- Hackers return over a third of the US$600 million (A$814 million) they stole in potentially the biggest crypto heist in history
- The hackers exploited a vulnerability in the Poly Network decentralised finance platform to gain access to the funds
- Poly Network is urging the hackers to return the funds, claiming tens of thousands of people are impacted by the attack
- Bizarrely, the hackers are listening, with some US$260 million (A$353 million) worth of assets returned as of Thursday morning
- Blockchain security specialist SlowMist says it has found the hacker’s IP address, email and device fingerprints
Hackers pulled off a US$600 million (A$814 million) crypto heist this week, then soon after returned over a third of the pilfered digital coins.
The hackers targeted decentralised finance, or DeFi, platform Poly Network and made away with hundreds of millions of dollars worth of ether and other digital tokens.
Poly Network announced the hack in a series of tweets, claiming tens of thousands of crypto community members were affected.
Important Notice:
— Poly Network (@PolyNetwork2) August 10, 2021
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
The DeFi platform shared the hackers’ digital addresses and urged them to return the stolen funds.
“The amount of money you hacked is the biggest one in the DeFi history,” Poly Network wrote in an unconventional open letter to the hacker via Twitter.
“Law enforcement in any country will regard this as a major economic crime and you will be pursued.
“It is very unwise for you to do any further transactions,” the statement said, before urging the hackers to establish communication with the Poly Network team to return the funds.
In perhaps the strangest turn of events of the Poly Network scenario, the hackers started returning the funds to their rightful owners not long after Poly Network’s tweets.
“Always the plan” to return the funds
As of Thursday morning, Australian time, Poly Network said some US$260 million (A$353 million) of assets had been returned, leaving the remaining US$340 million (A$461 million) unaccounted for.
$260 million (As of 11 Aug 04:18:39 PM +UTC) of assets had been returned:
— Poly Network (@PolyNetwork2) August 11, 2021
Ethereum: $3.3M
BSC: $256M
Polygon: $1M
The remainings are $269M on Ethereum, $84M on Polygon
According to Reuters, a person claiming to be behind the hack told crypto tracking firm Elliptic and crypto software specialist Chainalysis the hack was just “for fun” and a way to expose the vulnerability of the Poly Network platform before others could exploit it.
The purported hacker allegedly said it was “always the plan” to return the stolen tokens.
Reuters said the identity of the hacker or hackers has not been identified, and it could not verify the authenticity of the messages.
How did Poly Network get hacked?
Poly Network is not a cryptocurrency exchange or digital wallet platform like Coinbase or Digital Surge.
Rather, it helps facilitate crypto transfers between different blockchains without a middle-man. Essentially, it’s a way for people to use their cryptocurrency across various different networks.
Poly Network said the hacker exploited a vulnerability between the digital contracts used to move assets between blockchains to gain access to the millions of dollars in crypto held within the Poly Network platform.
Blockchain security specialist SlowMist said based on the information it could gather about the attack, it seems the hack had been planned for some time.
However, SlowMist added that it had found the hacker’s IP address, email, and device fingerprints.