Hacker Behind Biggest Cryptocurrency Heist Ever Returns Stolen Funds

The threat actor who hacked Poly Network’s cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds.

AAs the Chinese decentralized finance (DeFi) platform Poly Network shared two hours ago, the hacker has already returned almost $260 million worth of stolen cryptocurrency.

In total, the attacker has transferred back $256 million Binance Smart Chain (BSC) tokens, $3.3 million in Ethereum tokens, and $1 million in USD Coin (USDC) on the Polygon network.

To send back all the stolen funds, the hacker still has to return another $269 million on Ethereum and $84 million on Polygon.

Motives behind returning the stolen assets unknown

The threat actor explained the motivation for the hack by embedding Q&A messages in transactions (as Elliptic Chief Scientist and Co-founder Tom Robinson found), the motives behind their decision to give back the stolen cryptocurrency are not yet known.

Also Read: Vulnerability Management For Cybersecurity Dummies

However, it could have been prompted by blockchain security firm SlowMist’s claims that it traced the attacker’s email address, IP address, and device fingerprint.

SlowMist also discovered that the assets used to fund the attack were Monero (XMR) exchanged to BNB, ETH, MATIC, and other tokens.

In a weird twist of events, Poly Network also urged the hacker to return the cryptocurrency stolen from “thousands of crypto community members” to avoid landing on law enforcement’s radar.

The biggest cryptocurrency hack ever

Following a preliminary investigation of the attack, Poly Network said the threat actor exploited a vulnerability between contract calls which allowed them to gain ownership of funds and transfer them to attacker-controlled wallets:

• Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
• Binance Smart Chain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
• Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

“This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function,” SlowMist further explained.

“Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract.”

After Poly Network disclosed the attack, Binance CEO Changpeng Zhao said the company was coordinating with security partners to remediate the situation.

Also Read: Compliance With Singapore Privacy Obligations, Made Easier!

OKEx, Tether, and Huobi also added that their security teams were working on freezing cryptocurrency assets identified as stolen in the attack.