Poly Network Hacker Offered $500,000 To Return Stolen Tokens

Blockchain site Poly Network is now calling the hacker who stole $611m worth of digital tokens earlier this week a white hat hacker (i.e. an ethical hacker or security expert who carries out penetration testing).

On Tuesday this week Poly Network took an unusual approach and published a letter appealing directly to the ‘hacker’ to return the stolen digital assets, worth an eye-watering $611m.

“The amount of money you hacked is the biggest one in the defi (sic) history,” it wrote. “Law enforcement in any country will regard this as a major economic crime and you will be pursued…You should talk to us to work out a solution.”

White Hat Hacker?

Over the course of the week, the hacker gradually began to return the stolen tokens to three crypto addresses supplied by the DeFi platform for the hacker to use.

By Thursday morning the hacker had returned assets worth $342 million.

But by Friday morning Poly Network posted an update saying that most of the remaining assets in the hacker’s possession had been transferred to a digital wallet controlled by both the hacker and the company.

That said, the hacker still reportedly holds $33.4m of stolen Tether [tokens], but that is reportedly because the tokens have been frozen by Tether itself.

Bug bounty

The returning of most of the stolen assets was an unexpected development.

But perhaps even more surprising was the anonymous hacker claiming, in a Q&A within a transaction, that he had stolen the tokens “for fun”.

He also said he had done it to encourage the cryptocurrency exchange firm to improve its security.

Poly Network then confirmed on Friday it had offered what it called ‘the white hat hacker’ a $500,000 ‘bug bounty’, if he returned the stolen assets, as well as a promise of immunity from prosecution.

The hacker has reportedly refused to accept the bug bounty offer.

Expert reaction

The decision by Poly Network to offer a bug bounty and promise immunity has raised some eyebrows within the cybersecurity community.

“In a rather bizarre turn of events, most of the money returning reveals that the process of cashing out and laundering many cryptocurrencies can prove difficult for the lesser professional career criminal,” noted Jake Moore, cybersecurity specialist at ESET.

“Offering immunity may have sounded like a smart move from Poly Network to dangle a carrot, but it is unlikely that the authorities would agree with this decision nor even allow it,” Moore added.

“This attack is likely to have been watched closely by cybercriminals and law enforcement alike, potentially opening up the possibility of copycat attacks,” he said.

“However, next time, the attackers may plan an exit strategy involving cryptocurrencies that aren’t so well monitored,” Moore concluded.

Tom Jowitt
