Poly Network Suffers Major Crypto Heist, Hackers Haul Away USD 600 Million!

It’s no surprise that cybercriminals are working their fingers to the bone to gain ground in cyberspace. Fanning the flames is the COVID-19 pandemic, which has become fertile ground for malicious actors to perpetrate their attacks.

Ransomware attacks on Kaseya, meat giant JBS and Colonial Pipeline are some of the most notorious works of cybercriminals amid the pandemic. And they are pulling out all the stops to gain worldwide notoriety.

Recently, cybercriminals exploited a vulnerability in Poly Network, a cross-chain decentralized finance (DeFi) firm specializing in cryptocurrency transfers. The hackers hauled away digital coins worth USD 600 million in what appears to be one of the biggest cryptocurrency heists ever.

“After the preliminary investigation, we located the cause of the vulnerability. The hacker exploited a vulnerability between contract calls,” said Poly Network.

The company uses contract calls to transfer assets between different blockchains.

Biggest in Crypto History!

In the tweet addressing the hackers, Poly Network said, “The amount of money you hacked is the biggest in defi history.”

Notably, the stolen assets of Poly Network far outstripped the entire criminal losses of USD 474 million registered by the DeFi sector between January and July 2021.

The theft even surpassed the record USD 530 million worth of digital coins stolen from Tokyo-based exchange Coincheck in 2018.

The Poly Network crypto heist comes at a time when losses from fraud in the DeFi sector have hit an all-time high, according to crypto intelligence company CipherTrace.

The Strong Retort!

When it learned about the attack, Poly Network didn’t retreat. Instead, the company retorted firmly.

In its message to the hackers, the DeFi organization threatened legal action and urged them to return the assets.

“We will take legal actions, and we urge the hackers to return the assets,” tweeted Poly Network.

“Law enforcement in any country will regard this as a major economic crime, and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people,” warned the company.

However, Poly Network offered the hackers the chance to hammer out a solution.

“You should talk to us to work out a solution,” said the crypto firm.

The DeFi platform also publicized addresses used by the hackers and alerted the “miners of affected blockchain and crypto exchanges to blocklist tokens” coming from them.

Benevolent or Timid?

In a strange turn of events, the attacker has initiated the return process.

Sending a message embedded in a cryptocurrency transaction to Poly Network, the hacker said he was “ready to return” the funds.

Without further ado, the company responded, requesting the transfer of assets to three crypto addresses.

So far, the hacker has returned USD 342 million. Another USD 268 million is pending.

“USD 342 million of assets had been returned – Ethereum: USD 4.6M, BSC: USD 252M, and Polygon: USD 85M. The remaining is USD 268M on Ethereum,” tweeted Poly Network.

Though the hacker, dubbed Mr. White Hat by the company, has transferred almost all of the haul, the last USD 268 million of assets has been transferred to a multi-signature wallet. A multisig wallet is an account that requires passwords from both parties, in this case the hacker and Poly Network.

“As our communication with Mr. White Hat is going on, the remaining user assets on Ethereum are gradually transferred to the multi-signature wallet requested by Mr. White Hat,” tweeted Poly Network.

“All the remaining user assets on Ethereum had been transferred to the multi-signature wallet controlled by Mr. White Hat and Poly Network team,” reiterated the DeFi company.

A USD 500K Bounty!

After recovering almost all of its lost assets, Poly Network offered the hacker a USD 500,000 bug bounty.

Thanking Mr. White Hat for his cooperation, the network also hoped that the hacker would contribute to the blockchain industry’s development upon accepting the reward.

However, the company didn’t specify the form in which it would pay the bounty amount.

Just for Fun!

A hacker claiming to be behind the Poly Network attack said he did it “for fun” and wanted to “expose the vulnerability” before anyone could exploit it, according to the crypto tracking firm Elliptic.

“It was always the plan to return the tokens. I am not very interested in money,” wrote the purported hacker.

However, Tom Robinson, Co-founder of Elliptic, said that the hacker had returned the money because of the difficulties in laundering stolen crypto assets of such volume.

“Even if you can steal crypto assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain and the broad use of blockchain analytics by financial institutions,” opined Robinson.

“In this case, the hacker concluded that the safest option was just to return the stolen assets.”

Long-planned, Organized Attack

Researchers at security company SlowMist said that the hack was “likely to be a long-planned, organized and prepared attack.”

Once the attack came to light, the SlowMist security team immediately started tracking possible identity clues related to the hackers.

SlowMist said that its researchers “have grasped the attacker’s mailbox, IP, and device fingerprints” and are “tracking possible identity clues related to the Poly Network attacker.”

The security team even discovered that the attacker’s “initial source of funds was Monero (XMR), which was then exchanged to BNB / ETH / MATIC on the exchanges.”
