Multichain victims search for answers in $1.5B exploit as new evidence emerges
On July 14, developers of the $1.5-billion Chinese cross-chain protocol Multichain confirmed users’ worst fears. The protocol’s CEO, identified only as “Zhaojun He,” was arrested by Chinese authorities in Kunming on May 21 after months of repeated denials on official communication channels. Also allegedly arrested was Multichain’s core team, which was operating in Shanghai.
It was never disclosed why Zhaojun had been arrested or what the charges were. However, evidence suggests that Multichain funds may have been seized as part of an anti-money laundering operation in the context of a greater crackdown on crypto by Chinese authorities. In addition, an alleged fake ID used by the CEO to register Multichain’s operations only draws more questions.
Multichain co-founder Alfred Xu assured that the development team was doing “just fine” on May 24 | Source: Telegram
Victims demand answers
Despite their previous assurance of decentralization, the Multichain team revealed that the protocol’s multi-party computation servers and private keys were all under the exclusive control of Zhaojun, which were handed over to police. Without access to such items, the protocol had to shut down, and its team members were nowhere to be found.
By the time of disclosure on July 14, $1.5 billion in total value locked on Multichain bridge remains inaccessible. An attempt to “rescue” users’ assets earlier that month also resulted in the arrest of Zhaojun’s sister, or so the development team says. Since the arrest began, funds on Multichain have been mysteriously swapped or bridged to unidentified wallets.
Crypto investor ArkRide, who claims to have over $9,000 stuck in the Multichain protocol, founded a victims group shortly after the incident. The group now has over 300 members.
ArkRide tells Cointelegraph that when the group formed, the members did not even know the names of key Multichain executives. Subsequently, one member shared a document from the Singapore government’s Accounting and Corporate Regulatory Authority alleged to be a Multichain business filing. The document lists “He Xiaokun,” a resident of Jiangsu Province, China, as the “Director” of the company. After seeing this document, some allege that “Zhaojun He” is in fact a pseudonym for “He Xiaokun.” (Chinese family names are written first.)
A Singaporean business filing for the principal business entity behind Multichain. Source: Telegram
Several Multichain victims reached out to Chinese embassies and the police in their home countries in an attempt to get further information, but received no response.
Around the same time as user investigations, they were contacted by the Fantom Foundation, one of the largest users of the Multichain bridge prior to its collapse. Through several Telegram messages, sources at Fantom claimed that it has hired attorneys within China to assist in the recovery process and confirmed Multichain co-founder Zhaojun had been detained by Chinese police.
“We’ve been gathering info from different parties and have contacted a Chinese law firm to get advice moving forward,” the source also claimed that some of the Multichain funds have been frozen by centralized exchanges and stablecoin issuers and that the foundation is attempting to get these funds distributed to victims. When asked about the possibility of a rug pull, the source wrote: “I do not believe the MC team misappropriated funds.”
On July 14, Fantom co-founder Andre Cronje stated that “Multichain was a big blow” to the network, as much of its total value locked consisted of Multichain derivative stablecoins. Stablecoin issuers Circle and Tether have frozen over $65 million in assets associated with the hack, according to blockchain data.
Cointelegraph reached out to the Fantom Foundation for comments but did not receive a response by the time of publication.
In a conversation with Cointelegraph, freelance content creator PJ Krypto claimed that he has lost a full month’s paycheck from a client as a result of his funds getting stuck inside the Multichain protocol. According to him, this happened on Aug. 1, nearly a month after the team had announced that the protocol should not be used.
Multichain’s user interface gave no warning that it shouldn’t be used. (Aug. 23, 2023)
After his transfer took an unusually long time, PJ checked Multichain’s block explorer and noticed that it had an abnormally large amount of pending transactions. Alarmed, he then checked the protocol’s social media accounts.
“Nearly, my jaw dropped to the ground when I started reading everything,” he stated, continuing:
“I don’t know, I guess, sometimes, you just kinda get comfortable. You’ve used something before, and it just works. And you get a little lackadaisical, and I think that’s where I got victimized […] the silly thing is, I could have just sent it to a centralized exchange.”
The content creator stated that his paycheck is still stuck in the Multichain protocol. As a result, he has been unable to pay his team for subcontracted work they performed for him in July and will likely have to catch up these payments out of revenue from August. “It was a tough pill for them to swallow. I mean, they have bills, right? And I’m behind now on my bills for my content creation.”
ArkRide lost over $9,000 worth of crypto in Multichain on July 15 under similar circumstances. He expressed relief that his loss from the hack was small and stated that he has met others who fared much worse:
“My amount that I lost on Multichain is not as much as some people that I talked to lost because there were people who lost nearly half a million. I talked to a couple of guys who lost like $100K each, and there were some people who literally couldn’t stand from their beds, they told me they wanted to commit suicide or something like this.”
