$139M BXH Exchange Hack Was the Result of Leaked Admin Key

The hack might have been the work of one of BXH’s own employees, CEO says.

Nov 1, 2021 at 11:28 a.m. UTC
Updated May 11, 2023 at 6:26 p.m. UTC

A hack on Boy X Highspeed (BXH), a decentralized cross-chain exchange, that drained $139 million of funds was probably the result of a leaked administrator key, and possibly an inside job, CEO Neo Wang told CoinDesk.

  • Based on a consultation with an external security team, BXH says the hacker was probably able to break into the exchange’s Binance Smart Chain address after getting hold of the administrator’s private key, Wang said.
  • The hacker either broke into the keyholder’s computer or might have been one of BXH’s technical staff, Wang said. The team is looking into the possibility the hacker set up a virus on BXH’s own site that the administrator clicked on, giving the attacker access to his computer and eventually the key, the CEO said.
  • BXH announced the hack in a tweet on Sunday. BXH user funds on Ethereum, Huobi ECO Chain and OKEx OEC are safe, the team said. BXH halted withdrawals until the issue is resolved.
  • The inside-job theory is supported by findings that indicate the attacker was in China, where most of BXH’s technical team is based, according to the CEO.
  • Wang attributed these findings to PeckShield, a blockchain security company that is working on the case with BXH. He said he is confident that with the support of PeckShield and Chinese authorities the hacker will be tracked down.
  • If the hacker is not found or does not return the money, BXH will take full responsibility for the incident and figure out a user repayment plan, Wang said.
  • BXH is offering a $1 million bounty to any teams that help retrieve the funds, and will give the hacker an unspecified reward if the money is returned.
  • PeckShield confirmed the leaked admin key theory in a tweet early on Monday, without providing details.
  • BXH has also filed a case with China’s network security police, a special force that investigates digital crime, the CEO said.
  • The hack is one of several attacks on DeFi projects in the last couple of months. Just days before the attack on BXH, Cream Finance suffered $130 million in losses. August saw the largest hack in DeFi history when cross-chain protocol Poly Network lost $600 million, which was eventually returned.

Eliza Gkritsi is CoinDesk's crypto mining reporter.

