The $611M Poly Network exploit is the largest crypto hack to date in terms of mark-to-market value and all the stolen funds were returned, but the identity of the hacker is still unknown.
Dubbed “Mr. White Hat” by the Poly Network security team, the anonymous perpetrator of the biggest crypto hack to date gave all the stolen crypto assets back within 15 days of the incident.
But how was the hack carried out? Why did they return the funds? And how did they manage to remain anonymous? We’ll explore these questions, but first..
What is the Poly Network?
The Poly Network is a DeFi platform that enhances blockchain interoperability by enabling users to transfer information and cryptocurrencies between various blockchains. Using the Poly Chain consortium blockchain as its framework, the Poly Network deploys a series of smart contracts to establish bridges between Bitcoin, Ethereum, BNB Smart Chain, and more than 20 other blockchains.
In simplified terms, Poly Network lets blockchains talk to each other using smart contracts.
How the Poly Network Hack Happened
A comprehensive technical report by Kraken Security Labs less than 2 months after the incident revealed the mechanics of the attack. Through a series of data manipulation techniques in the high-level code of the Ethereum smart contract, the attacker was able to grant himself the necessary permissions to transfer all Poly Network funds on the Ethereum blockchain into his own wallet, which included 2,528 ETH valued at $267M at the time.
The same method was used to extract 6,610 BNB valued at $252M to the attacker’s BNB Smart Chain wallet, and again it was used to transfer roughly $85M worth of USDC into the attacker’s wallet on the Polygon network.
The stolen assets also included several million dollars worth of Shiba Inu, DAI, USDT, and BUSD, for a grand total of around $611M at the time of the attack and making it the biggest crypto hack as of October 2022.
The Axie Infinity Ronin Bridge Attack wasn’t the biggest crypto hack of all time.
Why did they Return the Funds?
Oftentimes “white hat” security experts will reveal vulnerabilities in networks by exploiting them first and answering questions later. This is how they ensure they’ll get paid for finding the bug, but it’s also risky because they could technically be breaking various laws. In the case of the Poly Network hack, countless international finance and cybercrime laws were broken, so it was imperative that the attacker remained anonymous.
In short, the attackers claim it was done with the intention of returning the funds the whole time. However, many in the cybersecurity community are skeptical of this claim, especially in light of the fact that the hacker started moving the funds around between various smart contracts and wallets immediately after the incident.
In a series of messages left by the hacker via Ethereum transaction notes, they said they had done the attack for fun, and also asked “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
It’s worth noting that the hacker was only able to return $340M worth of crypto initially, as the rest was frozen by Tether and other blockchain security firms, or locked in DeFi contracts, and the total amount was finally moved back into the Poly Network’s possession on Aug 25, 15 days after the attack. Blockchain-based security firm SlowMist also announced hours after the attack that they had identified the attacker’s email, IP address, and device fingerprints. This all drew speculation that they only decided to return the funds once they realized how difficult it would be to launder them.
The bug bounty offered to “Mr. White Hat” by Poly Network was a $500,000 reward, plus an offer to become their chief security advisor. It’s still unknown if they took the position.
How the Poly Network Hacker Managed to Remain Anonymous
While SlowMist did say they had identified the attacker’s email, IP address, and device fingerprint, a sophisticated hacker knows how to mask those properties and shield their true identity. It’s unlikely that any of these identifiers would reveal the precise location or true identity of the attacker. However, the smartest thing the attacker did was not try to reach any cashout points or make any withdrawals of the funds, because that’s the point at which digital identities collide with reality.
The attacker was able to remain anonymous by letting their pseudonymous digital identity be found, but never revealing any personal information through it. They would not have been able to cash out the funds without revealing their true identity.
This is yet another lesson taught to us by “Mr. White Hat”, which is that despite the headlines about massive smart contract exploits like this one, cryptocurrencies aren’t as private or as easily laundered as people think.
For over 30 years, Marin Ivezic has been protecting financial services and critical infrastructure against financial crime, cyber, and regulatory risks. He previously held multiple interim CRO, CISO and technology leadership roles in Global 2000 companies. Since 2013 he has been advising institutions and regulators around the world on safe, secure and compliant adoption of crypto assets and other decentralized technologies.