Poly Network attacker returns $256 million of the stolen cryptocurrency

Quick Take

  • Poly Network attacker has started returning the funds that were stolen in the largest DeFi hack to date.
  • The move came less than a day since the attacker’s ID information was reportedly obtained by blockchain security firm Slowmist.

The attacker of the $611 million Poly Network exploit has started returning the stolen crypto assets, less than a day after their ID information was reportedly obtained by blockchain security firm Slowmist.  They have now sent back $256 million in tokens out of the haul.

Seven minutes prior to sending the first transaction returning some of the funds, the hacker created a token called "The hacker is ready to surrender" and sent this token to the designated Polygon address.

Then they elected to send back $1 million in USDC on the Polygon blockchain. They did so in three transactions in incrementally increasing amounts (10, 10,000 and 1 million). They also handed back 23.8 BTCB ($1.1 million), a bitcoin-pegged token on Binance Smart Chain, as well as 259.7 billion shiba inu (SHIBA) tokens, worth $2 million, and $600,000 in FEI, a stablecoin.

A few hours later, after speaking to the Poly Network team in encoded messages, the hacker sent back nearly all of the assets on Binance Smart Chain. They sent over 1,000 more BTCB ($46.4 million), 26,629 ETH ($86 million) and $119 million in the stablecoin BUSD. The only assets remaining on this chain are 6,613 BNB ($2.6 million).

The biggest DeFi hack so far

The attacker's move came less than a day after the initial exploit, which was the largest DeFi hack to date. The stolen assets included $273 million of Ethereum tokens, $253 million in tokens on Binance Smart Chain and $85 million in USDC on the Polygon network.  Since then, Tether was the only entity that was swift enough to blacklist the stolen USDT on Ethereum worth about $33 million.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

But hours after the heist, blockchain security firm Slowmist claimed that they already tracked down the attacker's IP and email information while the investigation on other ID intel relating to the attacker continued. Slowmist's Weibo post on Tuesday suggested that the attacker used a little known Chinese crypto exchange Hoo when putting together the funds for the attack, hinting at how their digital footprint was trailed at the beginning. Other crypto sleuths also found details relating to other exchanges that may help to identify them.

Around 4:00 UTC time on Wednesday, the attacker wrote "Ready to return the fund!" in an Ethereum transaction that was sent from the PolyNetwork Exploiter address to itself. That message was followed by another one that reads: "Failed to contact the Poly. I need a secured multisig wallet from you."

About 20 minutes later, the team behind the Poly Network responded to the exploiter address through a transaction that it is "preparing a multi-sig address controlled by known Poly addresses." In a follow-up transaction, the Poly Network team identified three addresses that they hoped the attacker returns the funds to. The money is currently being sent to these addresses.

For more breaking stories like this, make sure to subscribe to The Block on Telegram.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Wolfie joined The Block’s news team in 2020 and switched to the research side in 2021 to focus on crypto mining analysis. Prior to The Block, he had been a journalist at CoinDesk for three years. Wolfie has a background in financial journalism.