Multichain Bridge Suffers $126 Million Security Breach

Summary

On July 6, 2023, Multichain Bridge experienced a security breach due to a private key compromise. The total losses amounted to approximately $126 million, including wBTC, wETH, USDT, USDC, and other assets. The stolen assets were transferred to several addresses.

Attackers

The identity of the hackers who attacked Multichain is unknown.

Hacker ETH Wallets:

Losses

Multichain estimated the losses from the hack to be $126 million. The stolen assets included:

62,622,559 USDC
1029 wBTC (30,925,467 USD)
7,214 wETH (13,392,646 USD)
2,535,016 USDT
491,657 LINK (2,999,107 USD)
1,002,362 CRV (1,002,362 USD)
4,957,670 DAI
1,296,991 ICE (1,841,727 USD)
910,654 UNIDX (3,251,034 USD)
9,674,426 WOO (2,099,601 USD)
134 YFI (905,983 USD)

Timeline

May 21, 2023 Multichain CEO Zhaojun was taken away by the Chinese police from his home. Zhaojun’s computers, phones, hardware wallets, and mnemonic phrases were confiscated by the authorities.
July 06, 2023, 04:21:23 PM UTC: The first malicious transaction occurred.
July 06, 2023, 06:33:11 PM UTC: 30 million WBTC withdrawn from Multichain bridge.
July 06, 2023, 07:46:23 PM UTC: Multichain Moonriver bridge begins being drained.
July 06, 2023, 08:05:35 PM UTC: Multichain Dogechain bridge begins being drained.
July 07, 2023, 06:27 AM UTC: Multichain reported that the funds were transferred to an unknown address.
July 07, 2023, 11:57 AM UTC: Multichain has stopped working.

Security Failure Causes

Compromised Private Key: The primary cause of the security breach was the compromise of the private key. The attacker exploited this vulnerability to withdraw funds.

Insider threat: There is an opinion that this was an inside job.