Yesterday, one of the largest cryptocurrency heists in history punctured through the defenses of a large blockchain site and stole over $600 million (£433 million).
According to an analysis by Slow Mist and verified by Poly Network (the site that was hacked), the attack exploited a vulnerability allowing them control over a large amount of cryptocurrency – including Ethereum, Bitcoin, and Polygon. They were then able to direct large sums to an address of their choice.
As it stands, this attack was one of the largest in decentralized finance history, and Poly Network posted a plea to Twitter urging the attackers to return the sum.
“Dear Hacker,” the team posted to Twitter.
“We want to establish communication with you and urge you to return the hacked assets. The amount of money you have hacked is one of the biggest in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions,”
"The money you stole are from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution.”
Seems like a long shot, right? Well, somehow, it actually worked.
On Wednesday, Poly Network began stating they were receiving large sums of crypto back. So far, $342 million (£247 million) has been recovered into designated accounts released by the team for the hacker to deposit the stolen assets back into. The vast majority of the stolen assets returned so far was in Bitcoin, with $252 million worth returned, and an outstanding amount of $268 million worth of Ethereum remains unaccounted for.
The vulnerability has been fully identified by Poly Network. They and other experts have made it clear it was not a leak of private information that allowed the hacker access, but an exploit within contracts that the hacker used to change keepers of the cryptocurrency.
Perhaps even more surprising, the hacker then released a Q&A embedded in etherium transactions in which they explained their rationale, as well as why they returned the money.
In response to the question “Why returning [the money]?”, the hacker explained:
“That’s always the plan! I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks? I announced the returning decision before midnight so people who had faith in me should had a good rest."
Why did they do it? "For fun :)," says their reply.