Crypto Hacker Returns Most of Funny Money Stolen from Poly

The hacker who stole $600 million of imaginary money from Poly Network has started to give it back. At the time of publication, about 56% is back in the hands of the decentralized finance (DeFi) platform.

Some say the hacker is a legitimate security researcher who exploited the bug to illustrate the problem. Others say the perp was simply incapable of laundering the fake money quickly enough.

Whoever it is, it’s yet another illustration of cryptocurrency’s brittleness. In today’s SB Blogwatch, we drive over in our Fiat.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stefani vs. Diddy’s Kong Quest.

DeFi Deflagration Debate:

What’s the craic? Wolfie Zhao reports—“Poly Network attacker returns $256 million of the stolen cryptocurrency”:

Largest DeFi hack
The attacker of the $611 million Poly Network exploit has started returning the stolen crypto assets, less than a day after their ID information was reportedly obtained by blockchain security firm SlowMist. … Seven minutes prior to sending the first transaction returning some of the funds, the hacker created a token called “The hacker is ready to surrender” and sent this token to the designated Polygon address.

The attacker’s move came less than a day after the initial exploit, which was the largest DeFi hack to date. The stolen assets included $273 million of Ethereum tokens, $253 million in tokens on Binance Smart Chain and $85 million in USDC on the Polygon network.

Weird. Tom Wilson adds—“Over half of crypto tokens stolen in $610 mln hack now returned”:

Too difficult to launder
Poly Network, which allows users to transfer or swap tokens across different blockchains, said on Tuesday it had been hit by the cyberheists, urging the culprits to return the stolen funds. … The theft illustrated the risks of the mostly unregulated … DeFi sector. DeFi platforms allow users to conduct transactions, usually in cryptocurrency, without traditional gatekeepers such as banks or exchanges.

Poly Network … did not immediately respond to questions on … whether any law enforcement agency was involved. … Blockchain analysts said they might have found it too difficult to launder stolen cryptocurrency on such a scale.

And it keeps trickling back. The latest update fromPoly Network—@PolyNetwork2—says:

$342 million
$342 million (As of 12 Aug 08:18:29 AM +UTC) of assets had been returned:
Ethereum: $4.6M
BSC: $252M
Polygon: $85M

The remaining is $268M on Ethereum.

So what happened? The SlowMist security team blog anonymously—“Analysis and Q&A”:

Monitor the transfer of stolen funds
This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the address specified by the attacker by the keeper of the EthCrossChainData contract.

[Our] anti-money laundering tracking system will continue to monitor the transfer of stolen funds, block all wallet addresses controlled by attackers, and remind exchanges and wallets to strengthen address monitoring to prevent related malicious funds from flowing into the platform.

Clear as mud? How about lglethal’s summary?

Highlight their security failures
“Hey what happens if I do this? … Ha, I just stole some of their Coins!

“I wonder how much I could steal? … That’s a lot of money. Um, how do I turn that into cash?”

“Ohhhh ****! This is not good. Everyone is trying to track me down. … And none of my attempts to turn it into cash have worked. Everything is getting blocked. And oh no they’re publishing the wallet details.”

“If I give it back and pretend I was just doing it to highlight their security failures, maybe people will stop looking for me.”

But Papaspud ain’t buying it:

Shady actors
Even if they get 90% back, it means these guys made off with $60 million. Not a bad day’s haul.

These crimes are going to become more common. … Don’t tell me other shady actors aren’t watching this carefully.

Time for a colorful metaphor? phealy looks at it sideways:

Imagine if someone robbed a bank—and suddenly the cash in your wallet is now worth 60% of what it was worth yesterday.

But how did Poly persuade the hacker to give it back? srg33 has a go:

I’ll try to explain. The original tokens had some … value. Maybe analogous to bank checks.

Normally, that would be no problem to deposit at another bank. However … if the originating bank notified other banks (blacklisted those checks) then other banks would not accept … the checks: worthless.

Why can’t law enforcement do something? orwelldesign doesn’t think they should:

If you do an end-run around the law
**** ’em. Really. You want to make up your own bull**** outside of society? You get to live with the consequences.

As with all speculative investments, sometimes you just lose all your money. Why is that society’s problem? We’ve got a perfectly reasonable lawful framework around money and investment. If you do an end-run around the law, why in blue figgity-**** should the law step in to help you?

Meanwhile, doesnothingwell does this well:

Dumb criminals. Rule one: … Don’t **** where you eat.

And Finally:


Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Suzy Hazelwood (via Pexels)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 517 posts and counting.See all posts by richi