Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 145Private Key Compromise

Multichain Collapse

$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.

Date
Victim
Multichain
Chain(s)
EthereumFantomBNB Chain
Status
Funds Stolen

On July 6, 2023, the cross-chain bridge protocol Multichain (previously known as Anyswap) experienced approximately $125 million in unauthorised withdrawals across its Fantom, Moonriver, Dogecoin and other bridge contracts. The incident sat on the line between "hack" and "rug pull" — and a Singapore court later concluded it was an inside job.

What happened

Multichain operated its cross-chain bridges using Multi-Party Computation (MPC) key sharding among a small team of operators. Trust in the bridge depended entirely on the integrity of the MPC participants and the secrecy of their key shares.

On May 21, 2023, Multichain CEO Zhaojun was arrested by Chinese police. In the weeks that followed:

  • The remaining team announced they had lost access to the MPC servers — which Zhaojun apparently operated personally — and so could not authorise routine bridge transactions.
  • Zhaojun's sister transferred remaining funds on the platform to two addresses she controlled, claiming "asset preservation".
  • She was then also taken into custody by Chinese police, severing the team's last contact with her.
  • On July 6, $125M in unauthorised withdrawals began flowing from the bridge contracts.

A Singapore court ruling in 2024 supported the view that the MPC keys had been controlled by Zhaojun alone and were used (by him or someone acting on his behalf) to drain the bridge — not stolen by an external attacker.

Aftermath

  • Multichain announced it had ceased operations within a week of the unauthorised withdrawals.
  • Affected protocols — Curve, Sushi, dozens of token issuers with wrapped assets on Multichain bridges — absorbed the losses or migrated wrapped representations to other bridge providers.
  • No recovery; no public legal resolution of the underlying status of Zhaojun.

Why it matters

Multichain is the case study for operator-key risk in bridges: a bridge that depends on a single individual to operate the MPC ceremony has the same security model as that individual's life and freedom. The incident accelerated the broader industry move away from team-operated MPC bridges toward public attestation committees with explicit slashing (LayerZero, Across, CCIP) and canonical-execution bridges that do not rely on signers at all.

Sources & on-chain evidence

  1. [01]blockworks.cohttps://blockworks.co/news/multichain-anyswap-exploit
  2. [02]chainalysis.comhttps://www.chainalysis.com/blog/multichain-exploit-july-2023/
  3. [03]dlnews.comhttps://www.dlnews.com/articles/defi/singapore-court-fuels-view-multichain-hack-was-inside-job/

Related filings