The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”
Poly Network first disclosed the hack on Tuesday, saying that the hacker, or hackers, had stolen crypto coins worth about $600 million at the time of the heist. The thousands of tokens included $270 million on the Ethereum blockchain, $250 million on the Binance Smart Chain, $84 million on the Polygon network, and a smattering of other smaller coins, like Tether, Shiba Inu, and Matic.
Poly Network operates a platform that allows people to move tokens between different blockchains, using smart contracts that help to automate the process. The hacker exploited a vulnerability in one of Poly Network’s smart contracts, the company said in a tweet. That smart contract required a large amount of liquidity so that transactions between different blockchains could be completed quickly and efficiently.
How and why
The hacker apparently exploited a flaw in the way a Poly Network contract verified and executed cross-chain transactions: a transaction that passed the contract's checks could be pointed at the contract holding the list of trusted "keeper" public keys, replacing that list with keys whose private halves the hacker controlled, according to an analysis of the hack tweeted by Kelvin Fichter. Once those keys were changed, the hacker could authorize transfers of the locked funds to personal wallets.
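The mechanism described above, as an added toy model that is not the article's or Poly Network's code: a relay contract executes any cross-chain message that carries enough keeper signatures, and because the same relay is the owner of the contract that stores the keeper keys, a relayed message can rewrite the trusted key list. The contract names (KeeperStore, Vault, Relay), the message layout, and the string-named "signatures" are assumptions made for the illustration; the hardened variant simply refuses to dispatch a relayed message to the key store.

```python
# Added illustration, not code from the article or from Poly Network: a toy
# model of the key-replacement attack. The contract names (KeeperStore, Vault,
# Relay), the message layout and the signature scheme (signers named by
# string) are assumptions made for the illustration.
from dataclasses import dataclass


class KeeperStore:
    """Stores the public keys whose signatures the relay trusts."""

    def __init__(self, keepers):
        self.keepers = set(keepers)
        self.owner = None          # only the owner may rewrite the key list

    def set_keepers(self, caller, new_keepers):
        if caller is not self.owner:
            raise PermissionError("only the owner may change the keeper list")
        self.keepers = set(new_keepers)


class Vault:
    """Holds locked tokens; only the relay may order an unlock."""

    def __init__(self, relay, balances):
        self.relay = relay
        self.balances = dict(balances)

    def unlock(self, caller, to, amount):
        if caller is not self.relay:
            raise PermissionError("only the relay may unlock funds")
        self.balances["vault"] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


@dataclass
class Message:
    """A cross-chain message: who signed it and what it asks the relay to do."""
    signers: set
    target: object
    method: str
    args: tuple


class Relay:
    """Executes any cross-chain message that carries enough keeper signatures."""

    def __init__(self, store, hardened=False):
        self.store = store
        self.hardened = hardened

    def verify(self, msg):
        # A majority of the *current* keeper set must have signed.
        keepers = self.store.keepers
        return len(msg.signers & keepers) * 2 > len(keepers)

    def execute(self, msg):
        if not self.verify(msg):
            return False
        # Hardened variant: a relayed message must never administer the
        # contract that decides whose signatures are trusted.
        if self.hardened and msg.target is self.store:
            return False
        getattr(msg.target, msg.method)(self, *msg.args)
        return True


def run_scenario(hardened):
    """Replay the attack against a vulnerable or a hardened relay."""
    store = KeeperStore({"k1", "k2", "k3", "k4"})
    relay = Relay(store, hardened=hardened)
    store.owner = relay        # the relay administers the key list: the fatal coupling
    vault = Vault(relay, {"vault": 1000, "attacker": 0})
    honest_keepers = set(store.keepers)

    # Step 1: keepers attest that the message exists on the source chain;
    # they do not inspect what it will make the destination contract do.
    evil = Message(signers=honest_keepers, target=store,
                   method="set_keepers", args=(["attacker"],))
    keys_replaced = relay.execute(evil)

    # Step 2: once only the attacker's key is trusted, the attacker alone
    # can authorise unlocking the vault.
    drain = Message(signers={"attacker"}, target=vault,
                    method="unlock", args=("attacker", 1000))
    drained = relay.execute(drain)
    return {"keys_replaced": keys_replaced, "drained": drained,
            "attacker_balance": vault.balances["attacker"]}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Running the script shows the vulnerable relay letting the keeper list be replaced and the vault drained, while the hardened relay blocks the first message and so leaves the attacker's lone signature insufficient for the second. The deeper design lesson the model makes visible is the confused-deputy coupling: the component that executes untrusted messages should never hold administrative rights over its own trust anchor, regardless of how the message is verified.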
In an exclamation point-laden, all-caps Q&A found within one of the transactions, the hacker gave some insight into the motivation behind the hack. (We cannot verify the authenticity of the statements, though one expert said they were linked to the hacker’s account. Also, we’ve changed the passages to sentence case to make them more readable.) “When spotting the bug, I had a mixed feeling,” the hacker wrote. “Ask yourself what [would you] do had you fac[ed] so much fortune. Ask the project team politely so that they can fix it? Anyone could be the traitor given one billion!”
The hacker also gave a reason for returning the funds, claiming, “That’s always the plan! I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
The hacker wasn't going to pass up some extra cash, of course. “In the meanwhile, depositing the [stable coins, like Tether,] could earn some interest to cover potential cost so that I have more time to negotiate with the Poly team,” the hacker said.
Shortly after Poly Network revealed the breach, it posted a note to the hacker on Twitter. “The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions.”
This negotiating tactic—along with Tether freezing $33 million of its coins on Poly Network—seems to have worked. The difficulty in moving that amount of cryptocurrency anonymously likely also posed a challenge for the hacker, said Joel Kruger, a currency strategist at LMAX Group, to The Wall Street Journal. “You’re going to have to find a way to get it out to cash in—it becomes a greater impossibility given how things are tracked from wallet to wallet and exchange to exchange,” he said.
Less than a day after the note was posted, the hacker began sending the stolen cryptocurrency back to the company.
In the Q&A, the hacker attempted to pose as a white hat, writing, “I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP, or so called fingerprint, which were untracable [sic].”
The hacker capped off the answer with what may be a sarcastic wink at the crypto community: “I prefer to stay in the dark and save the world.”