Share this article
$139M BXH Exchange Hack Was the Result of Leaked Admin Key
The hack might have been the work of one of BXH’s own employees, CEO says.
Updated May 11, 2023, 6:26 p.m. Published Nov 1, 2021, 11:28 a.m. 2 min read
A hack on Boy X Highspeed (BXH), a decentralized cross-chain exchange, that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk
- Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said.
- The hacker either broke into the keyholder’s computer or might have been one of BXH’s technical staff, Wang said. The team is looking into the possibility the hacker set up a virus on BXH’s own site that the administrator clicked on, giving the attacker access to his computer and eventually the key, the CEO said.
- BXH announced the hack in a tweet on Sunday. BXH user funds on Ethereum, Huobi ECO Chain and OKEx OEC are safe, the team said. BXH halted withdrawals until the issue is resolved.
- The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO.
- Wang attributed these findings to PeckShield, a blockchain security company that is working on the case with BXH. He said he is confident that with the support of PeckShield and Chinese authorities the hacker will be tracked down.
- If the hacker is not found or returns the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said.
- BXH is offering a $1 million bounty to any teams that help retrieve the funds, and will give the hacker an unspecified reward if the money is returned.
- PeckShield confirmed the leaked admin key theory in a tweet early on Monday, without providing details.
- BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said.
- The hack is one of several attacks on DeFi projects in the last couple months. Just days before the attack on BXH, Cream Finance suffered $130 million in losses. August saw the largest hack in DeFi history when cross-chain protocol Poly Network lost $600 million, which was eventually returned.
Read more: Poly Network Hacker Releases Private Key for Remaining Looted $141M
More For You
Andrew Gault, the venture capitalist who funded the quantum hardware labs now threatening bitcoin, says the industry is looking in the wrong place. Google's own security team moved in the same direction in March.
What to know:
- Security experts warn that the most urgent quantum threat to bitcoin and the broader financial system is not wallet keys but the encrypted authentication data already moving between institutions and being quietly harvested today.
- Adversaries are pursuing a “harvest now, decrypt later” strategy, stockpiling encrypted interbank messages, payment records and...
