BitOK has traced the whereabouts of crypto stolen from Heco Bridge
In late November 2023, Justin Sun, the founder of the TRON ecosystem and the actual owner of the HTX exchange (formerly Huobi) and Poloniex, announced a hack of HTX.

Source: twitter.com

During the incident, unknown individuals also managed to breach the Heco cross-chain bridge. It remains unclear how the hackers gained access to the private keys.

As a result, HTX exchange and Heco collectively lost around $100 million. Of this amount, over 64% of the losses were incurred by Heco. The BitOK team attempted to investigate where the stolen funds went.

Summary of losses

Link to charts: Heco Bridge Exploit
According to our calculations, the Heco cross-chain bridge lost over $67.5 million in various cryptocurrencies during the attack. Specifically, the perpetrators managed to seize more than $42 million in the USDT ERC-20 stablecoin, over 10,144 ETH (approximately $22.8 million at the time of the investigation), as well as hundreds of thousands of dollars in various tokens such as Uniswap (UNI), Chainlink (LINK), and others.

The overall breakdown of losses for Heco is as follows:
● $42,110,000 USDT (~$42.1 million)
● 10,145.982 ETH (~$22.8 million)
● 489 HBTC (~$19.3 million)
● 346,867,120,000 SHIB (~$3.37 million)
● 173,200 UNI (~$1.09 million)
● 608,000 USDC (~$608,000)
● 42,399 LINK (~$640,000)
● 346,994 TUSD (~$346,000)

All the funds stolen from the Heco cross-chain bridge were directed to the same address: 0xFc146D1CaF6Ba1d1cE6dcB5b35dcBF895f50B0C4 (hereinafter referred to as 0xFc1…0B0C4).

Transactions at address 0xFc1…0B0C4. Source: parsec.fi

Tracing the laundering of stolen USDT

The stolen USDT funds were transferred to the address 0xd20e8c4ee9f4464d60BddaF9eD2dfE8C7263e167 (hereinafter referred to as 0xd20…3e167).

It's noteworthy that handling the USDT funds proved to be more complex for the hackers. This complexity arises not only from multiple fractional transfers between addresses but also because unnamed services, presumably belonging to trading platforms, were observed for the first time in this context.

1) A significant portion of the USDT, totaling 35,858,086, was sent to addresses belonging to the decentralized exchange Uniswap. On this platform, the malicious actors exchanged USDT for Ethereum (ETH).

An example of a fund transfer: 0x0ea7ae689a8e246c3ffe412a9c0f1c5d02180af1546e312353fc4cd8f65ee003.

2) After the swap, the funds were withdrawn to the address 0xd20…3e167, from where they were subsequently sent to the address 0xe47e6dA16Bb83EB0FD26b3F29b15CE8Fab089B9e. This address is noteworthy because, in addition to the converted USDT, it also received ETH that the hackers stole directly from Heco.

The converted ETH funds then settled in four addresses, where they still reside at the time of writing:

According to our data, these two aforementioned smart contracts may belong to unnamed services. Our assumption is based on an assessment of the number of transactions and the turnover of these addresses. We speculate that the smart contracts may also be associated with Uniswap or actively utilize this service.

Tracing the laundering of stolen ETH

As previously stated, in addition to the converted USDT, ETH that the hackers stole directly from Heco was also sent to the address 0xe47e6dA16Bb83EB0FD26b3F29b15CE8Fab089B9e.

These ETH funds were subsequently transferred to four addresses, following a similar pattern to the USDT stablecoin:

Tracing the laundering of stolen UNI

The stolen UNI funds were withdrawn to the address 0x5843774Dc56c3331693fa969995844De1EFa7EeD. Subsequently, the unknown actors repeated the same scheme as with USDT, exchanging UNI for ETH through Uniswap.

The acquired ETH was withdrawn to the address 0x5843774Dc56c3331693fa969995844De1EFa7EeD and then further transferred to the address 0x945647F6225a44E35a0Ea50F9FE2b4321794aA29. The funds remain at this address to this day.

Tracing the laundering of stolen USDC

In the case of the stolen USDC funds, the situation looked different. Here, the hackers withdrew the funds to the address 0x85388BD5233eCC8D3C74256Ce7474bC8C7e559Ae (hereinafter referred to as 0x853…559Ae), and afterward, they converted the funds not only on Uniswap but also on SushiSwap and MetaMask Swap. In all instances, USDC was converted into ETH and returned to the address 0x853…559Ae. Subsequently, the obtained ETH was entirely withdrawn to the address 0x7aBd8ddA6CcA1785Af2f812b171B98D6924ff5D2. The funds remain at this address to date.

Tracing the laundering of stolen LINK

The stolen LINK funds were also exchanged for ETH through Uniswap using the address 0xf59849a98F16BC4187E38E2287C9CCba2D02b6fF. Ultimately, all the funds settled at the address 0x493BB5E2a551aE8FA22EfF0F964820712Ed77Dcb, where they remain at the time of writing.

Tracing the laundering of stolen TUSD

The stolen TUSD funds stood out among the others. In this case, an intermediary address, 0x9e1Ca4EBc06C760C210E618488272B966685049F, was used to direct the stolen funds not only to PancakeSwap but also to 1inch for swapping TUSD to ETH. Subsequently, the funds were withdrawn to the address 0x153D99836E197f92a8385bA80AfBB57b69de2cC1.

Conclusion

At the time of writing this investigation, it remains unclear who exactly gained access to the private keys of the Heco cross-chain bridge. In each instance, the perpetrators followed a similar pattern: they transferred stolen cryptocurrencies to an intermediary address and then sent the funds to decentralized exchanges.

In all cases, the hackers exchanged altcoins and stablecoins for Ethereum (ETH) and transferred them to specific addresses, where they are still stored to this day.
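
The pattern summarized above (intermediary address, swap to ETH on a decentralized exchange, forward to a holding address) can be screened for in transfer data. The following is an added example, not BitOK's tooling and not part of the original investigation; the addresses, amounts and the 95% forwarding threshold are constructed assumptions, and the DEX names stand in for labelled contract addresses.

```python
from collections import defaultdict

# DEX names from the article; real data would use labelled contract addresses.
DEXES = {"Uniswap", "SushiSwap", "MetaMask Swap", "PancakeSwap", "1inch"}

# Constructed records, NOT chain data: (sequence, asset, sender, receiver, amount)
TRANSFERS = [
    (1, "USDC", "addr_src", "addr_A", 600_000),
    (2, "USDC", "addr_A", "Uniswap", 300_000),
    (3, "ETH", "Uniswap", "addr_A", 130.0),
    (4, "USDC", "addr_A", "SushiSwap", 300_000),
    (5, "ETH", "SushiSwap", "addr_A", 129.0),
    (6, "ETH", "addr_A", "addr_hold_A", 259.0),   # forwards everything
    (7, "LINK", "addr_src", "addr_B", 1_000),
    (8, "LINK", "addr_B", "Uniswap", 1_000),
    (9, "ETH", "Uniswap", "addr_B", 7.0),          # trader keeps proceeds
    (10, "UNI", "addr_C", "1inch", 500),
    (11, "ETH", "1inch", "addr_C", 1.5),
    (12, "ETH", "addr_C", "addr_D", 0.1),          # forwards under 10%
]

def find_swap_and_forward(transfers, dexes=DEXES, min_ratio=0.95):
    """Flag addresses that swap tokens to ETH on a DEX, then forward the ETH on."""
    swapped = defaultdict(set)        # address -> assets it sent to a DEX
    used = defaultdict(set)           # address -> DEXes it used
    eth_in = defaultdict(float)       # address -> ETH received back from DEXes
    eth_out = defaultdict(lambda: defaultdict(float))  # address -> dest -> ETH
    for _, asset, src, dst, amount in sorted(transfers):
        if dst in dexes and asset != "ETH":
            swapped[src].add(asset)
            used[src].add(dst)
        elif src in dexes and asset == "ETH" and dst in swapped:
            eth_in[dst] += amount
        elif asset == "ETH" and src in eth_in and dst not in dexes:
            eth_out[src][dst] += amount
    findings = []
    for addr, received in eth_in.items():
        forwarded = sum(eth_out[addr].values())
        if received and forwarded / received >= min_ratio:
            findings.append({
                "intermediary": addr,
                "assets": sorted(swapped[addr]),
                "dexes": sorted(used[addr]),
                "holding": sorted(eth_out[addr]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_swap_and_forward(TRANSFERS):
        print(finding)
```

The `holding` list in each finding is what a monitoring watchlist would track for later movement.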