Poly Network Crypto Heist – Biggest In History – Happened “For Fun”

Cryptocurrency hacks are rarely small, but the recent heist at Poly Network is huge: the attack drained $610 million worth of crypto assets. Besides being “huge”, it’s “strange” too, as the attacker(s) have begun to return the stolen money.

Poly Network Crypto Heist Of $610 Million

On Tuesday, Poly Network suffered the worst cryptocurrency theft to date, losing $610 million worth of digital assets.

The news surfaced online after Poly Network disclosed the crypto heist via a tweet from its official account. As revealed, the hacker(s) targeted three blockchains – Binance Smart Chain (BSC), Ethereum, and Polygon – to pilfer the money.

It turned out that the attackers actually took more than initially anticipated. Specifically, the stolen money came to $273 million on Ethereum, $253 million on BSC, and $85 million on Polygon.

Alongside announcing the hack, the exchange also asked all miners and cryptocurrency exchanges to block any tokens coming from the hackers’ wallet addresses on the affected blockchains.

Also, the exchange explained that the attack happened due to a vulnerability that allowed a cross-chain attack.

Security firm SlowMist further explained the vulnerability and the attack pattern in a separate post. As summarized in their post:

This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.
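
The trust relationship SlowMist describes can be shown with a small model. This is an added example, not code from Poly Network or SlowMist: the class names echo the contracts named above, while `set_keeper`, `Token`, `unlock`, the allowlist and all values are hypothetical, and header verification is left out.

```python
# Simplified model, constructed for illustration; not Poly Network's code.

class CrossChainData:
    """Holds the keeper. Only the owner (the manager) may change it."""
    def __init__(self, keeper):
        self.owner = None
        self.keeper = keeper

    def set_keeper(self, caller, new_keeper):  # hypothetical setter name
        if caller is not self.owner:
            raise PermissionError("only the owner may change the keeper")
        self.keeper = new_keeper

class Token:
    """Ordinary application contract that relayed messages should reach."""
    def __init__(self):
        self.balances = {}

    def unlock(self, caller, to, amount):  # hypothetical method
        self.balances[to] = self.balances.get(to, 0) + amount

class CrossChainManager:
    """Executes relayed messages; it is also the data contract's owner."""
    def __init__(self, data, allowlist=None):
        self.data = data
        data.owner = self
        self.allowlist = allowlist  # None models the unrestricted dispatch

    def verify_and_execute(self, target, method, args):
        # Header/proof verification is left out of this model.
        if self.allowlist is not None and (id(target), method) not in self.allowlist:
            raise PermissionError("target/method not allowlisted")
        getattr(target, method)(self, *args)  # callee sees the manager as caller

def demo(hardened):
    data, token = CrossChainData("original-keeper"), Token()
    allow = {(id(token), "unlock")} if hardened else None
    mgr = CrossChainManager(data, allow)
    mgr.verify_and_execute(token, "unlock", ("alice", 5))  # normal traffic
    try:  # user-supplied message naming the privileged data contract
        mgr.verify_and_execute(data, "set_keeper", ("user-chosen-keeper",))
    except PermissionError:
        pass
    return data.keeper, token.balances

if __name__ == "__main__":
    print("unrestricted:", demo(False))
    print("allowlisted: ", demo(True))
```

The owner check in the data contract passes in the unrestricted case because the call really does come from the manager; restricting which targets the manager will call on a user's behalf is what keeps the keeper unchanged.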

Hacker(s) Returning The Stolen Money

SlowMist further claimed to have tracked down the hacker via the IP address and device fingerprints.

Poly Network also urged the attacker to return the money and be a “white hat” hacker.

Eventually, the attackers seemed to have agreed, as the stolen funds began to move back to Poly Network’s wallet addresses.

Besides returning the funds, the attacker also explained the apparent reason for the attack: to teach Poly Network a lesson.

… I DECIDED TO LET THE SHOW GO ON! WHAT IF THEY PATCH THE BUG SECRETLY WITHOUT ANY NOTIFICATION?”

In a quick Q&A on an Ethereum transaction site, the attacker explained how he spotted the bug and went ahead to exploit it before an adversary could. He also claimed that he never intended to keep the amount.

Besides, he elaborated on how he wanted to exploit all four blockchains – the fourth being Heco. However, the latter didn’t let him through.

As for his traceability, the hacker stated,

I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON’T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACEABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.

He also confirmed that he was in communication with Poly Network, something that the exchange also confirmed.

Since he had posted the Q&A publicly, users could easily share it on social media.

At the time of writing this article, the attacker had returned $342 million worth of assets.

It currently remains unclear whether the hacker has stated the truth or returned the amount out of fear of being traced.

For now, Poly Network awaits full recovery of the assets from “Mr. White Hat” hacker.
