Official Statement Regarding ‘Orbit Bridge Exploit’

Orbit Chain, published Jan 25, 2024


Hello, Orbit Chain Community.

This is Jinhan Choi, CEO of Ozys, developer of Orbit Bridge Service.

We deeply regret the unexpected exploit that occurred on the Orbit Bridge Ethereum vault on January 1, 2024, at approximately 5:52 a.m. (KST), and as the developer we sincerely apologize for any inconvenience this may have caused our community.

To the best of our ability, we would like to outline what we have learned so far from our own investigation, from an audit conducted by the security firm Theori, and from investigations conducted by the National Intelligence Service, the National Police Agency, and the Korea Internet Security Agency (KISA).

We would first like to note that we are still conducting a thorough investigation in order to determine the exact cause of the exploit. As soon as we are able to do so, we intend to publish a transparent incident report in collaboration with law enforcement. Our apologies once again for any inconvenience this may have caused, and we appreciate your understanding.

In six incidents between 5:52 a.m. and 6:25 a.m. on January 1, an unidentified attacker stole approximately $81.5M (valued at the time of the exploit) in five assets (ETH, WBTC, USDT, USDC, and DAI) from the Orbit Bridge Ethereum vault. The stolen assets were swapped to ETH and DAI, distributed to eight wallets, and have remained unmoved since then.

At 7:05 a.m., our development team first learned of the incident through the validator group channel and carried out an initial response. The Ethereum vault was shut down at 7:21 a.m. to prevent further damage, and Theori and Ozys began a joint response and tracking process at around 9:00 a.m. By 10 a.m., we had notified the Seoul Metropolitan Police. At 10:20 a.m., we identified the movement of the stolen funds, and by 10:35 a.m. we had notified KISA.

After multiple reports indicated that the attack methodology resembled that of Lazarus, allegedly a DPRK-related hacking group, we notified the National Intelligence Service. As a result, a full investigation is being carried out to determine the nature of the attack and the group potentially behind it.

As far as we know, the exploit did not result from a vulnerability in the Orbit Bridge smart contract or from the theft of a validator key. In order to clearly identify the cause, Ozys is reviewing all possible attack routes, including potential vulnerabilities in the code and in external solutions, the relevance of recent attacks on other networks and services both in Korea and abroad, and whether this attack was carefully prepared over a long period of time.

The National Intelligence Service's National Cyber Security Center, the National Police Agency's Cyber Terror Investigation Unit, KISA's Internet Incident Analysis Division, and various security companies are still actively investigating and examining a range of possibilities, and we are cooperating closely with them throughout the process.

Meanwhile, on January 10, 2024, while reviewing the existing firewall policies with a maintenance provider as part of designing a new security network, we discovered that on November 22, 2023, Ozys' former Chief Information Security Officer had arbitrarily changed the firewall policies.

Two days after deciding to voluntarily retire (November 20), the information security specialist who had led Ozys' effort to become an ISMS-certified organization abruptly made the firewall vulnerable, and left the company on December 6 without any verbal or written communication about this during the handover process.

It was less than a month later, on January 1, 2024, that the Orbit Bridge exploit took place. A security expert with 25 years of experience could not have overlooked the potential damage of his actions. This has come as a great shock to our employees, and we are currently taking the necessary civil and criminal measures. Due to the nature of the matter, we were unable to disclose the possibility of legal action in advance.

Ozys has always placed a high priority on security in the development of all of our services, not just as a stated value but by investing a significant budget in enhancing security. Our services have always been audited by multiple security experts, including Theori, both before launch and when new features are introduced. Especially for Orbit Bridge, a cross-chain service, we have used a variety of monitoring tools to ensure security.

Ozys is not obligated to obtain ISMS (Information Security Management System) certification, but we took the initiative in order to make our service environment even more secure and safe. After more than a year of preparation, Ozys received KISA certification and, in line with these efforts, incorporated anti-phishing solutions.

As we have previously shown through incident recoveries on our services, we will share details on the reopening of Orbit Bridge and the recovery plan for the lost bridge assets as soon as they are finalized.

Lastly, we will continue to mobilize all of our resources to identify the attackers and ultimately freeze and retrieve the stolen assets, regardless of how long it takes.

Our sincere apologies go out once again to all users who have suffered inconvenience and hardship following the Orbit Bridge exploit, as well as to all ecosystem participants who have trusted Ozys and used its services.

Thank you.

January 25, 2024
CEO of Ozys, Jinhan Choi
