Zephyr18 | iStock | Getty Images
The hacker behind the biggest cryptocurrency heist of all time has granted access to the final tranche of stolen funds.
Poly Network, a platform in the decentralized finance or “DeFi” space, was hit by a major attack this month which saw the hacker, or hackers, steal more than $600 million worth of digital tokens. The thief exploited a vulnerability in Poly Network’s code which allowed them to transfer the funds to their own accounts.
In a strange twist, the Poly Network hacker didn’t run off with the haul. Instead, they opened a dialogue with the organization that was targeted, promising to return all the funds. And, sure enough, the hacker gave back nearly all of the money — with the exception of $33 million of tether, or USDT, which was frozen by its issuers.
There was a catch, however. More than $200 million of assets was trapped in an account that required passwords from both Poly Network and the hacker. For some time, the hacker refused to hand over their password, simply saying they would only do so once “everyone is ready.”
Poly Network pleaded with the hacker, which it is calling “Mr. White Hat,” to return the remaining funds. The platform promised to grant the unidentified person a $500,000 bounty for helping it identify a flaw in its systems, and even offered them a job as “chief security advisor.”
Now, the hacker has finally given Poly Network access to the final tranche of stolen funds. In a blog post Monday, the firm said Mr. White Hat shared the so-called private key needed to regain control of the remaining assets.
“At this point, all the user assets that were transferred out during the incident have been fully recovered,” Poly Network said. “We are in the process of returning full asset control to users as swiftly as possible.”
It’s one of the most bizarre stories about cryptocurrencies in a long time. The theft was thought to be the biggest crypto heist ever, surpassing the $534.8 million stolen from Japanese digital currency exchange Coincheck in a 2018 attack and the estimated $450 million worth of bitcoin that went missing from Tokyo-based Mt. Gox in 2014.
Last week, Japanese crypto exchange Liquid said it was hit by a cyberattack that saw hackers make off with a reported $97 million worth of digital coins.
In Poly Network’s case, though, the attacker maintained a public conversation with their victim, ultimately restoring the assets they stole. Security experts said it was likely the attacker realized it would be difficult for them to launder the money and cash out, since all transactions are recorded on the blockchain, the public ledgers that underpin most major digital currencies.
In a message embedded in a crypto transaction, an anonymous person claiming to be the hacker said they were “(quitting) the show.”
“Keep calm and this is the happy ending!” the person said. “I have to admit that my wild or mad behaviors have led to crises to your project, your team and even your lives. Sorry for the inconvenience! It must be one of the most wild adventures in our lives.”
“My actions, which may be considered weird, are my efforts to contribute to the security of the Poly project in my personal style,” they added. “The consensus was reached in a painful and obscure way, but it works. Some people even suspect that the whole story is a PR stunt.”
Poly Network said its team “confirmed that the private key is genuine.”
“As of now, Poly Network has regained control of the $610 million (not including the frozen $33 million USDT) in assets that were overall affected in this attack. Once again, we would like to thank Mr. White Hat for keeping his promise, as well as the community, partners and the multiple security agencies for their assistance.”