It’s estimated that over $600 million worth of cryptocurrency has been stolen as the result of a hack on a protocol called the Poly Network. And now, whoever stole it seems to be in the process of returning it, according to CNBC and Chainalysis. According to Bloomberg, it’s quite possibly one of the largest hacks in the decentralized finance, or DeFi, space.
The Poly Network is a protocol that lets people transfer cryptocurrencies between blockchains. And because of that role as a bridge, the stolen assets come in the form of hundreds of different types of tokens — from Ethereum to Binance’s BNB to Dogecoin.
The Poly Network cites the massive amount of money stolen in a message to the hacker, which it posted on Twitter. The message begins “Dear Hacker” and goes on to talk about how the attacker would be in trouble with law enforcement for stealing from “the people.”
The message may have worked. The hacker posted a string of messages (by embedding text in transactions sent to themselves), saying they were ready to return the stolen funds but needed some way to send them back to Poly Network. Poly Network provided addresses to send the crypto to, and the coins have started to flow.
As of 10AM ET on Wednesday, around $5 million has been returned, but it seems that the attacker is getting rid of the lower-value cryptos first. They embedded a message saying they were “DUMPING SHITCOINS FIRST.”
There have been multiple theories about how the attack was carried out. One security team says that, according to its initial analysis, either the attacker was able to sign transactions with a legitimate private key or they were able to exploit a bug to get a message signed. Poly Network has pushed back on that analysis, saying the attackers exploited an interaction between two contracts. Poly Network pointed to another security firm’s research that found similar results. Chainalysis has said that it will post a full analysis today.
It’s likely that we won’t know what really happened until a more thorough investigation has been done, and we won’t know how much the hacker actually got away with. It’s possible the crypto community will rally to blacklist the stolen tokens, making them essentially worthless — it’s already been done for around $33 million worth of tokens, but it wouldn’t be so easy for the rest of them. According to The Block, the frozen assets were USDT coins, which are under the control of a company called Tether. A lot of the other stolen coins, though, are decentralized — meaning no one entity can decide what can or can’t happen with them, and there are no promises as to what the community will decide to do.
There’s also the question as to why the attacker has started returning the funds. Yesterday, they posted a message that read, in part, “not so interested in money, now considering returning some tokens or just leaving them here.” Since then, they’ve posted a message saying that returning the money (or saving the world, as they put it) will make them “an eternal legend.” But another message they posted, asking for donations from those who support their decision to return the funds, calls the “not so interested in money” thing into question. Perhaps they’re simply returning the funds out of fear that they wouldn’t be able to use them, or they got tired of the hundreds of people begging for a Robin Hood-esque redistribution.