On September 24, Huobi Global’s HTX cryptocurrency exchange suffered a breach, resulting in the loss of $7.9 million in digital assets, as reported by blockchain analysis platform Cyvers. Remarkably, a known Huobi hot wallet took an unusual step by reaching out to the attacker in Chinese. The message revealed that the exchange had identified the hacker and extended an offer: return 95% of the stolen funds, and in return, they would be rewarded with a 5% “white-hat bonus.”
At precisely 10:00 am UTC on September 24, the suspected Huobi hot wallet with the address 0x2Abc22eb9A09EbBE7b41737CCde147F586EfeB6A transferred 4,999 Ether (equivalent to $1,589) – approximately $7.9 million – to an address with no prior transaction history. The following day, another wallet linked to Huobi sent a message in Chinese to the attacker. The message, as translated by Google, read:
“We have verified your true identity. Kindly return the funds to 0x18709E89BD403F470088aBDAcEbE86CC60dda12e. We are willing to offer you a 5% white-hat bonus. This offer stands for 7 days and expires on October 2, 2023. Failure to return the funds within the stipulated period will prompt us to seek legal intervention.”
Cyvers reported the breach on September 25, and blockchain analytics platform Arkham Intelligence confirmed that the wallet sending the message was associated with Huobi. This wallet also appears on a Huobi support page as being owned by the exchange.
Justin Sun, an investor in Huobi Global, acknowledged the attack on the morning of September 25, disclosing that HTX had suffered a loss of 5,000 ETH (equivalent to $8 million USD) due to the hacker’s actions. Sun reassured users that their funds were secure and that the exchange was operating normally. He stated, “HTX has fully covered the losses incurred from the attack and has successfully resolved all related issues.”
Throughout 2023, crypto exchanges have grappled with a wave of cyberattacks, with many attributed to the North Korean-affiliated Lazarus Group. This group has reportedly amassed $40 million in Bitcoin from various attacks during the year.