HTX suspended withdrawals as they investigated the hack, and wrote that the company would "fully compensate for HTX's hot wallet losses". Security firm Cyvers said they believed the theft was enabled by a private key leak.
HTX (fka Huobi) and Heco Chain hacked for $115 million
Justin Sun confirmed that HTX (formerly Huobi) and its related Heco Chain protocol were hacked for a combined $115 million. It's been a rough few weeks for Sun, whose Poloniex exchange was hacked for around $120 million on November 10, and a rough few months for HTX, which was hacked for $8 million in late September.
UK's Financial Conduct Authority warns of Huobi and KuCoin
The United Kingdom's Financial Conduct Authority (FCA) has added another 146 entries to its "warning list" of unauthorized firms, including the crypto exchanges Huobi and KuCoin. The additions pertained to new regulations that require crypto firms who want to run promotions in the country to register with the FCA, and comply with regulations aiming to prevent misleading advertisements.
The warning list was created to notify potential users of these firms, and to inform them that losses related to the use of those platforms won't be covered by the UK's compensation scheme.
Huobi has claimed they don't operate or promote in the UK, while KuCoin gestured towards adjusting its practices in the UK. Firms on the warning list may be subjected to more serious enforcement actions in the future, including fines or even prison time.
Huobi exchange hacked for $8 million
Justin Sun confirmed on September 25 that his crypto exchange Huobi (recently rebranded to "HTX") had been hacked for 5,000 ETH ($8 million) the prior day. He reassured customers that the exchange would be covering the shortfall, and that "all user assets are #SAFU".
Sun offered a bounty to the hacker to return 95% of the funds, also promising to hire them as a "security white hat advisor" for the exchange. Otherwise, he threatened to go to law enforcement.
Two weeks later, the thief returned the funds, with a note that their hot wallet key had leaked. Huobi paid the $410,000 bounty.
Rumors swirl that Huobi executives have been arrested, exchange is insolvent
Hong Kong crypto news outlet Techub cited two insiders when reporting on August 5 that "at least three executives" at Huobi had been detained by Chinese police for investigation. The report sparked panic, and the exchange has seen net outflows of more than $73 million in the past week. Huobi's stablecoin balances are down 33% over the same period. Investor and crypto analyst Adam Cochran tweeted of "likely Huobi insolvency", citing Binance's bulk Tether sales, paused "audit" reports, and "weird balance shifts" at the exchange.
Huobi and related people have been busy refuting the rumors, with Huobi's social media head dismissing them as "baseless malicious attacks". Huobi "advisor" Justin Sun tweeted "4".
Huobi patches massive vulnerability after researcher allegedly tries for a year to disclose it
After the Huobi crypto exchange (finally) fixed a massive vulnerability, researcher Aaron Phillips published a blog post explaining what he had found. According to Phillips, two years ago, the exchange accidentally published a file containing Amazon Web Services (AWS) credentials, which could have allowed a bad actor to modify content on their websites and in their CDN, distribute malicious versions of their Android app, access user data and "whale reports" on high-value users, access OTC trade records and user data for OTC traders, and "carry out the largest crypto theft in history". "I had full control over data from almost every aspect of Huobi's business," wrote Phillips.
According to Phillips, it took months before he was able to get in touch with Huobi and convince them to act on the leak. Phillips first notified Huobi of the leak in June 2022, and after repeated efforts to contact the company, the credentials were only revoked in June 2023.
Huobi has tried to downplay the hack, first stating that the user data leak was "on a small scale (4,960 individuals)" and "does not involve sensitive information and does not affect user accounts and fund security". They also claimed the leaked OTC data was test data. "The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused," they wrote.
According to CoinGecko, Huobi is the seventeenth-largest cryptocurrency exchange by volume.
Huobi Token flash crashes by 90%
Huobi Token, the token tied to the Huobi cryptocurrency exchange, experienced a flash crash in which the token price tumbled 90% from $4.60 to around $0.31 within about a ten-minute span. HT does not have a ton of liquidity, and so Huobi-linked executive Justin Sun reported that a "few users trigger[ed] a cascade of forced liquidations in the spot and HT contract markets".
Sun also announced that he had transferred $100 million to Huobi to provide more liquidity. He also announced that "Huobi will bear all leverage-through position losses on the platform resulted from this market volatility event of HT."
Although the token recovered quickly, the flash crash sparked rumors that Huobi was insolvent.
Huobi performs 20% layoff, reportedly requires employees to take salary in stablecoins
The major cryptocurrency exchange Huobi confirmed they planned to lay off 20% of employees, shortly after Huobi's advisor and somewhat its public face, Justin Sun, denied any layoffs were planned.
Crypto reporter Colin Wu has also reported that the company is requiring all employees to begin accepting their salaries in Tether or USDC stablecoins, or face dismissal. Rumors on Twitter emerged that internal communications channels had been shut down to quell dissent over the change.
Some crypto advocates commenting on the change maintained that there should be no difference to employees if they receive salaries in stablecoins vs. real money, but none seemed able to elucidate any legitimate reason that an exchange might find itself unable to pay salaries except in stablecoins.
At least they're not being asked to take salaries in USDD, the Tron-based stablecoin associated with Justin Sun. USDD depegged even further from its peg (which has been unstable since around October 2022), dipping to around $0.97.
Huobi exchange announces $18.1 million is locked on FTX, mostly customer funds
Huobi announced to shareholders that they had $18.1 million in crypto assets on the FTX exchange, where they can't be withdrawn. They reported that approximately $13.2 million of those funds were customer assets. They announced that they would be taking an unsecured loan of up to $14 million from controlling shareholder Li Lin to cover the client assets.
Gala Games tokens drained by project claiming to help them; Huobi claims the project profited
There was some brief panic on November 3 as someone minted a huge number of $GALA tokens in what appeared to be an exploit. $GALA is the native token of Gala Games, a platform for distributing blockchain-based games. It turned out that the pNetwork project had discovered a vulnerability in the pNetwork bridge, which could have allowed someone to drain the entire pool. pNetwork decided to undertake their own "white hat" attack, draining the funds before a malicious exploiter could do so.
However, the Huobi crypto exchange has claimed that pNetwork's actions were not white hat, and that they profited $4.5 million from their actions. pNetwork rebutted that they had not made any money from the operation, and threatened to sue Huobi over the accusations.
Some traders who attempted to "buy the dip" and profit from the plunge in value of the GALA tokens were also upset with Huobi, when they found that the exchange had replaced their tokens with new, worthless $pGALA tokens.
HUSD stablecoin depegs
HUSD, a stablecoin linked to the Huobi crypto exchange, lost its peg and dropped to around $0.85. HUSD is a cash-backed stablecoin intended to be pegged to the US dollar, but the coin lost its peg due to "liquidity issues". HUSD later tweeted that, "We had made the decision to close several accounts in specific regions to comply with legal requirements, which included some market maker accounts. Due to the time difference in banking hours, this resulted in a short-term liquidity problem". The stablecoin restored its peg on August 18.
Several weeks earlier, major crypto exchange FTX announced that they had removed HUSD from their USD basket, meaning they would not be able to be used as collateral.
Huobi worked to distance itself from HUSD as the coin de-pegged, emphasizing that the token is maintained by a different entity and claiming to have exited their stake in that entity in April. However, the token was originally launched by Huobi in 2018, and Huobi has continued to run promotions involving the token as recently as July.