Orbit Bridge Suffers $81.54 Million Security Breach
Summary
On December 31, 2023, Orbit Chain, a South Korean cross-chain project, experienced a significant security breach involving their Orbit Bridge. The attacker exploited the Orbit Bridge through a private key compromise and drained approximately $81.54 million worth of assets from the Orbit Bridge’s ETH Vault. The stolen funds were converted into ETH and DAI and then distributed across several addresses.
Attackers
The identity of the attacker remains unknown. However, some experts have linked the incident to the Lazarus Group, a North Korean hacking syndicate. The following Ethereum addresses were used to carry out the attack:
- 0x9263e7873613ddc598a701709875634819176aff
- 0x70462bfb204bf3ccb0560f259072f8e3a85b3512
Losses
Orbit Bridge lost approximately $81.54 million in total:
- 30,000,000 USDT
- 9,530 ETH
- 10,000,000 DAI
- 10,000,000 USDC
- 230.879 WBTC
Timeline
- December 31, 2023, 04:59 PM UTC: The attack commenced on the Ethereum network. The attacker received 9.93 ETH from TornadoCash, which was used to perform malicious actions.
- December 31, 2023, 08:52 PM UTC: The first malicious transaction was executed with 30 ETH being transferred.
- December 31, 2023, 09:43 PM UTC: Twitter user Kgjr shared suspicions about the bridge being drained.
- January 1, 2024, 02:25 AM UTC: Taylor Monahan, a developer at MetaMask and blockchain expert, suggested the attack was linked to the DPRK.
- January 1, 2024, 07:39 AM UTC: Orbit Chain confirmed the hack on their Twitter.
- January 4, 2024, 08:11 AM UTC: The Orbit Chain team sent an on-chain message to the exploiter, calling for a discussion:
… we have found a trail you left behind when making XRP transactions at an Exchange ‘C’. Rest assured, we will find more.
Security Failure Causes
Private Key Compromise: The attacker managed to compromise the private keys of the Orbit Bridge, leading to the security breach. Independent crypto researcher @officer_cia suggests that the root cause is the wallet compromise of 7 out of 10 multisig signers.