On June 25, 2022, Harmony offered a bounty for the funds hacked one day prior by tweeting:
Almost immediately, responses to Harmony's tweet questioned the 'low-ball' amount of bounty offered in comparison to the amount hacked. "Compared to other high-profile exploits this year, Harmony’s bounty offer ranks low. The $10 million offered to the Rari Fuse attacker in May was 12.5% of the total stolen. The Beanstalk Finance team offered $7.6 million which was 10% of the total exploited from the protocol in April" [Newar, B. Harmony offers $1M bounty, but is it big enough?. (Accessed June 29, 2022)].
There was plenty of reaction from the crypto community, with many suggesting that the amount offered was too low. Others pointed out that providing bounties doesn’t solve the problem and, if anything, may even encourage hackers. 'Isn’t it funny to actually reward the hackers with $1M dollars for returning the fund when they can get away with $100M?' one commented before adding, 'even if they accept the offer, the same hackers will and again comprise another system? Problem isn’t solved'.
[Young, M. Harmony Protocol Offers $1M Bounty Following Massive Exploit. (Accessed June 29, 2022)].
Well .... it is now obvious that those questioning the low-ball bounty offered were correct as the hacker has started to launder the spoils.
As shown by Etherscan, the wallet responsible for last week’s Harmony exploit sent a little more than 18,036 ETH (a sum worth north of $21 million at today’s prices) to a secondary wallet. That secondary wallet then evenly split the sum between three tertiary wallets; at the time of writing, two of these tertiaries have sent ETH to a Tornado Cash router.
[Carreras, T. Harmony Hacker Begins Laundering Funds. (Accessed June 29, 2022)].
"The first and second wallets that received ETH from the exploiter’s primary wallet have completed mixing the coins and are now left with about 16.3 ETH collectively, an amount likely too small to bother with" [Akamo, A. Harmony Network Hacker Moves $21 Million of Stolen Funds to Tornado Cash. (Accessed June 29, 2022)]. And as of yesterday's date, the third wallet "was busy sending batches of 100 ETH to Tornado in eight-minute intervals and still had 2,800 coins remaining...." [Id].
It is important to recognize that:
Tornado Cash is an Ethereum protocol that leverages zero-knowledge technology to allow users to break the links in their on-chain activity. If used correctly, the protocol makes it impossible to track down transactions from one wallet to another. The protocol has been used by hackers in the past to cash in on their ill-acquired gains. Data from Nansen indicates that the Harmony exploiter, while having only sent about 12% of their loot to Tornado Cash, is already the fifth-biggest malicious user of the protocol (behind the Ronin, Fei, Beanstalk, and Parity exploiters).
[Carreras, supra].
Despite the forgoing, on June 28, 2022, Harmony tweeted a reaffirmation that they are working in conjunction with 'two highly reputable blockchain tracing and analysis partners and the U.S. Federal Bureau of Investigation to investigate this hack.
"About $80 million in ETH is still in the explorer’s primary wallet. They could possibly return a portion of the stolen funds to Horizon, or they may be taking a break as it has taken the exploiter over 13 hours to mix just $21 million" [Newar, supra].
Horizon is the latest in a growing list of token bridges that have been attacked. The largest token bridge to be hacked was Poly Network in 2021, which lost $610 million that was almost entirely returned. In total, over $1 billion has been extracted from the Meter, Wormhole, Ronin and now Horizon token bridges through nefarious means in 2022 so far.
[Id].