On August 10, a cyberattack on the decentralized finance platform Poly Network resulted in more than $600 million worth of cryptocurrency being stolen, in what is considered one of the biggest crypto heists of all time. While security experts were still trying to figure out what had happened, Poly Network disclosed the attack on Twitter the next day and even asked the hacker to return the stolen assets. In a strange turn of events, the hacker returned nearly all of the stolen amount, claiming not to be interested in the money and to have done it for fun.
What is Poly Network?
Decentralized Finance (DeFi) platform Poly Network is a protocol launched by the Chinese network Neo and uses peer-to-peer networking to allow users to transact across multiple blockchains. A decentralized finance system makes this easier since there are no intermediaries or middlemen. In addition to lending, exchanging, and borrowing money, DeFi also allows people to trade digital currencies, speculate on the stock market, and earn interest, all without a financial intermediary such as a bank or brokerage.
Poly Network was developed in an effort to create the next generation of internet infrastructure by facilitating interoperability among many blockchains. It has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain into its ecosystem, with more on the way.
Poly Network’s message to the hacker stated that the amount of money stolen in this heist was the biggest ever in the history of decentralized finance.
How and why was the hack executed?
In essence, Poly Network’s platform facilitates movement between multiple blockchains when people trade one cryptocurrency for another. In other words, it allows users to swap tokens between various blockchains through peer-to-peer networking.
BlockSec, a blockchain security company based in China, says the hack was initiated with a leaked private key that was used to sign the cross-chain message. According to their initial attack analysis report, another possible cause is a bug in Poly’s signing mechanism, which may have been “abused” to sign the message. Because DeFi runs on code, it is not surprising that the code has bugs. Although it is possible to write bug-free code, doing so is very challenging and expensive.
As a form of self-interview, the hacker also created a three-page Q&A session in which he explained he always intended to return the tokens and said he only intended to reveal weaknesses in the Poly Network software through the hack.
In addition, he claimed he spent the entire night looking for a weakness to exploit. To make a point, the hacker took millions of dollars in cryptocurrency tokens so that Poly Network could not patch the security flaw silently.
How much was stolen in the hack?
Poly Network was attacked on three blockchains: Ethereum, Binance Smart Chain, and Polygon. According to blockchain security firm SlowMist, the attackers initially held Monero funds but later switched to BNB, ETH, and MATIC. SlowMist also reported that, based on the combined flow of funds and multiple pieces of fingerprint information, the heist was likely a long-planned, organized, and prepared attack.
In total, at least $611 million in funds were stolen, as follows:
- $273 million on Ethereum
- $253 million on BSC
- $85 million on Polygon
Among the stolen assets were cryptocurrencies, stablecoins, and other tokens. Because stablecoins have a built-in failsafe that permits their issuers to freeze certain accounts, Tether was one of the first to respond to Poly Network’s call for help when it asked exchanges and miners to freeze addresses and prevent the attackers from moving stolen funds. Just before the attacker tried to launder USDT through the DeFi platform Curve, Tether froze about $33 million worth of USDT on Ethereum.
Why was the stolen money returned?
The Poly Network attack comes at a time when fraud and theft related to DeFi are at an all-time high. Poly Network’s open message to the hacker said: “Law enforcement in any country will regard this as a major economic crime, and you will be punished.” Legal processes have accelerated globally in order to recover lost or stolen assets, and with new legislation, there seem to be fewer places for hackers to hide.
According to Tom Robinson, co-founder of Elliptic, the difficulties involved in laundering stolen crypto on such a large scale may have influenced the hacker’s decision to return the money. “Even if you can steal crypto-assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain and the broad use of blockchain analytics by financial institutions,” said Robinson.
Additionally, because blockchain technology allows everyone to see how money moves across the network, it is difficult for cybercriminals to profit from stealing digital currency. “I wonder whether this hacker stole the funds, realized how much publicity and attention they were getting, realized wherever they moved the funds they would be watched and decided to give it back,” Mr. Robinson said.
These reasons may well have been what prompted the hacker to return a large part of the stolen assets, if not the entire sum. The day after the hack, the hacker began publishing messages by sending transactions to himself (from the Ethereum account where some of the stolen assets were held). Most notably, one message stated: “READY TO RETURN THE FUND!”
In response, Poly Network requested that the hacker return the funds to three accounts – one on each of the affected blockchains.
Except for $33 million in USDT that was frozen by Tether, all the stolen funds have been returned as of the time of writing.
Disclaimer: Cryptocurrency is not a legal tender and is currently unregulated. Kindly ensure that you undertake sufficient risk assessment when trading cryptocurrencies as they are often subject to high price volatility. The information provided in this section doesn't represent any investment advice or WazirX's official position. WazirX reserves the right in its sole discretion to amend or change this blog post at any time and for any reasons without prior notice.