May 17, 2022

A weakness in Poly Network, a decentralized finance network, enabled hackers to steal $600 million in cryptocurrency in what is believed to be the industry’s largest heist.

“The amount of money you hacked is the biggest one in the defi history,” Poly Network wrote in a letter to the attacker it posted to Twitter. “The money you stole is from tens of thousands of crypto community members… you should talk to us to work out a solution.”

Poly Network advised other members of the cryptocurrency ecosystem to “blacklist” assets originating from the attacker’s siphoning addresses, which contained a mix of 12 different cryptocurrencies.

Poly Network established multiple addresses following the hack to which it said the attacker may return the cryptocurrency. And it appears as though the hacker is complying since Poly Network reported receiving almost $4.7 million back as of 7:47 a.m. ET Wednesday. By lunchtime, around $261 million had been recovered. All but the $268 million worth of Ethereum have been returned.

According to Chainalysis, the attacker claimed in notes attached to several of the transactions that the attack was carried out “for fun :)” and that the attack was taken as a challenge.

“I take the responsibility to expose the vulnerability before any insiders are hiding and exploiting it!” the attacker wrote. “I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP, or _so-called_ fingerprint, which were untraceable. I prefer to stay in the dark and save the world.”

The explanation for the world’s largest cryptocurrency heist emerged on Thursday via a blockchain-based question-and-answer session conducted by the hack’s alleged perpetrator.

The hacker explained: “Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion!”

“I can trust nobody!” the hacker continued. “The only solution I can come up with is saving it in a _trusted_ account while keeping myself _anonymous_ and _safe_.”

On returning the money, the hacker said: “That’s always the plan! I am _not_ very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”