The threat actor who hacked Poly Network’s cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds.
As the Chinese decentralized finance (DeFi) platform Poly Network shared two hours ago, the hacker has already returned almost $260 million worth of stolen cryptocurrency.
In total, the attacker has transferred back $256 million Binance Smart Chain (BSC) tokens, $3.3 million in Ethereum tokens, and $1 million in USD Coin (USDC) on the Polygon network.
To send back all the stolen funds, the hacker still has to return another $269 million on Ethereum and $84 million on Polygon.
Motives behind returning the stolen assets unknown
The threat actor explained the motivation for the hack by embedding Q&A messages in transactions (as Elliptic Chief Scientist and Co-founder Tom Robinson found), the motives behind their decision to give back the stolen cryptocurrency are not yet known.
However, it could have been prompted by blockchain security firm SlowMist’s claims that it traced the attacker’s email address, IP address, and device fingerprint.
SlowMist also discovered that the assets used to fund the attack were Monero (XMR) exchanged to BNB, ETH, MATIC, and other tokens.
In a weird twist of events, Poly Network also urged the hacker to return the cryptocurrency stolen from “thousands of crypto community members” to avoid landing on law enforcement’s radar.
— Poly Network (@PolyNetwork2) August 10, 2021
The biggest cryptocurrency hack ever
Following a preliminary investigation of the attack, Poly Network said the threat actor exploited a vulnerability between contract calls which allowed them to gain ownership of funds and transfer them to attacker-controlled wallets:
“This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function,” SlowMist further explained.
“Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract.”
After Poly Network disclosed the attack, Binance CEO Changpeng Zhao said the company was coordinating with security partners to remediate the situation.
— Poly Network (@PolyNetwork2) August 12, 2021