Hackers have stolen some $600 million in cryptocurrency from the decentralized finance platform Poly Network, in what it says is the largest theft in the industry’s history.
A vulnerability in Poly Network allowed the thief to make off with the funds, the platform said Tuesday, begging the attacker to return the money.
“The amount of money you hacked is the biggest one in the defi history,” Poly Network wrote in a letter to the attacker it posted to Twitter. “The money you stole are from tens of thousands of crypto community members… you should talk to us to work out a solution.”
Poly Network urged other members of the cryptocurrency ecosystem to “blacklist” the assets coming from addresses used by the attacker to siphon away the funds — which included a mix of various coins including $33 million of Tether, according to Tether’s CTO. (In a statement, Tether later said it froze the assets within 20 minutes of learning of the attack.) The cryptocurrency exchange Binance said it was “coordinating with all our security partners to actively help.” Poly Network links together the blockchains of multiple virtual currencies to create interoperability among them.
Following the hack, Poly Network established several addresses to which it said the attacker could return the money. And it appears the hacker is cooperating: As of 7:47 a.m. ET Wednesday, Poly Network said, it had received about $4.7 million back. It was not immediately clear who was behind the hack.
By noon, much more money, about $261 million, had been returned, according to the blockchain forensics firm Chainalysis. In notes appended to some of the transactions, Chainalysis said, the attacker claimed to have hacked Poly Network “for fun :)” and that he or she undertook the attack as a challenge.
“I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!” the attacker wrote. “I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP or _so called_ fingerprint, which were untraceable. I prefer to stay in the dark and save the world.”
Once the hack had gained the world’s attention, there was virtually no way for the hacker to safely withdraw the funds, Chainalysis said, because every transaction is recorded and traceable.
“With the inherent transparency of blockchains and the eyes of an entire industry on you, how could any cryptocurrency hacker expect to escape with a large cache of stolen funds?” the company wrote in its report. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”
Regulators have increased their scrutiny of crypto platforms as investors pour billions of dollars into digital currencies. Senator Elizabeth Warren recently asked SEC Chair Gary Gensler to investigate the SEC’s ability to oversee trading on crypto platforms.
In response, last week, Gensler said: “Right now, I believe investors using these platforms are not adequately protected.”
Clare Sebastian contributed reporting.