A hacker pulled off one of the biggest cryptocurrency heists in history by transferring $831 million worth of cryptocurrency off the Poly Network platform, only to start giving the assets back the next day.
Poly Network announced the attack on Tuesday night, saying it had been attacked on the Binance Smart Chain, Ethereum, and Polygon networks, tweeting the addresses the hacker transferred the nearly $1 billion worth of cryptocurrency to.
“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” Poly Network said in a twitter thread.
“We will take legal actions and we urge the hackers to return the assets.”
Poly Network is a decentralised finance (DeFi) platform designed to enable cryptocurrency transfer across different blockchains.
But the race was quickly on as the attacker tried to move large sums of stolen money through the cryptosphere, all while the crypto community carefully watched transactions take place over the public blockchain for anyone to see.
The hacker even bought a Cryptopunk NFT for 42,000 ETH (over $180 million).
Poly pleaded with the attacker to give the money back, posting an open letter that comically began with “Dear Hacker”.
“The amount of money you hacked is the biggest one in the defi [sic] history,” the letter said.
“Law enforcement in any country will regard this as a major economic crime and you will be pursued.
“The money you stole are from tens of thousands of crypto community members, hence the people”.
— Poly Network (@PolyNetwork2) August 10, 2021
Tether, the company operating stablecoin USDT, heeded Poly Network’s call and blacklisted the wallet addresses of what blockchain scanning websites had labeled the PolyNetwork Exploiter, just as they were transferring around $40 million into the distributed exchange, Curve.
Seeing the blacklist happen, a cryptocurrency user named Hanashiro sent a blank Ethereum transaction to the Exploiter warning: “don’t use your USDT Token, you’ve got [sic] blacklisted”.
Half an hour later, the hacker sent Hanashiro 13.37 ETH (worth around $57,000) as a thank you – some of which Hanishiro then sent to charity organisations like Archive.org.
That led to a flurry of activity on the Ethereum network as other would-be accomplices began sending messages to the account of the hacker, ranging anywhere from money laundering advice to pleas for some charity from the Exploiter.
A massive cryptocurrency heist
Successive analyses of the attack from BlockSec explained how the PolyNetwork Exploiter used malicious cross-chain transactions to trigger functions to gain public key addresses, bypass verification processes, and siphon the mass of cryptocurrency from PolyNetwork.
By Wednesday afternoon, the attacker had just under $670 million still sitting in three addresses on the Ethereum, Binance Smart Chain and Polygon networks.
Most of that money was in the form of cryptographic tokens typically used in distributed finance and included: $123 million in Ethereum, $115 million in USDC, $113 million in Binance-Peg ETH, $63 million in Wrapped BTC, $62 million in Binance-Peg BTCB, $44 million in USDT, and $2.7 million worth of the meme coin Shiba Inu.
It was an unbelievable haul, and the Exploiter was seemingly at a loss for what to do with it all.
“It would have been a billion hack if I had moved remaining shitcoins,” the Exploiter said in a message encoded in an Ethereum transaction, referring to small-capitalisation cryptocurrency tokens commonly known as ‘shitcoins’.
“Not so interested in money, now considering returning some tokens or just leaving them here.”
They even considered creating a distributed autonomous organisation (DAO) to let the public decide how to spend the money, all the while printing their thought process on the indelible Ethereum blockchain.
“What if I make a new token and let the DAO decide where the tokens go?” the hacker asked in one Ethereum transaction.
But before long, the fun was over and the Exploiter said they were “ready to return the fund [sic]”.
Come Thursday morning, the Exploiter had emptied their Binance Smart Chain and Polygon wallets and Poly Network had confirmed the return of $350 million worth of assets.
$260 million (As of 11 Aug 04:18:39 PM +UTC) of assets had been returned:
— Poly Network (@PolyNetwork2) August 11, 2021
Ethereum: $3.3M
BSC: $256M
Polygon: $1M
The remainings are $269M on Ethereum, $84M on Polygon
The attacker said it never asked for bounty from Poly Network and all the communication between the parties took place through blockchain transactions.
Ask a hacker anything
With the attack over, and $350 million back in the hands of Poly Network, the Exploiter started a question and answer session through the Ethereum blockchain.
They explained how they orginally planned a larger take-over attack but couldn’t make a proper test environment.
While testing, some of the blockchain’s relay systems didn’t work as intended, ruining their plan for a “cool blitzkrieg”.
“I should have stopped at that moment, but I decided to let the show go on,” the hacker said.
They said they had “mixed feeling[s]” after initially spotting the bug in Poly Network’s code.
“Ask yourself, what [would you] do had you [faced] so much fortune? [Ask] the project team politely so that they can fix it?
“I can trust nobody! The only solution I can come up with is saving it an a trusted account while keeping myself anonymous and safe."
The Poly Network Exploiter said the attack was an important lesson for the cryptocurrency community: “you can trust nobody but the code and yourself”.