The hacker behind the largest cryptocurrency theft ever recorded has paid back nearly half ($260m) of the money to the victim organization, Poly Network.
Earlier this week, it was reported that hackers had exploited a vulnerability in Poly Network, a company that implements interoperability between different blockchains. The vulnerability enabled them to change the address of the “keeper role” of a blockchain contract and “construct any transaction at will and withdraw any amount of funds from the contract.”
This enabled the hacker to transfer $610m to three different addresses.
Following the incident, Poly Network took to Twitter to urge the attackers to return the money, stating: “We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole are from tens of thousands of crypto currency members, hence the people.
“You should talk to us to work out a solution.”
The hacker subsequently posted a three-page ‘Q&A’ in which they provided more details on how they carried out the heist and claimed to have ethical motives, stating it was “always the plan” to return the funds and that they were “not very interested in money.” The hacker added: “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
Poly Network has since revealed that $260m of “assets” have been returned via three types of cryptocurrencies: $3.3m worth of Ethereum, $256m worth of Binance Coin and $1m worth of Polygon. However, $269m worth of Ethereum and $84m worth of Polygon are still not recovered.
Commenting on the story, Arseny Reutov, head of the application security research team at Positive Technologies, said: “When such a massive hack occurs, everyone’s attention is fixed on a particular cryptocurrency address. Although DeFi is non-custodial, some protocols can blacklist any address, for example, USDT stablecoin, which blacklisted the attacker’s address preventing him or her from moving the funds.
“Withdrawing such a large amount of money is a challenge in cryptocurrency. Although there are some cryptocurrency mixers that can complicate the tracking of the funds, it appears the hacker quickly realized he or she didn’t have a plan for this, which likely led to the decision to transfer the stolen funds back.”