A hacker stole over $600 million of crypto coins — now they might be giving it back

Illustration by Alex Castro / The Verge

It’s estimated that over $600 million worth of cryptocurrency has been stolen as the result of a hack on a protocol called the Poly Network. And now, whoever stole it seems to be in the process of returning it, according to CNBC and Chainalysis. According to Bloomberg, it’s quite possibly one of the largest hacks in the decentralized finance, or DeFi, space.

The Poly Network is a protocol that lets people transfer cryptocurrencies between blockchains. And because of that role as a bridge, the stolen assets come in the form of hundreds of different types of tokens — from Ethereum to Binance’s BNB to Dogecoin.

The Poly Network cites the massive amount of money stolen in a message to the hacker, which it posted on Twitter. The message begins “Dear Hacker” and goes on to talk about how the attacker would be in trouble with law enforcement for stealing from “the people.”

The message may have worked. The hacker posted a string of messages (by embedding text in transactions sent to themselves), saying they were ready to return the stolen funds but needed some way to send them back to Poly Network. Poly Network provided addresses to send the crypto to, and the coins have started to flow.

As of 10AM ET on Wednesday, around $5 million have been returned, but it seems that the attacker is getting rid of the lower-value cryptos first. They embedded a message saying they were “DUMPING SHITCOINS FIRST.”

There have been multiple theories about how the attack was carried out. One security team says that, according to its initial analysis, either the attacker was able to sign transactions with a legitimate private key or they were able to exploit a bug to get a message signed. Poly Network has pushed back on that analysis, saying the attackers exploited an interaction between two contracts. Poly Network pointed to another security firm’s research that found similar results. Chainalysis has said that it will post a full analysis today.

It’s likely that we won’t know what really happened until a more thorough investigation has been done, and we won’t know how much the hacker actually got away with. It’s possible the crypto community will rally to blacklist the stolen tokens, making them essentially worthless — it’s already been done for around $33 million worth of tokens, but it wouldn’t be so easy for the rest of them. According to The Block, the frozen assets were USDT coins, which are under the control of a company called Tether. A lot of the other stolen coins though, are decentralized — meaning no one entity can decide what can or can’t happen with them, and there are no promises as to what the community will decide to do.

There’s also the question as to why the attacker has started returning the funds. Yesterday, they posted a message that read, in part “not so interested in money, now considering returning some tokens or just leaving them here.” Since then, they’ve posted a message saying that returning the money (or saving the world, as they put it) will make them “an eternal legend.” But another message they posted, asking for donations from those who support their decision to return the funds, calls the “not so interested in money” thing into question. Perhaps they’re simply returning the funds out of fear that they wouldn’t be able to use them or they got tired of the hundreds of people begging for a Robin Hood-esque redistribution.

Comments

This is fishy as hell. Must be some agenda at play. Maybe to vilify decentralized coins? "Oh look, the coins with admin keys were able to be blacklisted and/or returned by the kind hacker, but those evil decentralized coins were dumped for profit."

Honestly though, just a guess. Who knows what is going on.

Will be pleasantly surprised if they end up returning the full amount, but $5 million returned is hardly noticeable considering the $600 million they got away with.

Inside job. What company makes a public plea to return stolen goods after they’ve been robbed? And what hacker gives the money back?

When was the last time a bank was robbed of $600 Million dollars? Answer: never. It’s been obvious for a long time that crypto is easier to steal than the money in a bank account. It also obvious that these crypto ponzi schemes have a few more years left in them.. Oh well it’s good enough news for now…

Probably because a lot of "money" in banks is fake, make-believe money that is nothing other than an entry in a ledger… money printer go brrrrrr

You know what banks are famous for? Facilitating money laundering (10 billion in fines on US banks alone in 2020… and that’s only the amounts they could find) AND getting hacked and losing customers’ personal data.

Probably because a lot of "money" in banks is fake, make-believe money that is nothing other than an entry in a ledger… money printer go brrrrrr

Oh man, wait until you hear about how all these cryptocurrencies are created…

All currency, even when it’s backed by a "precious" metal, only has whatever value we as society ascribe to it. Out of all the (decent) reasons to be against the modern banking system, this ain’t it.

Banks had fines " failure to adhere to anti-money laundering protocols was the leading violation.." You picked an ironic example of why you hate banks, given that crypto is used almost exclusively for money laundering and gambling???? Enjoy your ponzi scheme… Bernie Madoff’s scheme lasted almost 20 years before it crumbled … the fact is: there is no problem in the world’s financial system that crypto solves… but if you like gambling (gaming as they say in Vegas) then crypto is as good as roulette…. Soon enough the Federal Govt. is going to get directly involved in the crypto business and start taxing and regulating the gambling and the money laundry… That is the good news..

I don’t think he’ll send back all the money. Send back a small part to have time to find a way out (to be able to use them in own interest)

View All Comments
Back to top ↑