Back to all stories
Reports
Incident Analysis
Heco Bridge Exploit
11/23/2023
Heco Bridge Exploit

Introduction

On 22 November, another major private key compromise affected the Heco Bridge and HTX hot wallets amounting to $113.3 million in losses. A malicious actor compromised several wallets belonging to HTX as well as the Heco bridge operator wallet, allowing them to withdraw withdraw assets on Ethereum and TRON. We have also identified a suspicious movement of Bitcoin. This brings the total lost to private key compromises this year to over $800 million, representing 56% of all funds lost in 2023. This incident is also the fifth largest incident in 2023 and is the largest bridge attack this year.

Event Summary

Justin Sun announced on X that Heco Bridge and HTX hot wallets had been compromised leading to major losses. Unfortunately for Justin Sun, this was the second such announcement that he has had to make this month following the private key compromise on the Poloniex exchange. The Heco Bridge was compromised due to the bridge's operator wallet being compromised. The exploiter wallet received ETH and ERC-20 tokens through 0x3d655889D197125fb90dcB72e4a287A8410ED1B9 (Heco Bridge Operator) calling withdrawToken. Based on the Heco Bridge contract, this function can only be called by the operator.

3e46732f-7c88-4f87-bd28-928c01b4f65e

The exploiter withdrew the following assets from the Heco bridge:

  1. 10,145 ETH
  2. 42,110,000 USDT
  3. 489 HBTC
  4. 346,867,120,000 SHIBA INU
  5. 173,200 UNI
  6. 619,000 USDC
  7. 42,399 LINK
  8. 346,994 TUSD

In total, this amounts to approximately $87 million worth of assets with the malicious actor swapping the ERC-20 tokens for ETH and distributing to multiple wallets.

CertiK also discovered suspicious movements of funds originating from HTX hot wallets. For example, HTX hot wallet 0xb9F775179bcC7FcF4534700a48F09C590E390eAd transferred 1,240 ETH to EOA 0x5A22F867DFCb4F32d25a5Fa365b9D9D78D5515dC. The wallet then transferred 1 ETH to six wallets who received ERC-20 tokens from HTX hot wallets. When we analyzed the USDT transactions, we observed normal activity up until 10:39 am UTC up until a 7.3 million USDT transfer to EOA 0x121A0Ff24027fffCDd0ae008dA82f2789C7945cc. Following that transfer, normal activity continued followed by a recovery effort.

f8b94de5-381e-41d7-bd51-7776783f2ec0

In total, the following funds were transferred to addresses likely controlled by a malicious actor

  1. 1,240 ETH
  2. 7,330,600 USDT
  3. 1,780,000 USDC
  4. 61,250 LINK
  5. 2,195,836 ARIX
  6. 4,254,541 KOK

Discounting the ARIX and KOK transactions due to a lack of available liquidity for these tokens, $13.6 million was stolen from HTX hot wallets on Ethereum.

Additionally, we noticed suspicious transfers on TRON with Huobi 3 transferring 500,000 TRX, 10.3 million USDT, 2,2 million USDC, 521.7k RockDAO and approximately 1 million BTT token. These transfers occurred around the same time as the suspicious movements on the Ethereum network. In total, this amounts to $12.6 million.

Finally, 73.797 BTC was transferred from HTX to bc1qaafa2geuc4jw0w2ukys65p3kqdpspfml74n9j9 around the same time that the suspicious transfers took place. At the time of writing, the funds remain in the wallet and could represent additional losses, however this is not confirmed.

When we combine the dollar value of all suspicious funds, we come to an overall figure of approximately $113.3 million.

Tracing Funds

CertiK traced suspicious movement of funds from Heco Bridge and HTX hot wallets. In total, we observed suspicious movements of funds on Ethereum, TRON and BTC. Below, is the initial movement of funds from the Heco Bridge and HTX hot wallets.

Screenshot 2023-11-23 at 15.24.50

At the time of writing, the Bitcoin transferred into bc1qaafa2geuc4jw0w2ukys65p3kqdpspfml74n9j9 has not moved further, nor have the majority of funds in the hackers Ethereum wallet. However, EOA 0xe47e6dA16Bb83EB0FD26b3F29b15CE8Fab089B9e which is labeled “Heco Bridge Exploiter 2” on Etherscan transferred 23,574.342 ETH to four wallets:

  1. 0xB6baC5CAe1cD4b7e8137bFe5254dFB1CF1F36d0e (received 11.22 ETH)
  2. 0x8DC70E0305c0f19d926AC8F07b61C5C2cfb9Ab75 (received 1,122 ETH)
  3. 0x7bEfDBB89C21863E910310A36Da5058704552935 (received 11,220 ETH)
  4. 0xEdBdCb1b763Ef7920978c700007Ab1F05b18b8f6 (received 11,221.122 ETH)

Conclusion

November has been a month to forget for the crypto space, particularly Justin Sun, which has now seen more losses than any other month in 2023. Losses this month have so far reached $358 million with private key compromises accounting for $272,281,722. Unfortunately, this is not surprising for analysts at CertiK. In our $1 billion brief we predicted that private key compromises will likely account for major losses seen in a single month which played out. For example, the major losses in July, September and now November have been driven by private key compromises of centralized entities. Unfortunately, this trend will likely continue until more funds are locked in DeFi projects which will likely occur in the next bull run.