Decentralized finance (DeFi) trading platform BXH continues to work with its security partners to trace the whereabouts of stolen funds after it suffered an exploit first estimated at US$130 million, and has reported the case to the police in China, as most of the affected users appeared to be there, the company’s CEO said.

Neo Wang, BXH’s CEO, told Forkast.News today in an interview the company immediately called China’s cyber police as soon as it was aware of the attack, and the police have now entered the company’s office to help investigate the incident.

“According to the possibility at the moment, the hackers are likely in China, so we chose to call the police in China,” Wang said. “The team which is participating in the investigation is the Chinese cyber security police team. They are very experienced, and they also have found some clues and evidence.”

Wang added that the public security department is taking the hack very seriously given the massive amount of stolen funds involved.

BXH announced on Saturday that it was being attacked on Binance Smart Chain, resulting in the theft of about US$130 million. It said that assets on other chains are safe and not affected, and it has locked BXH contracts on OEC and HECO chains for asset security reasons.

Wang said today the loss amounted to an estimated US$139 million.

As PeckShield, one of BXH’s security partners, has pointed out, the exploit was likely caused by a leaked single admin key, used to drain funds. Wang said the attacker might have hacked into an employee’s computer or implanted a virus that an administrator clicked on to set off the attack. The team is also investigating the possibility of an inside job.

BXH said it will offer a bonus of US$1 million to any white hat team that could help retrieve users’ assets. “To the exploiters again, please return the funds to the fund pool immediately and we will recognize your actions as white hat and offer [a] bonus,” the company said in a tweet.

Wang said that BXH will put together a repayment plan if the security team eventually fails to track down the hacker.

The BXH’s exploit is just one of a series of DeFi attacks that occurred over the past few months. Just last week, Cream Finance suffered a flash-loan attack and lost about US$130 million worth of tokens.

In August, another DeFi platform, Poly Network, suffered a US$600 million hack, though the hacker later returned the stolen assets. In the same month, Japanese crypto exchange Liquid suffered a loss of over US$90 million in an attack, which siphoned Bitcoin, Ethereum, Tron and XRP tokens from the exchange. Liquid obtained a US$120 million loan from fellow exchange FTX to cover losses.