Poly Network attack: Here’s what happened to biggest DeFi hack in history

In what amounts to the biggest DeFi hack in history and one of the largest the digital asset industry has ever seen, a hacker has stolen more than $611 million in funds from the cross-chain Poly Network.

The Poly Network allows users to swap tokens across multiple blockchains, including Ethereum, Binance Smart Chain, Polygon, and others. Poly Network announced the attack on Twitter on August 10.

How much was stolen? Who did it?

Poly Network was attacked on Ethereum, Binance Smart Chain, and Polygon. Blockchain firm Slow Mist claims the attackers’ initial funds were in Monero and were switched into BNB, ETH, and MATIC for the attack.

In total, at least $611 million in funds were stolen. This sum includes:

  • $273 million on Ethereum
  • $253 million on BSC.
  • $85 million on Polygon.

Assets stolen include WETH, WBTC, RenBTC, DAI, UNI, SHIB, and FEI. The hacker later attempted to deposit USDC and DAI to the DeFi platform Curve.

While it’s as yet unknown who the attacker is, blockchain security firm Slow Mist claimed to have uncovered their email account, IP address, and device fingerprint. This would be enough for law enforcement to locate the individual(s) if it’s accurate information.

Poly Network calls for wallet freezes and legal help

Departing from the “it’s all decentralized, and nobody can do anything about it” narrative that the digital currency space lives by, Poly Network pleaded with exchanges and miners to freeze the attackers addresses and prohibit them from moving the stolen funds.

Tether was one of the first to respond to the call, freezing $33 million worth of USDT on Ethereum just before the attacker tried to launder it through Curve.

Binance CEO Changpeng Zhao stuck to the decentralization line and responded that nobody ultimately controls Binance Smart Chain. He claimed he would do what he could with “no guarantees.”

Poly Network also claimed it would take legal action to recover the stolen funds. This is an interesting development in an industry that has so far lambasted, criticized, and mocked Dr. Craig Wright and others for taking the same approach to recover stolen funds and settle other matters.

The need for regulatory compliance becomes crystal clear

As tends to happen when massive events like this rock the digital currency space, armchair investigators from across the world began researching the history of the attackers’ wallets. Some noticed that it had interacted with several centralized exchanges such as Binance and FTX.

Is it possible that the attacker previously sent funds to or from KYC verified exchange accounts? If so, this will surely lead to their downfall. Even if not, it underscores the importance of exchanges knowing who is signing up to use their platforms.

Industry compliance with AML/KYC regulations would make attacks like this almost impossible as exchange accounts and wallets with large balances would be linked to verified identities. This would immediately expose thieves and criminals using public blockchains for illegal purposes such as moving stolen funds or money laundering.

Update: hacker begins returning stolen funds

On August 11, Poly Network updated its Twitter account to announce that the hacker had returned over $4.7 million in funds.

It’s unclear if the attacker intends to return everything now that they have potentially been identified, but they did a transaction back to one of their wallets, claiming the hack could have been worth over $1 billion and that they were now considering returning some of the coins or leaving them in the stolen addresses.

Watch: CoinGeek Zurich panel, Blockchain Law & Policy

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[10]
[10]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
['on' + event]
['on' + event]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[i]
[i]
[results[1]]
[results[1]]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[10]
[10]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
['on' + event]
['on' + event]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[i]
[i]
[results[1]]
[results[1]]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]