Hackers have siphoned $611 million worth of cryptocurrencies from a blockchain-based financial network in what's believed to be one of the largest heists targeting the digital asset industry, putting it ahead of breaches targeting exchanges Coincheck and Mt. Gox in recent years.
Poly Network, a China-based cross-chain decentralized finance (DeFi) platform for swapping tokens across multiple blockchains such as Bitcoin and Ethereum, on Tuesday disclosed unidentified actors had exploited a vulnerability in its system to plunder thousands of digital tokens such as Ether.
"The hacker exploited a vulnerability between contract calls," Poly Network said.
The stolen Binance Chain, Ethereum, and Polygon assets are said to have been transferred to three different wallets, with the company urging miners of affected blockchain and centralized crypto exchanges to blocklist tokens coming from the addresses. The three wallet addresses are as follows -
- Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 ($273 million)
- Binance Smart Chain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 ($253 million)
- Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 ($85 million)
In an open letter, the protocol maintainers urged the thieves to "establish communication and return the hacked assets."
"The amount of money you have hacked is one of the biggest in DeFi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. [...] The money you stole are from tens of thousands of crypto community members, hence the people," the team said.
Tether's Chief Technology Officer Paolo Ardoino tweeted that the stablecoin company froze $33 million worth of its tokens that were taken in the haul.
"We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can," Binance CEO Changpeng Zhao said in a tweet.
The identity of the hacker remains unclear, although blockchain security firm SlowMist claimed it was able to trace the attacker email address, IP address, and device fingerprint and that their initial source of funds were in Monero coins, which were then exchanged for ETH, MATIC, and other currencies.
Update: Poly Network on Wednesday said the unknown culprit behind the attack had sent back $261 million worth of crypto assets that were stolen from the platform (Ethereum: $3.3 million, BSC: $256 million, and Polygon: $1 million). While the motive behind returning the stolen digital funds remains unknown, in a "Q&A" held via Ether transaction notes, the hacker claimed it was "for fun."
"The Poly Network hack and subsequent return of funds shows that it’s becoming more difficult to pull off large-scale cryptocurrency theft," Blockchain analysis platform Chainalysis said. "That may sound counterintuitive given that this $600 million theft represents the biggest DeFi hack of all time, and that the fast-growing DeFi ecosystem is uniquely vulnerable to hacks. However, cryptocurrency theft is more difficult to get away with than theft of fiat funds. This is due in part to the inherent transparency of blockchains."