The hacker behind one of the largest cryptocurrency heists returned almost half of the $600m stolen assets
On Tuesday, the affected firm, Poly Network, wrote a letter on Twitter asking the individual to get in touch "to work out a solution".
The hacker then posted messages pledging to return funds, claiming to be "not very interested in money".
On Wednesday, Poly Network said it had received $260m back.
The company, a blockchain platform which lets users swap different types of digital tokens, posted on Twitter that it had been sent back three cryptocurrencies, including $3.3m worth of Ethereum, $256m worth of Binance Coin and $1m worth of Polygon.
A total of $269m in Ether tokens and $84m in Polygon tokens has yet to be recovered.
A blockchain is a ledger, or log, of every single transaction made of a cryptocurrency, such as Bitcoin.
The ledger is distributed to all the users in the network to verify all new transactions when they occur, instead of being held by any one single authority.
Software flaws
The hacker published a three-page-long Q&A session on one of the blockchains, essentially in the form of a self-interview, according to Tom Robinson, co-founder of Elliptic, a London-based blockchain analytics and compliance firm.
The hacker claimed to have always planned to return the tokens and said the heist was carried out to highlight vulnerabilities in Poly Network software.
"I know it hurts when people are attacked, but shouldn't they learn something from those hacks?" the hacker wrote in the notes embedded on the Ethereum blockchain.
The hacker claimed to have spent all night looking for a vulnerability to exploit. They said they were worried that Poly Network would patch the security flaw quietly without telling anyone, so they decided to take millions of dollars in cryptocurrency tokens to make a point.
But they stressed that they did not want to cause a "real panic [in] the crypto-world", so they only took "important coins", leaving behind Dogecoin, the cryptocurrency that started off as a joke.
"Either they just intended to commit theft and steal the assets, or they were acting like a white hat hacker to expose a bug, to help Poly Network make themselves more strong and secure," Mr Robinson, who routinely advises governments and law enforcement agencies about crypto-related crimes, told the BBC.
He added that the nature of blockchain technology makes it hard for cyber-criminals to profit from stealing digital currencies, because everyone can see the money being moved across the network into the hackers' wallets.
"I wonder whether this hacker stole the funds, realised how much publicity and attention they were getting, realised wherever they moved the funds they would be watched, and decided to give it back," said Mr Robinson.
"The blockchain itself has operated here flawlessly, but the problem is on blockchains like Ethereum, you can write your own smart contracts. Various services have started offering this, including Poly Network.
"So whenever a human being writes code, there's a chance they will make a mistake."
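The two points made above, that a blockchain is a distributed ledger every participant can verify, and that funds moved through it are visible to everyone, are easier to see in code than in prose. The following is an added illustration written for this article, not code from Poly Network, Elliptic or any real chain: a toy hash-chained ledger with constructed sample transfers (the addresses "mint", "alice", "bob" and "attacker_wallet" are invented placeholders). It shows how a verifier detects a tampered block, and how anyone holding the ledger can trace every inflow to a given address.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    """One batch of transactions, chained to its predecessor by hash."""
    index: int
    prev_hash: str
    transactions: list  # list of {"from", "to", "amount"} dicts

    def hash(self) -> str:
        # Canonical JSON so the same content always yields the same digest.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


# Constructed sample data: a minting step, a normal transfer,
# then a transfer into a wallet we want to watch.
SAMPLE_BATCHES = [
    [{"from": "mint", "to": "alice", "amount": 100},
     {"from": "mint", "to": "bob", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 30}],
    [{"from": "bob", "to": "attacker_wallet", "amount": 60}],
]


def build_ledger(batches) -> list:
    """Append each batch as a new block linked to the previous block's hash."""
    chain = [Block(0, "0" * 64, [])]  # genesis block with no predecessor
    for txs in batches:
        prev = chain[-1]
        # Copy the dicts so the ledger owns its own records.
        chain.append(Block(prev.index + 1, prev.hash(), [dict(tx) for tx in txs]))
    return chain


def verify_ledger(chain) -> bool:
    """What every node does with its copy: recompute each link in the chain.
    Any edit to an earlier block changes its hash and breaks the next block's
    prev_hash, so the tampering is detectable by anyone holding the ledger."""
    for i in range(1, len(chain)):
        if chain[i].index != chain[i - 1].index + 1:
            return False
        if chain[i].prev_hash != chain[i - 1].hash():
            return False
    return True


def balances(chain) -> dict:
    """Derive current balances by replaying every recorded transfer."""
    bal = {}
    for block in chain:
        for tx in block.transactions:
            bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal


def flows_to(chain, address: str) -> list:
    """Trace every inflow to an address: (block index, sender, amount).
    This is the public visibility that makes stolen funds hard to move unseen."""
    return [(block.index, tx["from"], tx["amount"])
            for block in chain
            for tx in block.transactions
            if tx["to"] == address]


def tamper_demo() -> tuple:
    """Return (valid before edit, valid after edit) to show detection."""
    chain = build_ledger(SAMPLE_BATCHES)
    before = verify_ledger(chain)
    chain[2].transactions[0]["amount"] = 999  # rewrite history in block 2
    after = verify_ledger(chain)
    return before, after


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_BATCHES)
    print("ledger valid:", verify_ledger(ledger))
    print("balances:", balances(ledger))
    print("inflows to attacker_wallet:", flows_to(ledger, "attacker_wallet"))
    print("valid before/after tampering:", tamper_demo())
```

Real networks add consensus, signatures and proof-of-work or proof-of-stake on top of this chaining, but the two properties the article relies on, tamper evidence and full public traceability, come from the linked hashes and the replayable transaction log alone.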
Poly Network's platform works by facilitating movement between several blockchains when people trade one cryptocurrency for another, such as trading Binance Coin for Ether.
"The Poly Network is the thing that facilitates the movement between these chains - ultimately, it's software, it's code, and code always has imperfections and defects in it," James Chappell, co-founder of London-based cyber-security firm Digital Shadows, told the BBC.
"And that's true of banks, or any financial system. Unfortunately, what seems to have happened here is a party has spotted a weakness in the implementation and exploited it to fool the network into transferring these tokens incorrectly."
Similar attacks have happened to several other services in the last 12 months. These include Yearn Finance, which had $11m stolen by hackers in February; Alpha Finance, which had $37m stolen in the same month; and Meerkat Finance, which was drained of $32m by hackers in March.