The Poly Network hacker has returned to the cross-chain decentralized finance (DeFi) protocol over half of the $600 million that they stole. They went on to hold a question-and-answer session in which they explained how the initial hack happened.
Over $300 million worth of stolen crypto assets have so far been returned, and the hacker claims that they want to keep the rest of the funds safe while they negotiate with Poly. In what is now described as the biggest DeFi attack to date, the Poly Network suffered a $612-million exploit on August 10 that saw the cybercriminal steal assets from Binance Chain, Ethereum, and the Polygon Network.
The chief scientist at blockchain analytics firm Elliptic, Tom Robinson, told Forbes on August 11 that the hacker has so far returned more than half of the funds to Poly, with $272 million yet to be returned.
I like how the PolyNetwork Exploiter is having an AMA right now… what a ridiculous space. pic.twitter.com/FBQieZqdQW
— Sam MacPherson (@hexonaut) August 11, 2021
The attacker has said multiple times that they are ready and willing to return the stolen funds, which has led to suggestions that it might have been a type of white hat hack meant to teach Poly a very expensive lesson about its security loopholes and flaws.
This view was not necessarily shared by Robinson, however, who said that the return of the funds:
“demonstrates that even if you can steal crypto-assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain.”
The hacker has even held an Ask Me Anything (AMA) using short messages embedded in Ethereum transactions. While these messages appear to have come from a non-native English speaker, what has been lost in translation is their grand plan.
When they were asked why they hacked the Poly protocol in particular, the hacker said they did it “for fun” and because “cross-chain hacking is hot.”
Despite these answers, they went on to say that the hack was done for noble causes. The hacker explained that they have since been transferring tokens between addresses just to keep the funds safe:
“When spotting the bug, I had a mixed feeling. Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.”
The hacker added:
“Now everyone smells a sense of conspiracy. Insider? Not me, but who knows? I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!”
Twitter users noted that the hacker was requesting guidance on how to deposit the funds into Tornado Cash, a decentralized protocol that supports private Ethereum transactions.
Hacker is literally begging for help. pic.twitter.com/JvoshUNfu2
— Sam naique03012009 (@Shane_Naique7) August 10, 2021
The attacker was also asked why they had been swapping and selling some of the stolen stablecoins, to which they responded:
“I was pissed by the Poly team for their initial response.”
Earlier on Wednesday, the Poly team posted an open letter addressed to the hacker, urging them to return the stolen funds, as:
“law enforcement in any country will regard this as a major economic crime and you will be pursued.”
The hacker went on to state that “they urged others to blame me and hate me before I had any chance to reply!” The hacker insists that they have no intention of laundering the money:
“In the meanwhile, depositing the stables could earn some interest to cover potential cost so that I have more time to negotiate with the Poly team.”