HTX and Heco Chain fall victim to $100 million crypto heist
Crypto exchange HTX and blockchain protocol Heco Chain suffered a security breach, with a combined loss of $97 million in various tokens. Crypto entrepreneur Justin Sun, an investor in HTX, confirmed the incident and assured that the exchange would fully cover any losses incurred by its users.
According to Sun, while deposits and withdrawals on HTX are currently suspended as part of the response plan, the funds that have not been affected by the hack are secure. The security breach was initially flagged by blockchain security firm Cyver, which suspected the root cause to be a private key leak. This leak presumably allowed unauthorized access to the Heco bridge, facilitating the transfer of tokens between Heco Chain and Ethereum.
Despite the two entities operating independently, HTX has been identified as one of the maintainers of Heco Chain. This incident marks the second security exploit linked to Sun’s projects, following a smaller-scale theft at HTX in October, where hackers stole 500 ether, approximately $8 million in value at the time. Those losses were also reportedly fully covered.
PeckShield, another blockchain security firm, observed over $86.6 million in digital assets moved from the HECO Chain bridge to suspicious addresses. The evidence suggested that the bridge itself was compromised, with the operator-initiated transactions hinting at potential operator compromise.
HECO, which was launched in December 2020 and merged into a single ecosystem with Tron and BitTorrent’s bridge in October 2022, aimed to offer high performance and a seamless cross-chain user experience. The recent breach on the HECO Chain is yet another challenge for Sun, coming on the heels of another exploit at Poloniex, a crypto exchange he acquired in 2018, which saw a $125 million loss attributed to compromised private keys.
Poloniex has since reported progress in its recovery efforts and is collaborating with a top security audit firm to enhance its protective measures. Justin Sun, also the founder of Tron, offered the hackers a 5% ‘white hat bounty’ with a seven-day deadline to return the stolen funds before involving law enforcement. He provided crypto wallet addresses for the hackers to return the stolen coins.
Cryptocurrency exchanges, frequently targeted by hackers, have witnessed similar incidents in recent months, including hacks on HTX, Bitrue, Gdac, and Deribit, resulting in massive losses.
Justin Sun was charged by the US Securities and Exchange Commission with market manipulation, fraud, and other offenses. Additionally, eight celebrities, including actress Lindsay Lohan and rapper Soulja Boy, have been accused of unlawfully promoting Sun’s crypto assets.
