Hackers behind one of the biggest ever cryptocurrency heists have returned more than half of $613 million in digital coins they stole, the company at the centre of the hack has revealed.
Poly Network, a decentralised finance platform that facilitates peer-to-peer transactions, said on Thursday that $342 million of the stolen funds had been returned but that $268 million was outstanding.
The company, which allows users to swap tokens across different blockchains, said on Tuesday it had been hacked and urged the culprits to return the stolen funds, threatening legal action.
The hackers exploited a vulnerability in the digital contracts Poly Network uses to move more than a dozen different crypto-assets between different blockchains, according to blockchain forensics company Chainalysis.
A person who claimed to have perpetrated the hack said they did it “for fun” and wanted to “expose the vulnerability” before others could exploit it, according to digital messages shared by Elliptic, a crypto tracking firm, and Chainalysis.
It was “always the plan” to return the tokens, the purported hacker wrote, adding: “I am not very interested in money.”
The hackers or hacker have not been identified, and the authenticity of the messages could not be verified.
Money-laundering ‘headache’
Tom Robinson, co-founder of Elliptic, said the decision to return the money could have been prompted by the headaches of laundering stolen crypto on such a scale.
An executive from cryptocurrency firm Tether said on Twitter the company had frozen $33 million connected with the hack, and executives at other crypto exchanges told Poly Network they would also try to help.
“Even if you can steal crypto-assets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the broad use of blockchain analytics by financial institutions,” Robinson explained.
Poly Network did not respond to requests for more details. It was not immediately clear where the platform is based, or whether any law enforcement agency was investigating the heist.
The size of the theft was comparable to the $530 million in digital coins stolen from Tokyo-based exchange Coincheck in 2018. The Mt. Gox exchange, also based in Tokyo, collapsed in 2014 after losing half a billion dollars in bitcoin.
The Poly Network attack comes as losses from theft, hacks and fraud related to decentralised finance (DeFi) hit an all-time high, according to crypto intelligence company CipherTrace.
At $600 million, however, the Poly Network theft outstripped the $474 million in criminal losses CipherTrace said were registered by the entire DeFi sector from January to July. The thefts illustrated risks of the mostly unregulated sector and may attract the attention of regulators.
DeFi platforms allow parties to conduct transactions, usually in cryptocurrency, directly without traditional gatekeepers such as banks or exchanges. The sector has boomed over the last year, with platforms now handling more than $80 billion worth of digital coins.
Proponents of DeFi say it offers people and businesses free access to financial services, arguing that the technology will cut costs and boost economic activity. But technical flaws and weaknesses in the platforms’ computer code can make them vulnerable to hacks.
Scepticism over claim
Cryptocurrency security firm SlowMist said on its website that it has identified the attacker’s mailbox, internet protocol address, and device fingerprints, but the company has not yet named any individuals.
SlowMist said the heist was “likely to be a long-planned, organised and prepared attack.”
According to the messages published by Chainalysis, the purported hacker posed as a so-called “white hat”, an ethical hacker who aimed to identify the vulnerability for Poly Network and had planned to give the money back. But some crypto experts are sceptical.
Gurvais Grigg, chief technology officer at Chainalysis and former FBI veteran, said it was unlikely that white hat hackers would steal such a large sum. He said they had probably returned some of the funds because it had proved too difficult to convert them into cash.
“It’s hard to know the motivation … Let’s see if they return the whole amount,” he added.
• Reuters and Jim Pollard
This story was updated on August 12.