Orbit Bridge Suffers $81.54 Million Security Breach
Summary
On December 31, 2023, Orbit Chain, a South Korean cross-chain project, experienced a significant security breach involving their Orbit Bridge. The attacker exploited the Orbit Bridge through a private key compromise and drained approximately $81.54 million worth of assets from the Orbit Bridge’s ETH Vault. The stolen funds were converted into ETH and DAI and then distributed across several addresses.
Attackers
The identity of the attacker remains unknown. However, some experts have linked the incident to the Lazarus Group, a North Korean hacking syndicate. The following Ethereum addresses were used to carry out the attack:
- 0x9263e7873613ddc598a701709875634819176aff
- 0x70462bfb204bf3ccb0560f259072f8e3a85b3512
Losses
Orbit Bridge lost approximately $81.54 million in total:
- 30,000,000 USDT
- 9,530 ETH
- 10,000,000 DAI
- 10,000,000 USDC
- 230.879 WBTC
Timeline
- December 31, 2023, 04:59 PM UTC: The attack commenced on the Ethereum network. The attacker received 9.93 ETH from Tornado Cash, which was used to perform malicious actions.
- December 31, 2023, 08:52 PM UTC: The first malicious transaction was executed with 30 ETH being transferred.
- December 31, 2023, 09:43 PM UTC: Twitter user Kgjr shared suspicions about the bridge being drained.
- January 1, 2024, 02:25 AM UTC: Taylor Monahan, a developer at MetaMask and blockchain expert, suggested the attack was linked to the DPRK.
- January 1, 2024, 07:39 AM UTC: Orbit Chain confirmed the hack on their Twitter.
- January 4, 2024, 08:11 AM UTC: The Orbit Chain team sent an on-chain message to the exploiter, calling for discussion:
… we have found a trail you left behind when making XRP transactions at an Exchange ‘C’. Rest assured, we will find more.
Security Failure Causes
Private Key Compromise: The attacker managed to compromise the private keys of the Orbit Bridge, leading to the security breach. Independent crypto researcher @officer_cia suggests that the root cause is the wallet compromise of 7 out of 10 multisig signers.