Since rebranding from Huobi to HTX in September 2023, Justin Sun’s cryptocurrency exchange HTX has faced two significant hacking incidents, raising concerns within the crypto community. These incidents form part of a series of attacks targeting Sun’s crypto platforms over a two-month period, indicating a pattern of security vulnerabilities.
The first hack of HTX occurred shortly after its rebranding from Huobi on September 13, 2023. This initial breach took place on September 24, 2023, resulting in the loss of nearly $8 million in cryptocurrencies. The attackers successfully stole approximately 5,000 Ether (ETH) from the exchange. In response to this incident, Justin Sun, the de-facto owner of HTX, assured that the platform had covered the losses and resolved related issues. He described the amount as minor compared to the $3 billion held by HTX users, equating it to only two weeks of the platform’s revenue. Furthermore, Sun offered a 5% reward ($400,000) to the hacker as a white hat incentive if the funds were returned within seven days, a strategy that led to the hacker eventually returning all funds. In return, HTX paid a white hat bonus of 250 ETH, equivalent to $506,000 at that time.
The second and more significant hacking incident occurred on November 22, 2023, involving both HTX and its HECO Chain bridge. This breach resulted in a cumulative loss of $97 million across various tokens, with the HECO Chain bridge alone being drained of $86.6 million. The attack compromised three of HTX’s hot wallets, leading to the loss of 1,240 ETH, 7.3 million USDT (Tether), 1.78 million USD Coin (USDC), and 62,200 Chainlink LINK 1.08% (LINK), among other assets. Justin Sun confirmed this attack and assured that HTX would fully compensate for the losses. He temporarily suspended deposits and withdrawals on the platform to secure the remaining funds. Preliminary analysis suggested the hack was due to a suspected private key leak, enabling the attackers to access and transfer tokens between the HECO Chain and Ethereum ETH -0.05%. Despite the breach, Sun stated that the exchange and blockchain protocol operate independently.
These incidents have led to a total combined loss of around $208 million across Justin Sun’s crypto platforms, including other entities such as Poloniex and the HTX Eco Chain (HECO) bridge. In the wake of these events, some crypto enthusiasts have urged caution regarding transactions with Poloniex and HTX, with speculation about the parties responsible for the hacks. A spokesperson for the crypto security firm Hacken noted that all attacks targeted Justin Sun’s projects, suggesting the possibility of an insider leaking information or private key compromises. The representative emphasized the need for these projects to improve their procedures for storing sensitive information like private keys and to keep a portion of their funds in cold wallets if large amounts of liquidity are unnecessary.