money stolen from bridges exceeded US$1 billion, researcher Chainalysis has estimated.

Harmony's native ONE token dropped 13 per cent over the past 24 hours, according to CoinGecko.

"The theft seems to have happened due to a private key compromise," said Mr Xuxian Jiang, chief executive officer of security firm PeckShield, which has been contacted by Harmony for support.

Harmony's bridge is managed and secured by four multi-signature wallets and an authentication from at least two of them is required to validate and execute a transaction, Jiang said.

The Ronin Bridge, linked to the popular play-to-earn video game Axie Infinity, employed a similar mechanism, with five out of nine validators required to sign off.

Bridges are particularly vulnerable to hacks, as their technology is complex and they are often run by anonymous teams.

The way they safeguard funds is often unclear.

The amount of money locked on bridges connected to the Ethereum blockchain declined 60 per cent in the last 30 days, to less than US$12 billion, per tracker Dune.

The drop was triggered by a wider crypto market slump and liquidity concerns surrounding lender Celsius Network and crypto-focused hedge fund Three Arrows Capital.
