Decentralised finance platform Poly Network was the target in what could be one of the largest cryptocurrency hacks to date, losing $611m to a single attacker — but they might be about to return all of the money.
Poly Network claims to be able to link up different blockchains into one place, so users could send crypto tokens from one network to another. For example, a user could transfer bitcoin to an Ethereum address via its platform.
A hacker allegedly targeted a vulnerability between contracts on the platform’s Poly chain on 10 August, allowing its assets to be redirected to their private crypto address.
Poly Network later put out a call to the hacker to return the funds, which included $273m of Ethereum tokens, $253m in tokens on Binance Smart Chain and $85m in USDC on the Poly chain. The platform said it was the largest DeFi hack ever.
DeFi has become a popular target for hackers as platforms and applications become more widespread, utilising blockchain technology to make general financial activities more efficient and secure.
In the first seven months of 2021, DeFi-related hacks almost tripled compared to the whole of 2020, according to data from CipherTrace, while fraud in the sector accounted for 54% of total crypto fraud volumes.
After a short back and forth between Poly and the hacker via messages sent over Ethereum, several coins have now made their way back to the network.
Poly Network created three addresses for the hacker to send the assets back to, and some have begun to appear. As of 1pm BST on 11 August, the platform said almost $5m had been returned across various tokens.
The return process had begun with a message sent via a token from the hacker to Poly’s designated addresses, which said “the hacker is ready to surrender”.
The news came as blockchain intelligence platform SlowMist said it had found the hacker by tracking their IP and email addresses through the crypto exchange and devices they had used, pinpointing the hacker’s identity several hours after the 10 August exploit.
“This is likely to be a long-planned, organised and prepared attack,” said SlowMist in a post on Chinese social media site Weibo on 10 August, prior to Poly Network’s call-out to the hacker.
Poly Network has also asked platforms originating the stolen tokens to help “blacklist” them. So far only Tether has blacklisted around $33m in stolen USDC, according to Tether’s chief technology officer Paolo Ardoino.
Binance chief executive Changpeng ‘CZ’ Zhao said the platform was trying to freeze assets as they came back onto its exchange, but that the process was difficult.
“We do try to help,” he added in a follow-up tweet on 11 August. “While we can’t freeze funds on blockchains, if those funds land on our [exchange], we will (try to) freeze them. So, we have a lot of blockchain analysis to do. Nothing is easy. We try.”
To contact the author of this story with feedback or news, email Emily Nicolle