The hacker of the decentralized finance (DeFi) interoperability protocol Poly Network has returned more than half (in USD terms) of the stolen funds so far.
Per the latest data provided by Poly Network, as of August 12, almost USD 342m of assets has been returned. This includes:
- On Binance Smart Chain: USD 252m
- On Polygon: USD 85m
- On Ethereum: USD 4.6m.
They added that there is still USD 268m on Ethereum to be returned. This amounts to some USD 610m in stolen funds.
As reported, Poly Network suffered an exploit on August 10, with the attacker stealing more than a massive USD 600m. The attack happened on Binance Smart Chain (BSC), Ethereum (ETH), and Polygon (MATIC).
The hacker has started returning the funds yesterday, though it is not exactly clear why, or if there has been any sort of agreement between Poly and the attacker, or even if the attacker plans to return every last bit of it.
An ‘interview’ with the attacker may offer some explanation, at least from their side of the story.
Embedded in Ethereum transactions sent from the account controlled by the hacker, and shared on Twitter by Tom Robinson, the chief scientist and co-founder of the blockchain data tracker Elliptic, the hacker posted a Q&A, claiming that they were “forced to play the game.”
The hacker said that they hacked the protocol “for fun,” and that “cross-chain hacking is hot,” hence the choice of Poly, but that they transferred the tokens to keep them safe.
They further argued that upon spotting the bug, they “had mixed feelings” as they didn’t know if alerting anybody, the team included, would result in the funds being stolen. They said they “should’ve stopped” then but wondered “what if [the team] patch the bug secretly without any notification.”
“The only solution I can come up with is saving it in a trusted account while keeping myself anonymous and safe,” they wrote.
Not wanting to cause panic, they said, they took only the “important” coins, “except for Shib” and did not sell any.
As for why they went on to sell/swap the stablecoins, they replied “I was pissed by the Poly team for their initial response.”
Per the messages, this person is not an insider, but they said they “take the responsibility” to expose the vulnerability before any insider could exploit it in secret.
They also claim that they haven’t been exposed and that they “prefer to stay in the dark and save the world.” Additionally, returning the funds was allegedly always the plan.
The hacker further claims that this event was an attempt to strengthen “a well designed system” that “will handle more assets” like Poly. They claim to have been communicating with the Poly Network team, and that they’re returning the funds slowly so as to be able to talk with the team, “prove [their] dignity” while keeping their identity secret, and get rest in the meantime.
Lastly they said that “being the crowdsourced hacker” was their bad joke after seeing so many beggars asking for the stolen money to be shared, as well as that being “the moral leader” is the “coolest hack” they could ever achieve.