Getting your Trinity Audio player ready...
|
In what amounts to the biggest DeFi hack in history and one of the largest the digital asset industry has ever seen, a hacker has stolen more than $611 million in funds from the cross-chain Poly Network.
The Poly Network allows users to swap tokens across multiple blockchains, including Ethereum, Binance Smart Chain, Polygon, and others. Poly Network announced the attack on Twitter on August 10.
Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71— Poly Network (@PolyNetwork2) August 10, 2021
How much was stolen? Who did it?
Poly Network was attacked on Ethereum, Binance Smart Chain, and Polygon. Blockchain firm Slow Mist claims the attackers’ initial funds were in Monero and were switched into BNB, ETH, and MATIC for the attack.
In total, at least $611 million in funds were stolen. This sum includes:
- $273 million on Ethereum
- $253 million on BSC.
- $85 million on Polygon.
Assets stolen include WETH, WBTC, RenBTC, DAI, UNI, SHIB, and FEI. The hacker later attempted to deposit USDC and DAI to the DeFi platform Curve.
While it’s as yet unknown who the attacker is, blockchain security firm Slow Mist claimed to have uncovered their email account, IP address, and device fingerprint. This would be enough for law enforcement to locate the individual(s) if it’s accurate information.
Poly Network calls for wallet freezes and legal help
Departing from the “it’s all decentralized, and nobody can do anything about it” narrative that the digital currency space lives by, Poly Network pleaded with exchanges and miners to freeze the attackers addresses and prohibit them from moving the stolen funds.
Tether was one of the first to respond to the call, freezing $33 million worth of USDT on Ethereum just before the attacker tried to launder it through Curve.
Binance CEO Changpeng Zhao stuck to the decentralization line and responded that nobody ultimately controls Binance Smart Chain. He claimed he would do what he could with “no guarantees.”
Poly Network also claimed it would take legal action to recover the stolen funds. This is an interesting development in an industry that has so far lambasted, criticized, and mocked Dr. Craig Wright and others for taking the same approach to recover stolen funds and settle other matters.
The need for regulatory compliance becomes crystal clear
As tends to happen when massive events like this rock the digital currency space, armchair investigators from across the world began researching the history of the attackers’ wallets. Some noticed that it had interacted with several centralized exchanges such as Binance and FTX.
Is it possible that the attacker previously sent funds to or from KYC verified exchange accounts? If so, this will surely lead to their downfall. Even if not, it underscores the importance of exchanges knowing who is signing up to use their platforms.
Industry compliance with AML/KYC regulations would make attacks like this almost impossible as exchange accounts and wallets with large balances would be linked to verified identities. This would immediately expose thieves and criminals using public blockchains for illegal purposes such as moving stolen funds or money laundering.
Update: hacker begins returning stolen funds
On August 11, Poly Network updated its Twitter account to announce that the hacker had returned over $4.7 million in funds.
So far, we have received a total value of $4,772,297.675 assets returned by the hacker.
ETH address: $2,654,946.051
BSC address: $1,107,870.815
Polygon address: $1,009,480.809 pic.twitter.com/bPFAQk4mvS— Poly Network (@PolyNetwork2) August 11, 2021
It’s unclear if the attacker intends to return everything now that they have potentially been identified, but they did a transaction back to one of their wallets, claiming the hack could have been worth over $1 billion and that they were now considering returning some of the coins or leaving them in the stolen addresses.
Watch: CoinGeek Zurich panel, Blockchain Law & Policy