The hacker behind the more than $600 million attack on the cross-chain decentralized finance (DeFi) protocol Poly Network has now returned nearly all of the stolen coins, while the project has described the hacker's actions as “white hat behavior.”
According to an August 12 update on the attack from Poly Network, all of the $610 million in funds stolen in an exploit that used “a vulnerability between contract calls” have now been securely transferred to a multisig wallet that is controlled by the project and the hacker.
The only tokens that remain are $33 million in Tether (USDT) that were frozen shortly after news of the attack emerged. The hacker said:
“The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back.”
Since the incident, the hacker has been communicating with the Poly Network team and other involved parties via messages embedded in Ethereum transactions. The hacker appeared to have had no plan for moving the funds after successfully stealing them, and claimed to have carried out the mega hack “for fun” because “cross-chain hacking is hot.”
Nonetheless, after communicating with the project and users, the hacker returned around $258 million of the funds on August 11. Poly Network said it believes that the attack appeared to display “white hat behavior” and offered the hacker, whom it called “Mr. White Hat,” a $500,000 bounty:
“We assure you that you will not be accountable for this incident. We hope that you can return all the tokens as soon as possible […] We will send you the 500k bounty when the remainings are returned except the frozen USDT.”
With all the other funds except the frozen USDT already returned, the largest hack in the decentralized finance world appears to be coming to an end, although the hacker’s identity is yet to be revealed to the public. Chinese cybersecurity firm SlowMist posted an update moments after news of the hack broke, claiming that its analysts had managed to identify the attacker’s IP address, email address, and device fingerprint.