Harmony Villains

Family!

I’m torn between dropping the entire wallet map, amounts, and fiat off ramps here and remaining somewhat quiet. I see the value in not making all of the progress of the investigation known, but I also can see how much the lack of communication from the core team and the contributors is hurting the community. I know that Daniel P. and Li J. are working tirelessly to get professional investigators and law enforcement the evidence that they need in order to track and hopefully freeze the assets. Ideally this leads to prosecution, but we should face the facts and accept that we also may never see the 100M again. And that is okay. More so, we need strong leadership, excellent communication that comes from the top down, and clear plans that are actionable and which empower the community to build build build. Hopefully today was crunch day and a portion of the core team can be dedicated to communication moving forward.

All that being said, I can say this as a summary of today’s events thus far:

This is a basic outline of the stolen assets flowing from the Harmony Bridge Exploiter (0x0d04) to a shell wallet, and then being split up into new 1/3 to be pushed through Tornado.cash in 100 ETH increments (for the most part). As the day progressed, I was able to sift through every Tornado.cash tx to identify which ones are most likely originating from the stolen funds and to organize them by their new wallets. In some cases, the assets were swapped and sent out via various fiat offramps/exchanges. In total, there are more than 45 wallets that contain the stolen assets (and counting). That’s over 12,000 ETH, valued at more than 14.5M USD, the majority of which is parked in new wallets. As of this writing, I believe that around $900,000 USD has been sent out to exchanges, some of which have been confirmed as reported. This number is speculative, as a major tx valued at over $670,000 is still being considered (it was obfuscated through Ren.BTC app).

I have been tracking today for 13 hours and plan to continue until this batch of 18,036.3 ETH is distributed through Tornado.cash.

That being said, I do believe in our leadership and I hope that the community can remain strong, resilient, and hopeful in what we can build. There are so many talented teams on this chain and I strongly consider this to be a chain worth fighting for.

UPDATE: Unfortunately the next round of 18,036.3 ETH has been sent out. I expect the cycle of tornado cash to renew.
tx: 0xface937c945feff9010c6ffc795cd2745c5557ba7f8b9d1853cf3cc70cb76d44

18 Likes

Again, thank you so much for your dedication and hard work. God bless you :pray: :pray: :pray:

1 Like

My biggest respect, but I am not sure about the investigation on Tornado. That’s not that easy to track, especially because of zk and the private hash you don’t see.
What if everything is still inside Tornado and he will cash out in days, weeks or months?

2 Likes

The hacker is obviously not zk-savvy enough to understand how to best use Tornado to their advantage. The 100 ETH pool with low volume makes it super easy to track…

4 Likes

Thanks for what you are doing! A request. Please date the updates so we know when you got the latest news. I know there are ways to see but if it is just there it would help I think. Thanks again!

3 Likes

Hey fam!

Pulled another long day logging and considering the data. Honestly, pretty repetitive day that mostly followed yesterday’s pattern of asset movement through Tornado.cash (ETH 100). While tracking and logging I reached out to the team at https://www.breadcrumbs.app/ for their support in visualization, but unfortunately their software doesn’t handle obfuscation very well and they are working on a fix. That being said, I could create a visual montage manually, but that would probably take weeks if I consider the amount of tx. It would also look like this, lol:

As most of you have heard by now, Harmony is working with not only the FBI, but also Chainalysis! Good news, and they do think that this is the work of DPRK (N. Korea), according to their latest tweet: https://twitter.com/chainalysis/status/1541560089420652545?s=20&t=_ruB6SLdhBLqLg8uPMhzFA

These guys are the professionals, so I will leave speculation to them. I simply analyze the blockchain data available. However, I will say that we still have a handle on where the funds are ending up after hitting the tornado (they go to new wallets and do not move for the most part). As of right now (June 29, 2022 06:15 am UTC) about 33,000 ETH has been received through tornado.cash ($40M USD). These are still on chain and have mostly not been exchanged to fiat.

Surprisingly, a new batch of ETH has not been sent out to dummy wallets either. Not quite sure what to make of that, but they did break yesterday’s timing for deployment (Jun-28-2022 03:58:50 AM +UTC).

16 Likes

Thanks for all your work, looking forward to mtop

4 Likes

If we get out of this, we all will be advocating to set up this bounty programme and make you one prime example of it!

1 Like

Great job, thanks!!!

2 Likes

Hey fam,

Another long day of tracking, logging, and organizing the stolen assets. Thanks to @Elanu in the MtopSwap discord for his amazing assistance today, I was able to come up with an Excel tool that pulls live wallet data and compares that with my previous wallet balances to determine when the assets are moved! For the most part they are parked, but there are outliers that I have annotated and reported to the team.

Another shoutout to @0xStorm for their support in tracking. We work independently and compare our notes periodically to maintain accuracy and discuss the pattern-breakers. They have been a valuable asset to the effort and I want to thank them for their time and attention!

Midday the Harmony team sent out a message to the hacker, increasing the bounty to 10m in return for the remaining 90m and sanctuary from future legal/criminal action. We have yet to see a response via blockchain at this time, but I remain hopeful as it does not seem that they have the skill in obfuscation necessary to throw the trail. There are over 100 tracked wallets at this time that hold every single missing asset, which have been shared with the Harmony team and their professional partners.

Otherwise, about 42,500 ETH has been received from Tornado.cash at this time ($52M USD), as deployment of the funds was slow today. I used much of the time to clean up my data and to work on helpful tools such as the one mentioned above and another that allows wallet trackers to compare their findings and display the differences between the two.

Last, thank you @dpagan-harmony for engaging directly with the community in tonight’s Twitter Space, hosted by Tim and Jim (JCR Validator and SMH). That’s exactly what the community needs and I personally hope that we can keep up the momentum and discussion moving forward. We’re a family regardless of pegs and price action, we just need to stay strong together and rebuild. We can last.

18 Likes
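The balance-snapshot comparison and the tracker-to-tracker diff mentioned in the post above, sketched as an added example. This is not the poster's Excel tool; the function names, the dust threshold and the sample addresses are assumptions, and balances are passed in rather than fetched live.

```python
"""Added illustration: snapshot comparison for a list of watched wallets."""
from decimal import Decimal

WEI_PER_ETH = 10**18

def to_wei(eth: str) -> int:
    """Parse an ETH amount string into integer wei (no float rounding)."""
    return int(Decimal(eth) * WEI_PER_ETH)

def norm(addr: str) -> str:
    """Addresses are hex strings; compare them case-insensitively."""
    return addr.strip().lower()

def detect_movement(previous: dict, current: dict, dust_wei: int = 10**15) -> list:
    """Return (address, status, delta_wei) for wallets whose balance changed.

    previous/current map address -> balance in wei. Changes at or below
    dust_wei are ignored so tiny inbound transfers do not raise alerts.
    """
    prev = {norm(a): b for a, b in previous.items()}
    curr = {norm(a): b for a, b in current.items()}
    events = []
    for addr in sorted(prev.keys() | curr.keys()):
        if addr not in curr:
            events.append((addr, "missing_from_current", 0))
            continue
        if addr not in prev:
            events.append((addr, "newly_tracked", curr[addr]))
            continue
        delta = curr[addr] - prev[addr]
        if abs(delta) > dust_wei:
            events.append((addr, "outflow" if delta < 0 else "inflow", delta))
    return events

def compare_trackers(mine: set, theirs: set) -> dict:
    """Show where two independently built wallet lists disagree."""
    a, b = {norm(x) for x in mine}, {norm(x) for x in theirs}
    return {"only_mine": sorted(a - b), "only_theirs": sorted(b - a),
            "agreed": sorted(a & b)}

# Constructed sample data: placeholder addresses, not wallets from the thread.
PREV = {"0xAAA1": to_wei("100"), "0xBBB2": to_wei("100"), "0xCCC3": to_wei("200")}
CURR = {"0xaaa1": to_wei("100"), "0xbbb2": to_wei("0.5"),
        "0xccc3": to_wei("200.0001"), "0xddd4": to_wei("100")}

if __name__ == "__main__":
    for event in detect_movement(PREV, CURR):
        print(event)
    print(compare_trackers(set(PREV), {"0xbbb2", "0xeee5"}))
```

Wallets listed under `only_mine` or `only_theirs` are the ones two trackers would need to reconcile.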

Always glad to help! Keep up your awesome work man!

4 Likes

Thanks for the update and all your efforts.

4 Likes

Thanks for the update

2 Likes

So… Another day and even more of our dollars drained from the main scam wallet through Tornado.cash. We’re at about 60,000 ETH received across 140-ish wallets post-tornado. That leaves us with about 15,000 ETH remaining to flow from the Bridge Exploiter Wallet to the recipient addresses. What next, as this will happen with near 100% certainty and in the same fashion that we have witnessed this past week…

My hope is that they slip up on movement after the funds have been ‘mixed’ through the tornado. Also, once the funds have completely been distributed it will be clearer which transactions and wallets that have been logged are false positives, as we will end up with slightly more balance than sent. This is because there are times when transactions are sent at the same time pre-tornado, which does not provide enough indication until the pattern is broken. Once the pattern breaks (meaning funds are sent out immediately, or re-compiled and exchanged, mostly) the wallet is annotated for later inspection. So there are still plenty of things to do after the funds are completely distributed.

Beyond funds, the habits today were also usual:

Deposit Stop Jun-30-2022 08:12:41 PM +UTC
Deposit Start Jun-30-2022 11:57:41 PM +UTC

I log these types of details to help with potentially locating where the actors are operating from.

Otherwise, it has been a relatively quiet Thursday. I still hold steadfast in my faith that the core team can lead us through this and do right by the community in the long-term. My greatest hope is for the success of the chain and the wellness of our family! Tracking these funds is just my small way of contributing and I hope to see you all on the other side, better off and looking back to these turbulent times with an easy-going smile.

Again, very special thanks to @0xstorm and @Elanu for their dedication to providing the information and tools necessary to fight back.

13 Likes

Thanks for the info man!!!

1 Like

Thank you for the update! Much appreciated ~ITCBTC

1 Like

Hey fam!

Today went slower than expected, as the hacker needed a break during a large portion of today’s wakeful hours (USA PST). Right now we are about 73,000 ETH received through Tornado cash ($90M). This is all as expected and is within our grasp at this time in terms of monitoring.

That out of the way, I am happy to say that the core team really stepped up their game today. They have committed to staking a minimum of 200M ONE tokens to validators to further support the decentralization and stability of our network! Furthermore, they will engage with the community in order to determine the best way to employ the staking rewards received from such a large delegation of funds.

The core team also announced their partnership with Miracle Universe, a Web3 game publisher led by Monte Singman, who brings 36 years of game dev experience to our chain! See here for more details.

Another elephant was addressed in a more nondescript fashion- the team is working vehemently on ‘potential ways to restore funds for as many bridge users’ as they can. They highlight this as being a priority in their planning as they continue to navigate both the market and recent events.

On a side note, the Community DAO (CDAO) held a Twitter Space today for its potential governors to introduce themselves to the community and to give voice to their concerns and how they might go about addressing them. Please remember that these people are stepping up to these leadership roles in order to represent us, the users and community of the chain. Your support and engagement with these people could change the space, for better or worse.

Last, I made a short video to walk you through the deployment process and to shed a little bit of light on what the day to day has looked like this past week!

9 Likes

Amazing to have you keep posting updates here. Keep working and will happily contribute to the CDAO in the future (as in feedback etc).

One for all, let’s maintain this transparency :fire:

1 Like

Happy Saturday!

Today marks the end of the initial distribution of the Bridge exploit and therefore a rest for my eyes. It has been a stressful week for all of us, full of anticipation, anxiety, and unrest. However, I can firmly say that the leadership intends to move on from this difficult period and to restore the chain. Yes, there are funds to repeg, leaders to establish, and a massive amount of users to onboard. But… we still have a dedicated community of deeply entrenched and loyal users that seek to build. I count myself as one of such believers.

Today, in a rare fashion, we heard from founder Stephen Tse in video format. He addressed core issues brought forth from our community and has established an initial sense of belief from the top down- a much needed piece of interaction here on the Harmony chain. Day by day we have seen our leadership commit to a degree of responsibility and presence towards our community and the future of the chain itself. What does this amount to?

- We should see a more detailed update on the Harmony talk forum soon regarding the best moves to rebuild and secure our network and its users’ assets.

- The core team is committed to the future and success of the chain. We should seek to build, grow, and regain the trust of a larger community.

- Moving forward it is all hands on deck- we are driven to onboard new users and to further analyze user growth metrics.

A bit wordy, but I do believe that the topmost echelon of leadership for Harmony is steadfast. The bridge exploit has the potential to make or break our home, yet its users and leaders remain. I personally have dedicated my time to focus on the longevity and perseverance of the ecosystem in my limited capacity. Today I have committed to become a validator and will rapidly deploy a node to support the decentralization and security of Harmony. To me, this is a space of community, friendships, involvement, and hope for a better future. I strongly feel that we can establish ourselves here and find success in Web3/DeFi.

I am not paid to say these things. My interests lie in the potential of this space and the security of our opportunity as users.

13 Likes

Ever since I found Harmony and its community I have tried to bring people from other chains; they could not believe me until I showed them what a nice and friendly community really is.
I will continue doing this because I think this chain has the best people. Funniest, smartest and friendliest.

4 Likes