Hacker Partially Returns Money Stolen in Cryptocurrency Heist

The hacker behind the largest cryptocurrency theft ever recorded has paid back nearly half ($260m) of the money to the victim organization, Poly Network.

Earlier this week, it was reported that hackers exploited a vulnerability in Poly Network, a protocol that implements interoperability between different blockchains. The flaw enabled them to change the address of the "keeper role" of a blockchain contract and "construct any transaction at will and withdraw any amount of funds from the contract."

This enabled the hacker to transfer $610m to three different addresses.
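The security lesson in the description above is that a privileged role update (here, whoever the "keeper" is) must never be reachable from a code path that executes untrusted input. The following is an added illustration written for this article, not Poly Network's code and not a reconstruction of its contracts: an assumed, simplified layout with a Vault that releases funds only at the keeper's instruction and a Manager that executes relayed messages as arbitrary (target, calldata) pairs. The vulnerable Manager lets a relayed message call the Vault's own keeper setter; the hardened Manager restricts relayed messages to an allowlist that never includes the contract holding privileged roles. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed, simplified bridge layout for illustration only (not Poly Network's contracts).
// Vault: holds funds, releases them only on the keeper's instruction.
// Manager: executes relayed cross-chain messages as (target, calldata) pairs.

contract Vault {
    address public keeper;   // the only address allowed to release funds
    address public manager;  // the only address allowed to rotate the keeper

    constructor(address _keeper, address _manager) {
        keeper = _keeper;
        manager = _manager;
    }

    // Privileged role rotation. Restricting it to `manager` is only safe if the
    // manager itself cannot be steered by untrusted input (see ManagerVulnerable).
    function setKeeper(address newKeeper) external {
        require(msg.sender == manager, "not manager");
        keeper = newKeeper;
    }

    function release(address payable to, uint256 amount) external {
        require(msg.sender == keeper, "not keeper");
        to.transfer(amount);
    }

    receive() external payable {}
}

// VULNERABLE: executes any relayed message against any target. If this contract is
// the Vault's `manager`, a relayed message with
//   target = address(vault)
//   data   = abi.encodeWithSelector(Vault.setKeeper.selector, attacker)
// installs the attacker as keeper, after which release() drains the Vault at will.
contract ManagerVulnerable {
    function execute(address target, bytes calldata data) external {
        // Relayed-message validation omitted: the flaw exists even if every
        // message is authentic, because the message content chooses the target.
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED: relayed messages may only reach an allowlisted set of application
// contracts, maintained by a separate governance address. The Vault must be
// deployed with `_manager = governance`, and must never be added to the allowlist,
// so no relayed message can reach setKeeper().
contract ManagerHardened {
    mapping(address => bool) public allowedTarget;
    address public immutable governance;

    constructor(address _governance) {
        governance = _governance;
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == governance, "not governance");
        allowedTarget[target] = allowed;
    }

    function execute(address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The design point is separation of authority: the contract that executes attacker-influenced messages should have no standing to change who holds privileged roles, and the allowlist makes that separation explicit and auditable rather than relying on every message being well-formed.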

Poly Network took to Twitter after the incident to urge the attackers to return the money, stating: "We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of cryptocurrency members, hence the people.

"You should talk to us to work out a solution."

The hacker subsequently posted a three-page 'Q&A' in which they provided more details on how they carried out the heist and claimed to have ethical motives, stating it was "always the plan" to return the funds and that they were "not very interested in money." The hacker added: "I know it hurts when people are attacked, but shouldn't they learn something from those hacks?"

Poly Network has since revealed that $260m of "assets" have been returned across three chains: $3.3m on Ethereum, $256m on Binance Smart Chain and $1m on Polygon. However, $269m on Ethereum and $84m on Polygon have still not been recovered.

Commenting on the story, Arseny Reutov, head of the application security research team at Positive Technologies, said, "When such a massive hack occurs, everyone's attention is fixed on a particular cryptocurrency address. Although DeFi is non-custodial, some protocols can blacklist any address, for example, USDT stablecoin, which blacklisted the attacker's address preventing him or her from moving the funds. 

"Withdrawing such a large amount of money is a challenge in cryptocurrency. Although there are some cryptocurrency mixers that can complicate the tracking of the funds, it appears the hacker quickly realized he or she didn't have a plan for this, which likely led to the decision to transfer the stolen funds back."

Speaking to Infosecurity, BitK, technical ambassador at crowdsourced bug bounty platform YesWeHack, provided more insights into the possible motives of the hacker: "Incidents in which a hacker steals money, or cryptocurrency in this instance, and then returns what they stole are not something you see every day. It's clear the hacker intentionally targeted Poly Network and found a bug to exploit to their advantage. Whether they did this as a publicity stunt or to make a huge fortune is up for debate. There is no real way of knowing whether the intention was always to return the funds or if legal threats pressured them into doing so.

"For businesses looking to avoid falling into the same predicament as Poly Network, one strong preventive method would be to work with ethical hackers in the context of a bug bounty program. This enables companies to identify flaws in advance, and thus prevent a malicious hacker from finding and exploiting them. However, in cases such as this which involve large sums of money or cryptocurrency, the bounty offered by the organization would have to be substantial enough to encourage the best hackers to participate and deter them from illegally taking the jackpot."
