$139M BXH Exchange Hack Was the Result of Leaked Admin Key

The hack might have been the work of one of BXH’s own employees, CEO says.

Nov 1, 2021 at 11:28 a.m. UTC
Updated Nov 1, 2021 at 2:43 p.m. UTC

A hack on Boy X Highspeed (BXH), a decentralized cross-chain exchange, that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk

  • Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said.
  • The hacker either broke into the keyholder’s computer or might have been one of BXH’s technical staff, Wang said. The team is looking into the possibility the hacker set up a virus on BXH’s own site that the administrator clicked on, giving the attacker access to his computer and eventually the key, the CEO said.
  • BXH announced the hack in a tweet on Sunday. BXH user funds on Ethereum, Huobi ECO Chain and OKEx OEC are safe, the team said. BXH halted withdrawals until the issue is resolved.
  • The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO.
  • Wang attributed these findings to PeckShield, a blockchain security company that is working on the case with BXH. He said he is confident that with the support of PeckShield and Chinese authorities the hacker will be tracked down.
  • If the hacker is not found or returns the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said.
  • BXH is offering a $1 million bounty to any teams that help retrieve the funds, and will give the hacker an unspecified reward if the money is returned.
  • PeckShield confirmed the leaked admin key theory in a tweet early on Monday, without providing details.
  • BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said.
  • The hack is one of several attacks on DeFi projects in the last couple months. Just days before the attack on BXH, Cream Finance suffered $130 million in losses. August saw the largest hack in DeFi history when cross-chain protocol Poly Network lost $600 million, which was eventually returned.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.

Eliza Gkritsi is CoinDesk's crypto mining reporter based in Asia.