
Orbit Bridge

avoid.net/orbit-bridge · 10/100 · 100% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]
anchored·2XtCQy…v12x

Summary

Orbit Bridge is a cross-chain interoperability protocol developed by South Korean blockchain firm Ozys. On December 31, 2023, it suffered one of the largest bridge exploits in crypto history, losing approximately $81.5 million in ETH, WBTC, USDT, USDC, and DAI. The attacker allegedly compromised seven of ten multisig signatories after a former chief information security officer allegedly weakened the company firewall before departing. Blockchain analysts have linked the attack's patterns to North Korea's Lazarus Group, though no formal attribution has been confirmed by authorities. As of 2025, the majority of stolen funds remain unrecovered, with the attacker having laundered over 17,000 ETH through Tornado Cash.


Timeline (13 events)

2023-11-20

Orbit Bridge's CISO submits voluntary resignation request to Ozys.

2023-11-22

Alleged: Former CISO makes unauthorized changes to Ozys internal firewall policies, weakening security posture (alleged by Ozys; unproven in court).

2023-12-06

Former CISO formally departs Ozys without disclosing firewall changes.

2023-12-31

Exploit begins at 21:08 UTC. Five unauthorized withdrawals drain 9,500 ETH, 231 WBTC, 30M USDT, 10M USDC, and 10M DAI from Orbit Bridge's Ethereum vault across approximately 17 minutes.

2023-12-31

Bridge contract deactivated at approximately 22:21 UTC to prevent further losses.

2024-01-01

Orbit Chain publicly confirms the exploit. National Intelligence Service notified by 10:35 a.m. KST.

2024-01-02

ChainLight engaged for forensic analysis. Orbit Chain attempts on-chain communication with attacker. Requests to exchanges to freeze stolen assets submitted.

2024-01-03

Match Systems publishes report alleging the Orbit attacker used tools and patterns consistent with Lazarus Group, and may have also conducted the Atomic Wallet, CoinsPaid, and CoinEx hacks.

2024-01-10

South Korea's NIS, National Police Agency, and KISA confirm joint investigation is underway. NIS states no direct North Korea link confirmed but possibility is being examined. Negotiations with attacker reported to have failed.

2024-01-25

Ozys publicly alleges former CISO deliberately weakened company firewall prior to the hack. Civil lawsuit and police petition filed against the unnamed former employee.

2024-02-14

Ozys publishes draft Asset Recovery and Ecosystem Normalization Plan, targeting $82M recovery over two years through company capital, partner grants, and new business revenue.

2024-06-08

After approximately five months of dormancy, attacker moves 12,932 ETH across seven transactions, routing approximately $48 million through Tornado Cash.

2025-01-01

Attacker transfers an additional 4,320 ETH (approximately $18.81 million) through Tornado Cash. Total laundered through Tornado Cash reaches 17,242 ETH (approximately $66.35 million). Attacker reported to still hold approximately 9,511 ETH and 20M DAI.

Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 5/4/2026, 2:54:36 AM

last updated: 5/20/2026, 3:41:10 PM

avoid.net — verified advice for a post-truth world