Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 169 · Private Key Compromise

HECO Bridge & HTX Drain

Single-operator compromise drained $87M from HECO's cross-chain bridge plus $12M from HTX hot wallets, hitting both Justin Sun platforms in 24 hours.

On November 22, 2023, attackers drained roughly $87 million from the HECO Bridge — the cross-chain bridge connecting Huobi's HECO sidechain to Ethereum — and within hours took another ~$12 million from hot wallets at HTX (formerly Huobi Global, the operator's affiliated exchange).

What happened

HECO Bridge was secured by an operator-controlled multi-sig: a small set of privileged keys that authorised cross-chain withdrawals from the Ethereum-side bridge contract. The attacker obtained at least a quorum of those keys, then drained the bridge's reserves of USDT, HBTC, SHIB, UNI, USDC, LINK, ETH and TUSD into externally owned accounts.

Almost immediately afterward, the HTX exchange suffered a related drain: attackers used signing access to extract roughly $12M in additional assets from HTX hot wallets. The proximity in time and the overlap in attacker addresses strongly suggested the same operator and the same root compromise — likely a shared key-management system controlling both bridge operations and exchange custody for Justin Sun's affiliated infrastructure.

Aftermath

  • Justin Sun publicly confirmed the breaches and committed to fully compensating affected users from corporate reserves.
  • HECO Bridge was paused and operations migrated.
  • Stolen funds were laundered through Tornado Cash, with later analysis showing more than $145M in laundering volume linked to this attacker over the following weeks.

Why it matters

HECO is one of several incidents (Multichain earlier the same year, FTX-adjacent collapses, multiple Bybit-era examples) that illustrated the same lesson for infrastructure shared between affiliated businesses: when one operator runs the bridge, the exchange, and the chain, a single key-management compromise can take all three down at once. The industry-standard mitigation, hardware-isolated key stores per service with no shared signing authority, became visibly more common in operator playbooks after this period.
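The shared-authority risk described above can be checked against a signer inventory. The following is an added example, not code from this archive or from any operator named here; the key names, store names, thresholds and inventory layout are all hypothetical and constructed for illustration.

```python
"""Audit a signer inventory for cross-service blast radius (added example)."""
from collections import defaultdict

# Constructed inventory: each signer key lives in one key store
# (an HSM, a KMS account, a signing host). All names are hypothetical.
KEY_STORE = {
    "k1": "shared-kms", "k2": "shared-kms", "k3": "shared-kms",
    "k4": "bridge-hsm", "k5": "exchange-hsm",
}
# Per service: the signer set and the quorum needed to authorise a withdrawal.
SERVICES = {
    "bridge":   {"signers": ["k1", "k2", "k4"], "threshold": 2},
    "exchange": {"signers": ["k2", "k3", "k5"], "threshold": 2},
    "chain":    {"signers": ["k1", "k3"],       "threshold": 2},
}

def blast_radius(services, key_store):
    """Map each key store to the services whose quorum it satisfies alone."""
    radius = defaultdict(list)
    for name, svc in services.items():
        held = defaultdict(int)
        for key in set(svc["signers"]):
            held[key_store[key]] += 1
        for store, count in held.items():
            if count >= svc["threshold"]:
                radius[store].append(name)
    return {store: sorted(names) for store, names in radius.items()}

def shared_keys(services):
    """Return keys that hold signing authority in more than one service."""
    users = defaultdict(set)
    for name, svc in services.items():
        for key in svc["signers"]:
            users[key].add(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def findings(services, key_store):
    """One line per isolation violation: shared keys, then cross-service stores."""
    out = [f"key {k} signs for multiple services: {', '.join(v)}"
           for k, v in sorted(shared_keys(services).items())]
    for store, svcs in sorted(blast_radius(services, key_store).items()):
        if len(svcs) > 1:  # one compromise domain reaches quorum in several services
            out.append(f"store {store} alone reaches quorum for: {', '.join(svcs)}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SERVICES, KEY_STORE)))
```

An inventory where every service's signers sit in that service's own store and no key appears twice produces no findings.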

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-heco-bridge-hack-november-2023
  2. immunebytes.com: https://immunebytes.com/blog/heco-bridge-exploited-for-over-87m-in-a-suspected-private-key-leak/
  3. blockworks.co: https://blockworks.co/news/htx-hack-ethereum-crypto-assets
