Poly Network hacker gave back more than $600 million in stolen crypto

The hacker began returning the funds almost two weeks ago

Illustration by Alex Castro / The Verge

The hacker who stole around $600 million worth of crypto coins from Poly Network has now finished returning them, after starting the process nearly two weeks ago (via CNBC). Poly Network says in a blog post that it’s now beginning the process of returning the stolen assets, which include Ethereum, Binance tokens, and Dogecoin, to their rightful owners. Poly Network says that there’s still work for it to do — it’s working on getting approximately $33 million worth of assets unfrozen and is continuing to restore the functionality of its Poly Bridge service, which lets users transfer crypto between blockchains.

After the attack, the hacker said that he’d stolen the funds to keep them safe, saying that putting the coins in a “trusted account” was a way to highlight the bug without giving someone else the opportunity to make off with them. He’s had a somewhat continuous banter with Poly Network, which even took to calling him “Mr. White Hat” in its series of update notes. Poly Network also invited the hacker to act as the company’s chief security advisor, which the hacker has (seemingly cheekily) acknowledged, signing off a message to the company with “your chief security advisor.” Chainalysis points out that the transparency of blockchain tech can make it difficult to get away with spending stolen funds.

After the hack occurred earlier this month, there was speculation about how the hacker had carried it out, with some analysts suggesting that he had even been able to obtain Poly Network’s private keys. Further analysis seems to show that this wasn’t the case — instead, the hacker was able to exploit a security flaw in the Poly Network that allowed him to execute transactions that he shouldn’t have been able to.

Embedded in one of the final transactions from the hacker is a long note, in which he apologizes for the inconvenience he’s caused, calls the hack and process of returning the funds a “wild adventure,” and promises to return more money than he originally stole (which he requests be distributed to “survivors,” seemingly referring to those who had their money stolen). According to the hacker’s note, the extra funds come from the $500,000 bounty that Poly Network paid him for finding the security flaw, as well as from the stream of donations that he’s received since the hack (and is still receiving, according to his wallet’s transaction records).

Poly Network said in another blog post that it would start a $500,000 bug bounty program to encourage researchers to find (and responsibly disclose) other vulnerabilities in its software. Currently, the company’s bug bounty listing on Immunefi says that the maximum bounty is $100,000.

As for when Poly Network’s users will actually see the returned funds hit their wallets, the company says it’s working on returning them “within the shortest time frame possible.”