Crypto platform Poly Network rewards hacker who stole $610 million with $500,000 bug bounty

Poly Network, the cryptocurrency platform which lost $610 million in a hack earlier this week, confirmed on Friday it had offered the hacker or hackers a $500,000 ‘bug bounty’.

In a statement it thanked the hacker – who it dubbed a ‘white hat’, sector jargon for an ethical hacker who generally aims to expose cyber vulnerabilities – after he returned the bulk of the funds for ‘helping us improve Poly Network´s security’.

The network also said it hoped ‘Mr. White Hat’ would contribute to the blockchain sector’s continued development upon accepting the $500,000 reward, which it had offered as part of negotiations around the return of the digital coins.

The statement did not specify the form in which it would pay the $500,000. It said the hacker had responded to the offer but did not say if it was accepted.

Though nearly all of the stolen crypto has been returned, about $268 million worth now sits in a joint-custody account that can only be accessed with keys from both the hacker and Poly Network.

The hacker, in a message embedded in a digital currency transaction, said they would ‘provide the final key when _everyone_ is ready.’

On Thursday, the hacker appeared to speak out in digital messages embedded in transactions, shared on Twitter by Tom Robinson, chief scientist and co-founder of crypto tracking firm Elliptic.

They showed a person claiming to have perpetrated the hack had said Poly Network offered him the bounty to return the stolen assets.

The hacker claimed that they had carried out the breach ‘for fun’ and in order to ‘save the world’ and had always planned to return the funds.

Typically, white hat hackers notify companies directly when they discover vulnerabilities, rather than use them to steal vast sums. 

But the hacker, who did not appear to be fully fluent in English, explained that they feared an insider at the company would exploit the vulnerability for themselves, and claimed the funds had been stolen to keep them ‘safe’.

A lesser-known name in the world of crypto, Poly Network is a decentralized finance (DeFi) platform that facilitates peer-to-peer transactions with a focus on allowing users to transfer or swap tokens across different blockchains.

The as-yet unidentified hacker or hackers appear to have exploited a vulnerability in the digital contracts Poly Network uses to move assets between different blockchains, according to blockchain forensics company Chainalysis.

According to Friday’s statement, the hacker has returned $340 million worth of assets and transferred the bulk of the rest to a digital wallet jointly controlled by them and Poly Network.

The remainder, held in tether, was frozen by the cryptocurrency firm behind the stablecoin.

‘After communicating with Mr. White Hat, we have also come to a more complete understanding regarding how the situation unfolded as well as Mr. White Hat’s original intention,’ Poly Network said, without giving further details.

Poly Network announced the hack on Tuesday, but the following day said the hackers had begun returning the digital coins they had taken.

The hackers said in digital messages shared by Elliptic that they had perpetrated the attack for fun and that it was always the plan to return the tokens.

Some blockchain analysts have speculated however they might have found it too difficult to launder stolen cryptocurrency on such a scale.