Harmony, a $100m heist victim, offers a six-digit bounty for the return of funds


Threat actors stole $100 million worth of cryptocurrency via Harmony's Horizon bridge, a tool for swapping crypto between different blockchains.

Harmony, a California-based company, has joined a long list of victims faced with crypto heists. The company announced crooks took close to $100 million worth of digital coins.

Two days after the initial hack, Harmony tweeted that the company is willing to pay a $1 million bounty for the return of Horizon bridge funds. The victim company claims it will advocate for no criminal charges when funds are returned.


A bounty offer might signal that Harmony hopes whoever was behind the hack will reconsider and insist the hack was only a security test. A similar case happened last year when threat actors stole $610 million worth of crypto from Poly Networks only to return the money later.

Poly Networks thanked the hacker for exposing security flaws, offered a $500 thousand bug bounty, and asked the unknown threat actor to become the company's chief security advisor.

How did it happen?

Harmony claims that private keys were compromised, leading to the breach. The company maintains that those keys were encrypted via passphrase and a key management service, and no single machine had access to the keys.

However, attackers likely managed to get ahold of several keys or machines to piece the necessary key together. Several types of digital coins were taken by threat actors, but all were swapped for Ethereum coins.

"All assets were then swapped to ETH and currently remain on the hacker's account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets," the company said in a blog post.

Mudit Gupta, the chief information security officer at Polygon, a decentralized Ethereum scaling platform, thinks that hackers successfully abused a multisignature (multisig) wallet.


According to Gupta, if any two addresses tell an account to transfer funds, the wallet complies and does as instructed. Threat actors likely compromised at least two addresses to perform the hack.

"The two addresses were likely hot wallets used to listen for and process legit bridging transactions. The attacker compromised the server(s) that these hot wallets were running on," Gupta shared on Twitter.

Once inside the servers, threat actors accessed the keys kept in plain text for signing legitimate transactions.
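To make the threshold risk described above concrete, the following added example (not code from Harmony, Gupta or the original article) audits a multisig signer layout for how few hosts must be compromised to reach quorum. The signer names, host names, the total of five signers, the placement of both hot wallets on one server and the hardened 4-of-5 layout are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Signer:
    name: str        # constructed label, not a real address
    host: str        # machine on which the signing key is usable
    hot: bool        # online key used for automated signing
    plaintext: bool  # key stored unencrypted on that host

def min_hosts_for_quorum(signers, threshold, only=lambda s: True):
    """Fewest hosts whose keys alone reach the threshold, or None.
    Each key lives on one host, so taking hosts by descending key
    count gives the minimum."""
    per_host = Counter(s.host for s in signers if only(s))
    total = 0
    for hosts, (_, count) in enumerate(per_host.most_common(), start=1):
        total += count
        if total >= threshold:
            return hosts
    return None

def audit(signers, threshold):
    findings = []
    if min_hosts_for_quorum(signers, threshold) == 1:
        findings.append("single host holds a full quorum")
    exposed = min_hosts_for_quorum(
        signers, threshold, only=lambda s: s.hot and s.plaintext)
    if exposed is not None:
        findings.append(
            f"quorum reachable from plaintext hot keys on {exposed} host(s)")
    return findings

# Constructed layout matching the article's description: any two signers
# suffice, and two hot wallets keep plaintext keys on a bridge server.
WEAK = [
    Signer("hot-1", "bridge-srv-1", True, True),
    Signer("hot-2", "bridge-srv-1", True, True),
    Signer("cold-1", "hsm-a", False, False),
    Signer("cold-2", "hsm-b", False, False),
    Signer("cold-3", "hsm-c", False, False),
]
# Assumed hardened layout: higher threshold, one key per host, no plaintext.
HARDENED = [Signer(f"s{i}", f"host-{i}", i < 2, False) for i in range(5)]

if __name__ == "__main__":
    print("2-of-5 weak:", audit(WEAK, 2))
    print("4-of-5 hardened:", audit(HARDENED, 4))
```
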

Dog days

2022 has already been a record-breaking year for crypto heists, with $1.26 billion lost in the first three months alone. The recent surge in thefts is equivalent in value to 55% of all cryptocurrency stolen in 2021.

In March, hackers stole $615 million worth of crypto from the Ronin decentralized currency exchange. The attackers also used hacked private keys to forge fake withdrawals.

The FBI attributed the attack to the Lazarus Group, associated with the Democratic People's Republic of Korea (DPRK).

Crypto markets experienced a downturn in the second quarter of the year, with major market players such as Coinbase laying off almost a fifth of its global employees.