
Hacker Returns $600+ Million Haul in Poly Network Cryptocurrency Heist

In an atypical turn, a hacker has returned nearly all of the more than $600 million in digital tokens they stole on Tuesday, August 10, 2021 from Poly Network, a decentralized finance (DeFi) cross-chain platform, in what is said to be one of the largest cryptocurrency heists in history.

For MSPs and MSSPs that are exploring potential cryptocurrency business moves, the hack represents a timely reminder that the crypto world comes with its own set of cyber risks.

Poly, whose platform enables the swapping of tokens across multiple blockchains, was victimized by a hacker who exploited the smart contracts Poly uses to carry out cross-chain transactions. The company says it has integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain.

Poly informed its roughly 16,400 Twitter followers that its system had been breached on Tuesday, August 10, 2021.

The theft exceeded the $530 million worth of cryptocurrency hackers pilfered from the Tokyo-based Coincheck exchange in January 2018, one of the biggest digital heists recorded at that time. Immediately following the digital break-in, Poly posted this open letter to the attacker (via Chainalysis):

Dear Hacker,

We are the Poly Network Team.

We want to establish communication with you and urge you to return the hacked assets.

The amount of money you hacked is the biggest one in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people.

You should talk to us to work out a solution.

The hacker, in turn, issued a running series of messages embedded in the input data of cryptocurrency transactions, in which they claimed they would return the funds and were ready to do so. Poly responded by directing the hacker to send the funds to three crypto addresses, reports said. The hacker has now returned nearly all of the $610 million stolen, a Reuters report said.
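The messages described above were carried in the input-data field of ordinary Ethereum transactions, a field that is just bytes and that any sender can fill with UTF-8 text instead of a contract call. The Python below is an added example written for this article, not code from Poly Network, the attacker, or any analytics vendor; it shows how such a message is encoded and how a reader can recover it from a transaction while telling it apart from a normal ABI-encoded contract call. All sample inputs are constructed; the only real identifier used is the ERC-20 transfer(address,uint256) selector 0xa9059cbb.

```python
# Added example (not Poly Network's or the attacker's code): embedding a
# plain-text message in an Ethereum transaction's input-data field and
# reading it back. All sample inputs below are constructed for illustration.
from typing import Optional


def encode_message_as_input_data(message: str) -> str:
    """Return the 0x-prefixed hex calldata that carries `message` as UTF-8 bytes."""
    return "0x" + message.encode("utf-8").hex()


def decode_input_data(input_data: str) -> Optional[str]:
    """Recover a human-readable message from calldata, or None if there is none.

    Returns None for malformed hex, empty data, bytes that are not valid
    UTF-8, or text containing non-printable characters. An ABI-encoded
    contract call (4-byte selector followed by 32-byte words) normally fails
    one of these checks, which is how a reader can separate on-chain
    messages from ordinary transactions.
    """
    hex_str = input_data[2:] if input_data[:2].lower() == "0x" else input_data
    try:
        raw = bytes.fromhex(hex_str)
    except ValueError:  # odd length or non-hex characters
        return None
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


# Constructed sample transactions: one carrying a message, one an ERC-20
# transfer(address,uint256) call (selector 0xa9059cbb is the real selector)
# with zeroed arguments, and one with corrupt hex.
SAMPLE_MESSAGE = "constructed example: funds will be returned"
SAMPLE_TXS = {
    "message": encode_message_as_input_data(SAMPLE_MESSAGE),
    "erc20_transfer": "0xa9059cbb" + "00" * 64,
    "garbage": "0xzz",
}


def scan_transactions(txs: dict) -> dict:
    """Map each transaction label to its decoded message (None when not text)."""
    return {label: decode_input_data(data) for label, data in txs.items()}


if __name__ == "__main__":
    for label, msg in scan_transactions(SAMPLE_TXS).items():
        print(f"{label}: {msg!r}")
```

The printable-character check matters in practice: a block of zero-padded ABI arguments is valid UTF-8 (NUL bytes) but is not a message, so validity alone would produce false positives when scanning an address's transaction history.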

In the Q&A string, which had some joie de vivre and introspection to it, the hacker said they exploited the Poly vulnerability “for fun” because cross-chain hacking is “hot.” Still, the hacker admitted they had a “mixed feeling” about carrying out the attack. “Ask yourself what to do had you been facing so much fortune. Asking the project team politely so that they can fix it?...I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!”

The hacker claimed not to have left themselves open to exposure. “No, never. I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP or so-called fingerprint which were untraceable. I prefer to stay in the dark and save the world.”

But blockchain security provider SlowMist said in a blog post that it had identified the attacker’s mailbox, IP address and device fingerprints and was tracking possible identity clues. Based on the flow of funds and the fingerprint information, SlowMist speculated that the attacker had been preparing the attack for some time.

As for Poly’s initial post, it aggravated the hacker. “They urged others to blame and hate me before I had any chance to reply!” The hacker always intended to return the funds, they posted. “I am not very interested in money. I know it hurts when people are attacked but shouldn’t they learn something from those hacks? I announced the returning decision before midnight so people who had faith in me should have had a good rest ;)”

The hacker appeared to have a magnanimous side, perhaps indirectly making a case for themselves as a "white hat" hacker by posting that they would like to give Poly “tips on how to secure their network so that they can be eligible to manage the billion project in the future.” They went on to say that “figuring out the blind spot in the architecture of Poly Network would be one of the best moments in my life.”

A modicum of life philosophy also permeated the back and forth between the hacker and Poly. “I have been exploring the meaning of life for a while,” the hacker said. “To be honest I did have some selfish motives to do something cool but not harmful by leveraging the huge fund. Then I realized being the moral leader would be the coolest hack I could ever achieve! Cheers!”

The Poly heist further inflated what was already a difficult year to date for the DeFi segment in crime-related losses. According to a recently released report by CipherTrace, a blockchain analytics firm, DeFi losses from hacks, fraud and theft from January through July 2021 amounted to nearly $475 million, a figure the Poly attack alone exceeded. By comparison, before the Poly heist, overall crime in the cryptocurrency market through July this year had totaled roughly $680 million, compared with the $1.9 billion recorded for all of 2020, the firm said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.