The investigation continues
The Chinese national ID system reveals concerning information on who is the actual director of Multichain. A Chinese national ID is a 15- or 18-digit number containing an individual’s residing jurisdiction, date of birth and gender.
A query revealed that the individual listed as “He Xiaokun” in Multichain’s Singaporean registration documents was born on May 10, 1955. The same search for “Yang Qiumei,” another director listed on the Multichain registration file, reveals the said individual to have been born on July 20, 1957. Xu Ruduo, the third director of Multichain — possibly referring to co-founder Alfred Xu — registered using a different type of ID. Alfred Xu has been unreachable since the arrest of his colleague.
The ID search query revealed that “He Xiaokun,” an individual listed as a Multichain director, is currently 68 years ago and lives in a village in Jiangsu. Source: ID Search
By inspection, Zhaojun appears far too young to fit the profile of either “He Xiaokun,” age 68, or Yang Qiumei, 66. Both individuals had been indicated as residing in the same address at a rural Chinese village.
A photo of Zhaojun circulated during his participation in the crypto project Fusion, circa 2017, and was previously his profile picture of his official Twitter account. Dejun Qian, co-founder of Fusion, confirmed Zhaojun was in charge of Multichain during the time of the incident. The two were previously involved in a business dispute regarding Multichain, when it was formerly known as Anyswap.
Zhaojun He as listed in Fusion’s developer team. His biography reads: “More than 10 years of experience in secure Linux R&D. Former technical director of Chinese leading security operating system. Received bachelor of software engineering, Dalian University of Technology.” Source: Fusion
Sources reviewed by Cointelegraph claim that from the very beginning (May 21), Chinese authorities accused Zhaojun of “money laundering” by bridging tainted assets from users via the Multichain protocol. As a result, the police have attempted to seize all protocol assets, user, enterprise or tainted alike, as proceeds of crime. Although some of these seizures were prevented when centralized exchanges or stablecoin issuers froze the funds, the rest have passed into the hands of Chinese authorities, these sources claim.
Wuwei Liang, a former staff member of crypto exchange CoinXP, claims that in 2019, the firm’s entire development team was apprehended by Chinese police, along with the confiscation of protocol funds and shutdown of all relevant operations. Liang Liang, the firm’s CEO, was subsequently charged with operating a “multi-level marketing operation” and a “pyramid scheme,” which could result in the criminal seizure of the projects’ users’ and enterprise’s assets al if convicted.
During the trial this July, some sources claim that key witnesses and defense attorneys were threatened with legal intimidation. A presiding judge also reportedly stated, “Presumption of innocence until proven guilty” is “not a correct principle” within Chinese law. The trial has been adjourned.
CoinXP trial participants allegedly being apprehended by police | Source: Liang Liang
In a similar incident on May 29, Chinese crypto exchange BKEX suspended withdrawals citing the need to cooperate with police on charges of “money laundering.” The exchange has not been active since, and, like Multichain, its team members are nowhere to be found. Social channels, too, have gone cold. Its website is also offline.
Crypto exchange BKEX’s last message to users before halting withdrawals.
In yet another incident, the entire development team of offshore Hong Kong dollar and Chinese yuan stablecoin issuer Trust Reserve disappeared in May after its office was raided by police. Local sources say that Trust Reserve developers had been detained. Again, the charges are unknown.
Allegations of corruption
In each of these instances, police have neither informed investors of the charges against protocol developers nor of what process investors can go through to recover their funds. CoinXP’s Liang claims that this is because police are using the legal system as a means of corruption to embezzle investors’ capital for their own benefit:
“Defense lawyers would persuade the parties and their families [of arrested crypto executive] to comply, shut down servers, hand over [private] keys, and cooperate in pleading guilty, claiming that this will result in leniency. Little do they know that this makes it easy for law enforcement to profit from unlawful conduct, ‘legally’ pushing the parties towards prison and, at the same time, ‘legally’ taking away the digital assets that belong to the users, investors and founding team.”
Whatever the reason, the Chinese government has not yet answered investors’ questions of where the funds have gone and why they have not been returned to users.
Users such as ArkRide, PJ Krypto and others in the “Multichain Scam” group have so far been unable to get answers as to where their hard-earned money went. But one thing is certain: The Multichain exploit will go down as one of the worst crypto hacks of 2023. Across the world, Multichain users’ assets have mysteriously disappeared. Although some of the funds may be recovered, many are still experiencing the trauma it caused them.
Cointelegraph Editor Zhiyuan Sun contributed to this story.
Magazine: Should we ban ransomware payments? It’s an attractive but dangerous idea