The Poly Network attacker has been returning funds after managing to pull of the largest DeFi theft ever.
On, August 10, 2021, an unidentified attacker had managed to steal around $612 million worth of virtual currency from cross-chain DeFi protocol Poly Network, making this the largest ever theft from a decentralized finance protocol. Surprisingly, the attacker now seems to be returning the funds to Poly Network just a day after the hack.
The attacker appears to have pulled off the online heist by “taking advantage of an exploit in the smart contracts Poly Network uses to carry out cross-chain transactions,” the team at Chainalysis explains while noting that the Ethereum programmer Kelvin Fichter shared out a detailed breakdown of how exactly the exploit worked.
As noted in an update from Chainalysis, the attacker stole funds in the following digital currencies:
- Ethereum (ETH)
- Wrapped Ethereum (WETH)
- Wrapped Bitcoin (WBTC)
- Uniswap (UNI)
- RenBTC
- Tether (USDT)
- Circle (USDC)
- Stablecoin DAI
- SHIB token
- FEI token
- Binance Coin (BNB) and various BEP-20 Tokens
Poly Network “publicly identified three addresses” that Chainalysis has confirmed are controlled by the attacker:
- Attacker Address 1: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 (ETH)
- Attacker address 2: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 (BSC)
- Attacker address 3: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 (POLYGON)
Chainalysis has also shared some notes on how the attack was orchestrated, how much the attacker has so far returned (as of August 11, 2021) to Poly Network, and the current balances of the hackers’ crypto addresses.
Notes on the initial fund movements from Chainalysis:
- “We came across a few interesting insights while analyzing the attacker’s initial movements of stolen funds. (You may check out the Chainalysis Reactor graph here – which shows Attacker Address 1 receiving 2,857.59 ETH — worth $274,461,628.15 USD — from Poly Network in the initial theft).
- “We can see that the day before, the attacker withdrew 0.47 ETH from Hoo.com, which was used to pay for gas fees on transactions associated with the hack. Additionally, the attacker appears to have sent 13.37 ETH to a user known as Hanashiro.eth, who sent an Ether transaction to the attacker with a message warning them that the USDT they’d stolen from Poly Network had been frozen.”
- “Apparently, the Poly Network attacker is willing to pay good money for good information.”
The attacker also “stole 673,227 DAI and 96,389,444 USDC from Poly Network,” and the attacker sent the full amounts of both “to the Curve DeFi protocol in order to mint 95,269,796 3CRV tokens.” Within an hour, “the attacker burnt those 3CRV tokens to receive 96,942,061 DAI,” the Chainalysis team confirmed.
They also mentioned that they suspect the attacker’s goal was “to exchange their holdings of a centralized stablecoin, USDC, for a decentralized one like DAI in order to decrease the chances of the funds being frozen.”
Chaianlysis comments on: Return of stolen funds and current balances
- “Amazingly, the attacker now seems to be in the process of returning the stolen funds to Poly Network at their request. Starting today, they began to send funds back to three Poly Network addresses”:
- 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f
- 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc
- 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17
- “So far, the attacker has returned roughly $260.97 million worth of cryptocurrency in the following coins”:
- POLYGON USDC
- Binance-Peg BTCB
- Binance-Peg BUSD
- Binance-Peg USDC
- FEI
- SHIB
- Binance-Peg ETH
- BNB
- RenBTC
As noted by Chainalysis:
“The attacker communicated with Poly Network via Ether transaction note during this process, voicing their intention to start by returning altcoins and asking if their stolen USDT could be unlocked in return for returning stolen USDC.”
According to Chainalysis, It’s possible this is “a ruse to make off with the unstolen USDT, but so far nothing suggests the attacker won’t continue to return the stolen funds.”
As of noon ET on August 11, 2021, the attackers’ three addresses “hold the following balances” (according to Chainalysis’ investigation):
- Attacker Address 1: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
- ETH – 28,954.32
- WBTC – 1,032.12
- UNI – 43,023.75
- USDT – 33,431,213.72
- USDC – 13.89
- DAI – 96,942,061.86
- Attacker address 2: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
- This address is now empty.
- Attacker Address 3: 0x5dc3603C9D42Ff184153a8a9094a73d461663214
-
- USDC – 84,079,620.88
Crypto security firm Slowmist claims to have “identified the attacker’s mailbox, IP address, and device fingerprints, suggesting they could be close to identifying them, but as of now we have no information to confirm this.”
For their part, the attacker is “dismissing the possibility of being identified in a Q&A they’re holding via Ether transaction notes, where they also explain some of their motivations for hacking Poly Network.” It remains to be seen “whether or not the attacker’s confidence here is warranted,” the blockchain analysis firm noted.
Cryptocurrency hacks are getting harder, according to Chainalysis
The Poly Network hack and then the quick return of funds indicates that it’s becoming a lot more challenging to successfully carry out “large-scale cryptocurrency theft,” Chainalysis noted while adding that this may seem “counterintuitive given that this $600 million theft represents the biggest DeFi hack of all time, and that the fast-growing DeFi ecosystem is uniquely vulnerable to hacks.”
But crypto theft is “more difficult to get away with than theft of fiat funds,” Chainalysis explained while adding that “this is due in part to the inherent transparency of blockchains.”
The blockchain analysis firm further noted:
“Whereas criminally obtained fiat currency can be moved through shady bank accounts, with authorities relying on subpoenas and cooperation of financial institutions to trace its path, anyone in the world can view cryptocurrency transactions made on public blockchains.”
They added:
“The growing, highly-engaged cryptocurrency community is constantly enhancing the power of cryptocurrency’s transparency. Within minutes of the hack, crypto twitter was ablaze with updates from countless industry operators, reporters, and anonymous sleuths tracking the attacker’s movement of the funds.”
They also mentioned that it would have been “virtually impossible for the attacker to move the funds anywhere without somebody broadcasting it.” According to Chainalysis, this “paints a promising picture for future cryptocurrency hack responses.”
The company further noted:
“With the inherent transparency of blockchains and the eyes of an entire industry on you, how could any cryptocurrency hacker expect to escape with a large cache of stolen funds? In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”
They added:
“While we certainly don’t expect every cryptocurrency hack to end with the attacker returning the stolen funds, in this case, it appears Poly Network will get its money back and has also learned about an important vulnerability its team can now patch up. Ultimately, the ecosystem will be stronger for this. All addresses associated with the Poly Network hack have now been labeled in our products. We’ll continue to track the movement of the stolen funds and provide updates of any significant changes.”