How hackers stole $600 million in crypto – then returned it

The Biggest Heist in History… 

On the 10th of August, following the largest heist in history, Poly Network released a tweet confirming they had been hacked, and attempting to open a line of communication with the hackers directly: 

“Dear Hacker […]  

The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued [….] 

You should talk to us to work out a solution” 

Poly Network is a finance platform which operates with cryptocurrency blockchains. A blockchain is a cryptocurrency “wallet”, each digital coin has its own different and unique blockchain, and Poly Network aims to converge these with each other.  

The reason the sum of money is described as “defi” is because it was decentralized finance, in other terms a finance within the domain of blockchain cryptocurrency, untethered by a conventional exchange. 

… Or not? 

However, after pulling off the “greatest heist in history”, it seemed the hackers were ready to return the stolen assets a mere few days later.  

Perhaps influenced by the tweet put out by Poly Network urging them to communicate directly, the hackers responded via an embedded transaction to the developer, stating they were “ready to return” the money.  

Once more, Poly Network replied to the message publicly on Twitter, stating “hope you will transfer the assets to the addresses below” and sharing the links. 

On the 12th of August, just two days after their first tweet addressing the hackers, Poly Network confirmed on Twitter that “$342 million […] of assets had been returned […] The remaining is $268M on Ethereum”. 

This attack raises a lot of questions about the nature of cryptocurrency theft and its validity as a criminal enterprise, but also about the dangers it could pose as a purely destructive force if financial gain was removed as the primary driving force. 

Clearly, despite the complexity and success of the pre-planned organized attack on Poly Network, the hackers did not correctly discern the ease with which they would be able to launder and cash out their takings without being detected. Unlike other forms of online theft, cryptocurrency blockchain transactions are very transparent and traceable, and even following this attack, security company SlowMist were able to identify that the $610 million was transferred to three addresses, as well as identifying “the attacker’s mailbox, IP and device fingerprints”. 

Despite this, the suspects have not yet been apprehended, but Poly Network insists they will take legal action. Even though a large sum of the money has now been returned, perhaps due to fear of the authorities closing in, the hacker is yet to return the full amount, and the attack has left many users who have not yet been reimbursed by the site in financial ruin. One user replied to the latest Poly Network tweet stating “how will you return to the victims, I myself lost 152k USD and 8K XMR in Exodus wallet, these were my final savings”. 

A Rising Threat 

As reported by CipherTrace, decentralized finance (defi) related cyberattacks have increased nearly three times in the last 6 months comparatively to the year 2020. This attack did not end in ultimate success for the hacker, who upon realising he could not launder the takings without detection began returning it, but even so, people have been left in financial turmoil as they struggle to reclaim their stolen crypto wallets.  

This raises a very prominent and slightly daunting question – what if a hacker wanted to launch a similar attack, but wasn’t interested in laundering the money at all, simply just to cripple a corporation or create chaos? With such a new and ever evolving landscape such as cryptocurrency, vulnerabilities will be plentiful, and with defi attacks on the rise, it seems this history making heist may have only been the beginning of bigger things to come in the future.