Two weeks ago, the hacker started returning the funds.
After stealing crypto coins worth $600 million from Poly Network, the hacker has completed returning them (via CNBC). Poly Network says in a blog post that it’s now beginning the process of returning the stolen assets, including Ethereum, Binance tokens, and Dogecoin, to their rightful owners. Poly Network says that there’s still work for it to do — it’s working on getting approximately $33 million worth of assets unfrozen and is continuing to restore the functionality of its Poly Bridge service, which lets users transfer crypto between blockchains.
After the attack, the hacker said that he’d stolen the funds to keep them safe, saying that putting the coins in a “trusted account” was a way to highlight the bug without allowing someone else to make away with them. Poly Network has had a fairly constant banter with him; even calling him “Mr White Hat” was the hacker’s title in Poly Network’s series of updates. Poly Network invited the hacker as their chief security adviser. The hacker (seemingly jokingly) accepted the invitation, sending a message to the company stating, “your chief security advisory.” Chainalysis also points out that it can be difficult to spend stolen funds due to blockchain tech’s transparency.
“THANKS TO MR. WHITE HAT’S COOPERATION, POLY NETWORK HAS OFFICIALLY ENTERED THE FOURTH PHASE OF OUR ROADMAP ‘ASSET RECOVERY.'”
After the hack occurred earlier this month, there was speculation about how the hacker had carried it out, with some analysts suggesting that he had even been able to obtain Poly Network’s private keys. The further analysis seems to show that this wasn’t the case — instead, the hacker was able to exploit a security flaw in the Poly Network that allowed him to execute transactions that he shouldn’t have been able to.
“SORRY FOR THE INCONVENIENCE!” It MUST BE ONE OF THE WILDEST ADVENTURES IN OUR LIFE.
Embedded in one of the final transactions from the hacker is a long note, in which he apologizes for the inconvenience he’s caused, calls the hack and process of returning the funds a “wild adventure,” and promises to return more money than he originally stole (which he requests be distributed to “survivors,” seemingly referring to those who had their money stolen). The hacker claims that the additional funds from the $500,000 bounty Poly Network paid him to find the security flaw. He also claimed that the hacker received a stream of donations since then (and continues to receive, according to his wallet transaction records).
“DISTRIBUTING EXTRA ASSETS TO ‘SURVIVORS” WOULD BE THE LAST REQUEST OF THIS MAN.
Poly Network said in another blog post that it would start a $500,000 bug bounty program to encourage researchers to find (and responsibly disclose) other vulnerabilities in its software. Currently, the company’s bug bounty listing on Immunefi says that the maximum bounty is $100,000.
As for when Poly Network’s users will see the returned funds hit their wallets, the company says it’s working on returning them “within the shortest time frame possible.”