Halborn Logo

// Blog

Explained: Hacks

Explained: The Orbit Bridge Hack (December 2023)


Rob Behnke

January 8th, 2024

On the last day of 2023, cybercriminals closed out the year with a bang. Orbit Bridge suffered a hack in which an estimated $82 million was withdrawn from the protocol’s wallets.

Inside the Attack

The Orbit Bridge hack occurred in the last few hours of 2023, and is believed to be the result of compromised private keys; however, other theories exist as well. While the protocol used multisig wallets to secure its assets — which is best practice for protecting hot wallets — the attackers were able to generate transactions to transfer various assets from these wallets. In total, the stolen assets included:

  • 9.5k ETH

  • 30M USDT

  • 10M USDC

  • 231 WBTC

  • 10M DAI

The nature of the attack suggests that it might have been performed by the Lazarus Group. The Lazarus Group is a cybercrime group likely affiliated with the government of North Korea. They have performed numerous high-profile hacks both inside and outside of the crypto space.

The potential links to the Lazarus Group are based on a couple of factors. A major one is that the group has demonstrated deep expertise in social engineering attacks. Tricking employees or team members into handing over a private key — or a password that gives access to a private key — is one of their classic techniques. A hack like this one that involves compromising multiple private keys is well within their capabilities.

Lessons Learned from the Attack

The Orbit Bridge hack involved a theft of millions in crypto via compromised private keys. The protocol had multisig wallets in place, making it much more difficult for an attacker to gain the access required to steal the tokens. However, the attackers — potentially the Lazarus Group — managed to pull it off.

Further investigation of the hack might reveal security lapses. For example, if all of the private keys for the multisig wallet are stored on the same system or protected via the same password, then they provide little additional security. Alternatively, a single employee may have had access to them all and was the target of the hack.

The Orbit Bridge hack demonstrates that importance of strong security policies for crypto projects. For hot wallets, multisigs are best since they raise the bar for attack. When using a multisig wallet, it’s also important to implement separation of duties so that no single person, system, etc. has the ability to access all private keys and unilaterally drain a project’s wallets.