Heco Loses $87 Million to Hack Attack

Every week, ISMG rounds up cybersecurity incidents involving digital assets. This week, Heco lost $87 million to a hack attack, criminals stole $25 million from Kronos, the U.S. Securities and Exchange Commission filed charges against Kraken, the U.S. Department of Justice charged three people with stealing $10 million theft and also seized a separate $9 million linked to a pig butchering scam, and a security company found a potential validator bug that could impact $1 billion worth of cryptocurrency.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

HTX-run cross-chain protocol Heco Chain suffered a hack attack resulting in an $87 million loss in various tokens. Justin Sun, an investor in the exchange, confirmed the breach and said victims will be fully compensated. HTX temporarily suspended deposits and withdrawals to secure the remaining funds and launched an investigation to determine what happened, after which services will resume, he said. Blockchain security firm Cyver earlier flagged $85 million in suspicious transfers and reportedly attributed the attack to a suspected private key leak that allowed unauthorized access to the Heco bridge.

The Heco hack is the second security lapse in a blockchain project associated with Sun, coming weeks after the $100 million Poloniex exploit.

Taipei-based trading and venture capital firm Kronos Research reported unauthorized access to its API keys, with potential losses described as “not a significant portion of our equity.” Blockchain researcher ZachXBT flagged more than $25 million in ether outflows from a wallet, suggesting the theft amount. Kronos halted all trading, impacting Woo X, the exchange it incubates. Woo X said its client funds were safe, but temporarily paused certain asset pairs due to liquidity loss from Kronos’ pause. Later, it resumed spot and perpetual trading, along with withdrawals.

The SEC charged Payward and Payward Ventures, collectively known as Kraken, for operating an unregistered securities exchange, broker, dealer and clearing agency on its crypto trading platform. The SEC also alleged that Kraken unlawfully facilitated the trading of crypto asset securities, accumulating hundreds of millions of dollars since at least September 2018. Its alleged poor business practices, deficient internal controls and inadequate recordkeeping practices posed significant danger to customers, and risked losing investor funds by commingling their funds with its crypto assets, the complaint said. The SEC is seeking injunctive relief, conduct-based injunctions, disgorgement of ill-gotten gains, interest and penalties from the company.

The U.S. Attorney’s Office for the Southern District of New York, in collaboration with the FBI, arrested and charged Zhong Shi Gao, Naifeng Xu and Fei Jiang for allegedly orchestrating a scheme that stole more than $10 million from U.S. banks and financial institutions. The accused face a potential combined 82-year sentence for converting the stolen funds into cryptocurrency and transferring them to foreign crypto exchanges, the DOJ statement said.

The indictment shows that from 2018 to 2022, Gao, Xu and Jiang recruited individuals, often foreign nationals from China and Taiwan residing in the U.S., to open bank accounts. The scheme involved orchestrating fraudulent wire transfers between accounts they controlled, accompanied by filing false reports claiming unauthorized transfers. This prompted banks to temporarily credit the accounts, allowing the perpetrators to swiftly withdraw funds as cash or convert them into cryptocurrency on foreign exchanges before the banks realized that the reports were fraudulent. The accused face charges including bank fraud conspiracy, wire fraud conspiracy, money laundering conspiracy and aggravated identity theft.

The Justice Department seized nearly $9 million in Tether, aka USDT a U.S. dollar-pegged cryptocurrency, connected to an organization involved in a pig butchering scam that victimized more than 70 people in the country. Pig butchering scams are also called romance scams and cryptocurrency confidence schemes. The seized amount is likely part of Tether’s “proactive and voluntary” freezing of approximately $225 million worth of USDT held in self-custody wallets linked to the international human trafficking group in Southeast Asia. The action marks the largest USDT freeze to date, the company said.

Blockchain security firm dWallet Labs exposed a potential vulnerability that may impact up to $1 billion worth of Ether, Aptos, BNB and Sui cryptocurrencies. The vulnerability, located in validators hosted by an infrastructure provider called InfStones, could allow attackers to gain control of hundreds of validators on multiple major networks, as well as run code and extract private keys from them. InfStones reportedly disagreed the scale of the impact, with a spokesperson telling Cointelegraph that the potential vulnerability could only affect a “fraction below 0.1% of the live nodes.” The company said that the bug had been fixed in collaboration with dWallet Labs.