Cryptocurrency heist hacker returns $260m in funds

The hacker behind one of the largest ever cryptocurrency heists has returned almost half of the $600m (£433m) stolen assets.

Yesterday, blockchain platform Poly Network wrote a letter on Twitter, asking the individual to get in touch “to work out a solution”.

The website said the amount of money hacked was “biggest” incident so far in the decentralised finance industry.

But at 18:28 BST on Wednesday, Poly Network said it had received $260m.

Poly Network posted on Twitter that it had been sent digital tokens relating to three crypto-currencies, including $3.3m worth of Ethereum, $256m worth of Binance Smart Chain (BSC) and $1m worth of Polygon.

A total of $269m in Ethereum tokens and $84m in Polygon tokens has yet to be recovered.

Messages on the blockchain

The hacker also took to one of the blockchains to publish a three-page-long Q&A session, where he essentially “interviewed himself”, according to Tom Robinson, co-founder of Elliptic, a London-based blockchain analytics and compliance firm.

The hacker said that he decided to return the stolen assets because he is “not very interested in money”.

“I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” he wrote in the notes posted to the blockchain.

The hacker added that it had taken him all night to find a vulnerability to exploit. He said he was worried that Poly Network would patch the security flaw quietly without telling anyone, so he decided to take millions of dollars in cryptocurrency tokens to make a point.

But he stressed that he did not want to cause a “real panic [in] the crypto-world”, so he only took “important coins”, leaving behind Dogecoin, the cryptocurrency that started off as a joke.

“Either they just intended to commit theft and steal the assets, or they were acting like a white hat hacker to expose a bug, to help Poly Network make themselves more strong and secure,” Mr Robinson, who routinely advises governments and law enforcement agencies about crypto-related crimes, explained to the BBC.

He added that the nature of blockchain technology makes it hard for cyber-criminals to profit from stealing digital currencies, because everyone can see the money being moved across the network into the hackers’ wallets.

“I wonder whether this hacker stole the funds, realised how much publicity and attention they were getting, realised wherever they moved the funds they would be watched, and decided to give it back,” said Mr Robinson.

“The blockchain itself has operated here flawlessly, but the problem is on blockchains like Ethereum, you can write your own smart contracts. Various services have started offering this, including Poly Network.

“So whenever a human being writes code, there’s a chance they will make a mistake.”

How it works

A blockchain is a ledger, or log, of every single transaction made of a cryptocurrency, such as Bitcoin. The ledger is distributed to all the users in the network to verify all new transactions when they occur, instead of being held by any one single authority.

Poly Network’s platform works by facilitating movement between several blockchains when people trade one crypto-currency for another, such as trading BSC for Ethereum.

“The Poly Network is the thing that facilitates the movement between these chains – ultimately, it’s software, it’s code, and code always has imperfections and defects in it,” James Chappell, co-founder of London-based cyber-security firm Digital Shadows told the BBC.

“And that’s true of banks, or any financial system. Unfortunately, what seems to have happened here is a party has spotted a weakness in the implementation and exploited it to fool the network into transferring these tokens incorrectly.”

Similar attacks to the Poly Network case have occurred in the last 12 months to several other services, including Yearn Finance, which had $11m stolen by hackers in February; Alpha Finance, which had $37m stolen in the same month; and Meerkat Finance, which was drained of $32m by hackers in March.

What a rollercoaster 24 hours for the crypto community.

As the hacker posted online: “The pains suffered is temporary but memorable.”

The hacker’s, or hackers’, claim that it was all an elaborate way to force Poly Network to fix security failings is being treated with scepticism.

Why the taunting and boasting online, if the motive was honourable?

There’s some suggestion that the net may have been closing in, as one cyber-security company says it was close to working out the identity of the cyber-criminal.

It might have been the case that the hacker bit off way more than they could chew and got scared, so returned the money.

The authorities will still no doubt be working hard to capture them, regardless of the swift refund.

But what this story mostly points to is just how powerful hackers can be and how powerless the unregulated, decentralised cryptocurrency network is when someone swipes a large fortune from under its nose.