Hackers responsible for a $610 million attack on the decentralized finance (DeFi) platform Poly Network have returned most of the stolen funds, saying their actions constituted “white hat behavior”.
As the protocol runs on Binance Smart Chain, Ethereum, and Polygon blockchains, the attack affected them all. As a result, Tether froze about $33 million. Some addresses started panhandling digitally, asking the attacker for some money. It served as a reminder to some how early DeFi still is, but it did not dampen enthusiasm overall, especially after the hacker (who started the #DearHacker trend on Twitter) returned nearly all of the funds.
According to an update on the attack from Poly Network, all of the $610 million in funds taken in an exploit that used “a vulnerability between contract calls” have now been transferred to a multisig wallet controlled by the project and the hacker. Only $33 million in Tether (USDT) remains, which were frozen immediately following news of the attack.
The hacker communicated with the Poly Network team and others through embedded messages in Ethereum transactions. Apparently, the hackers did not plan to transfer the funds after successfully stealing them, and stated that they did the hack “for fun” since “cross-chain hacking is hot.”
However, after speaking with the project and users, the hacker returned $258 million of the funds. Poly Network said it determined that the attack constituted “white hat behavior” and offered the hacker, whom it dubbed “Mr. White Hat,” a $500,000 bounty:
“We assure you that you will not be accountable for this incident. We hope that you can return all the tokens as soon as possible […] We will send you the 500k bounty when the remaining are returned except the frozen USDT.”
“The poly did offer a bounty, but I have not responded to them. Instead, I will send all of their money back,” said the hacker.
With the remainder of the funds, with the exception of the frozen USDT, now returned, the biggest hack in decentralized finance seems to be coming to an end. Although the hacker’s identity has yet to be revealed, Chinese cybersecurity firm SlowMist posted an update shortly after news of the hack broke. The company said analysts had identified the attacker’s email address, IP address, and device fingerprint.