Hackers Stole $100 Million in Cryptocurrency from Harmony’s Horizon Bridge

So-called blockchain bridges have become a prime target for hackers seeking to exploit vulnerabilities in the world of decentralized finance.

Jakub Pozhitsky | NurPhoto | Getty Images

Hackers have stolen $100 million in cryptocurrency from Horizon, the so-called blockchain bridge, in the latest major heist in the decentralized finance world.

Details of the attack are scarce yet, but Harmony, developers of Horizon, said they discovered the theft on Wednesday morning. Harmony has singled out an individual account that it believes is the culprit.

“We have begun working with national authorities and forensic experts to identify the culprit and recover the stolen funds,” the startup said in a tweet late Wednesday.

In a follow-up tweet, Harmony said it was working with the Federal Bureau of Investigation and several cybersecurity firms to investigate the attack.

Blockchain bridges play a big role in the DeFi space, offering users a way to transfer their assets from one blockchain to another. In the case of Horizon, users can send tokens from Ethereum networks on Binance Smart Chain. Harmony said the attack did not affect a separate bridge for bitcoin.

Like other aspects of DeFi aimed at restoring traditional financial services such as blockchain loans and investments, bridges have become a prime target for hackers due to vulnerabilities in their underlying code.

Bridges “maintain large pools of liquidity,” making them “an enticing target for hackers,” according to Jess Symington, head of blockchain research firm Elliptic.

“In order for people to use bridges to move their funds, assets are locked up on one blockchain and unlocked or minted on another,” Symington said. “As a result, these services hold large volumes of crypto assets.”

Harmony did not disclose exactly how the funds were stolen. However, back in April, one investor raised concerns about the safety of his Horizon bridge.

The security of the Horizon Bridge depended on a “multi-sig” wallet that required only two signatures to initiate transactions. Some researchers speculate that the breach was the result of a “private key compromise” where hackers obtained the password or passwords needed to access the crypto wallet.

Harmony was not immediately available for comment when contacted by CNBC.

This follows a series of notable attacks on other blockchain bridges. The Ronin Network, which supports the crypto game Axie Infinity, lost over $600 million in a security breach that occurred in March. Wormhole, another popular bridge lost over $320 million in a separate hack a month earlier.

The robbery adds to the deluge of negative news in crypto lately. Cryptocurrency lenders Celsius and Babel Finance have put freeze on withdrawal after a sharp drop in the value of their assets led to a liquidity crisis. Meanwhile, the beleaguered cryptocurrency hedge fund Three Arrows Capital can be set by default on a $660 million loan from a brokerage firm Voyager Digital.