BXH Exchange Hack — October 29 / November 1, 2021
Overview
On October 29, 2021 (publicly disclosed November 1), BXH (BOY X HIGHSPEED), a cryptocurrency exchange operating primarily on Binance Smart Chain, was exploited for approximately $139 million in tokens.
Technical Root Cause
According to BXH CEO Neo Wang and based on consultation with an external security team:
• The exploit was the result of a leaked administrator private key.
• The attacker gained control of an admin key for BXH's Binance Smart Chain (BSC) wallet/contract and used it to drain the exchange's BSC pools.
• This was not a smart-contract vulnerability — it was an off-chain operational/key-management failure.
Possible Attack Vectors Considered
The BXH team identified multiple plausible vectors for how the admin private key was leaked:
1. Direct compromise of the key-holder's computer — the attacker may have broken into the personal machine of the BXH staff member who held the admin key.
2. Malware planted on BXH's own website — the admin may have clicked on a malicious link/file, giving the attacker access to the machine and ultimately the key.
3. Inside job — Wang noted on-chain analysis suggested the attacker operated from inside China, where most of BXH's technical team is based.
Financial Impact
• ~$139 million drained from BXH's BSC liquidity pools.
• Initial estimates were lower (~$130M) but were revised upward as the team completed the investigation.
Response & Remediation
• BXH filed a case with China's network security police (the special unit that investigates digital crime).
• BXH offered a $1 million bounty to any team that helped retrieve the funds.
• BXH offered the attacker an "unspecified reward" if the funds were returned.
• The exchange paused affected operations.
• No public confirmation of large-scale fund recovery was reported.