Wit - stock.adobe.com

Hacker makes off with $600m in world’s largest crypto-heist

Despite bagging $600m worth of cryptocurrency in what has been described as the biggest decentralised finance hack, the hacker has already started returning the funds

Hackers have stolen $600m worth of cryptocurrency from decentralised finance platform (defi) Poly Network, but the blockchain records show they have already started to return the funds.

About $267m in Ethereum currency, $253m in Binance coin and $85m in USDC tokens were taken during the crypto-heist on 10 August 2021, according to wallet addresses posted by Poly Network on Twitter announcing the hack.

In a separate Tweet, Poly Network said this was the largest amount stolen in the industry’s history, and urged the perpetrators to return the hacked assets.  

“We want to establish communication with you and urge you to return the hacked assets,” it wrote in its statement. “The amount of money you hacked is the biggest in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued.

“It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution.”

Before the hack, the largest theft of cryptocurrencies occurred in 2018, when $530m in digital coins was stolen from Tokyo-based exchange Coincheck.

Poly Network also urged others in the crypto community to backlist assets coming from the addresses it listed on Twitter.

In response to the hack, Binance CEO Changpeng Zhao said that while no one has control of the currencies, “we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can.”

However, it appears the hacker had started to return some of the stolen funds by the morning of 11 August. Just after noon UK time, Poly Network announced it had so far received a total value of $4,772,297.675 from the hacker.

The hacker also decided to embed messages in the transaction, including “ready to return the fund” and “it’s already a legend to win so much fortune – it will be an eternal legend to save the world”.

The hacker made a further request for a “secured multisig wallet from you”, which Poly Network later provided on Twitter with the message “hope you will transfer assets to addresses below”.

The returning of the assets follows researchers from blockchain security firm SlowMist claiming that they were able to track the attacker via a trail of digital evidence left behind.

“The SlowMist security team has grasped the attacker’s mailbox, IP and device fingerprints through on-chain and off-chain tracking, and is tracking possible identity clues related to the Poly Network attacker,” it wrote in a blog.

Read more about cryptocurrency and cyber attacks

  • Crypto infrastructure provider Binance provided assistance to law enforcement after finding its exchange was being used by cyber criminals to launder their ransomware profits.
  • The Lazarus Group, the advanced persistent threat (APT) group aligned to the interests of the North Korean government, is orchestrating a cyber attack campaign against organisations working in the cryptocurrency vertical located in Germany, Japan, the Netherlands, Singapore, the UK and the US, according to new research by F-Secure.
  • Apparent insider breach at Twitter saw so-called “blue tick” accounts of business people, politicians and celebrities hijacked to promote a Bitcoin scam.

“With the technical support of SlowMist’s partner Hoo and multiple exchanges, the SlowMist security team found that the hacker’s initial source of funds was Monero (XMR), which was then exchanged to BNB/ETH/MATIC on the exchanges.

“This is likely to be a long-planned, organised and prepared attack. Further tracking and detailed vulnerabilities and technical details are being analysed by the SlowMist security team.”

Poly Network, following a preliminary investigation, said that the hacker “exploited a vulnerability between contract calls”, which are a kind of test not intended to end up on the blockchain.

This is backed up by a deeper technical analysis of the hack from SlowMist, which also highlighted the contract vulnerabilities and said: “It is not the case that this event occurred due to the leakage of the keeper’s private key.”

Responding to the hack, Darktrace director of technology Andrew Tsonchev said that while most attacks involve monetising the stolen digital assets, attacks on cryptocurrencies might become much more popular because attackers can essentially steal cash directly without having to “convert” digital assets, for example through ransoms.

“We could see this grow in popularity as the cleanest and most direct way to commit theft in cyber land,” he said. “One of the appeals of decentralised finance is the need to circumvent centralised authorities as guarantors of trust or security of assets and transactions.

“But we are now seeing a growth in surrounding cryptocurrency ecosystems and exchanges being hacked, with the security of larger ‘decentralised systems’ not benefiting from the mathematical purity of blockchain systems.

“These components in the ecosystem can be hacked like traditional entities and, as such, they bear lots of the same risks and requirements that traditional centralised authorities like banks used to bear.”

Tsonchev said there was little law enforcement authorities could do after the hack to disrupt the attacker’s operation.

“Once a token/currency has been stolen, there is no way to recover it – it’s gone,” he said. “Cyber attacks damage trust, and as more institutions dip into the world of cryptocurrencies, the ecosystem around it must focus on disrupting the attacks before they happen, or risk losing trust that digital currencies are a secure option.”

Next Steps

Cryptocurrency cyber attacks on the rise as industry expands

Read more on Hackers and cybercrime prevention

Data Center
Data Management