$139M BXH Exchange Hack Was the Result of Leaked Admin Key

The hack might have been the work of one of BXH’s own employees, CEO says.

AccessTimeIconNov 1, 2021 at 11:28 a.m. UTC
Updated May 11, 2023 at 6:26 p.m. UTC

A hack on Boy X Highspeed (BXH), a decentralized cross-chain exchange, that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk

  • Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said.
  • The hacker either broke into the keyholder’s computer or might have been one of BXH’s technical staff, Wang said. The team is looking into the possibility the hacker set up a virus on BXH’s own site that the administrator clicked on, giving the attacker access to his computer and eventually the key, the CEO said.
  • BXH announced the hack in a tweet on Sunday. BXH user funds on Ethereum, Huobi ECO Chain and OKEx OEC are safe, the team said. BXH halted withdrawals until the issue is resolved.
  • The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO.
  • Wang attributed these findings to PeckShield, a blockchain security company that is working on the case with BXH. He said he is confident that with the support of PeckShield and Chinese authorities the hacker will be tracked down.
  • If the hacker is not found or returns the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said.
  • BXH is offering a $1 million bounty to any teams that help retrieve the funds, and will give the hacker an unspecified reward if the money is returned.
  • PeckShield confirmed the leaked admin key theory in a tweet early on Monday, without providing details.
  • BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said.
  • The hack is one of several attacks on DeFi projects in the last couple months. Just days before the attack on BXH, Cream Finance suffered $130 million in losses. August saw the largest hack in DeFi history when cross-chain protocol Poly Network lost $600 million, which was eventually returned.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Eliza Gkritsi

Eliza Gkritsi is a CoinDesk contributor focused on the intersection of crypto and AI.