Only a few days have passed since the hack of the Poly Network cryptocurrency project, and the story is already beginning to seem like a cyberpunk-style plot.
Recall that the hacker attack became the largest in the entire history of the industry: the anonymous man managed to get more than $ 600 million in crypto. Shortly after the event, the hacker held an Answers to Questions (AMA) session, in which he promised to fully recover all losses and stated that his attack on the protocol was done «for fun. «
The Poly Network project focuses on bringing together different blockchains like Ethereum, Binance Smart Chain, Solana, and so on. Thanks to this, users of different networks will be able to interact with each other, and the developers themselves will be able to create a «new generation Internet».
Such a replica is on the official website of the project.
Despite the great prospects of Poly Network, it became a victim of a hack – and the largest in terms of the amount of stolen funds. However, the hacker did not initially plan to keep money for himself. This and other details of the hacking author’s activities became known thanks to his story.
How Poly Network was hacked
The session of answering questions itself was done in an unusual style – the hacker encrypted it in UTF-8 encoding in the form of transactions sent to himself. To see his questions and answers, follow the link to one of the transactions in the Etherscan blockchain explorer and select UTF-8 in the Input Data section. Below is a screenshot published by journalists from the news outlet Decrypt.
In the information from the transactions, the hacker explained that the hack was supposed to «teach a lesson» to all participants in the Poly Network ecosystem. At the same time, the refund was “originally planned”. Here is his line.
I’m not interested in money. I know it is very frustrating when people become victims of hacker attacks, but shouldn’t they learn a lesson from them?
Apparently, the hacker really had no intention of embezzling the stolen funds. At the very least, their return began fairly quickly after the break-in.
On August 11 at 7 pm Moscow time, the hacker announced a full refund. He did it with this remark.
I announced my decision before midnight so that people who believed in me could sleep well. 😉
At the time of this writing, the hacker has already managed to return at least $ 342 million in crypto. He also made it clear why refunds take so long. The fact is that the cracker is in constant negotiations with the Poly Network team, and also tries to maintain his «honor and anonymity . » In addition, he denied any suspicion of «insider activity . » That is, the hacker is not a member of the team itself and does not cooperate with the project from the outside.
The AMA also noted some indignation on his part.
They quickly pushed everyone to blame and hate me even before I had a chance to justify myself!
Accordingly, the hacker did not like the harsh condemnation from the cryptocurrency community. Although, in fact, he just used the vulnerability to strengthen the project in the future – and he was not going to keep the money for himself. At the same time, we believe that it is possible to understand the harsh criticism of the community: it is always unpleasant to lose money in large quantities.
Finally, here is a quote from a cracker about the attack itself.
When I noticed the bug, I had mixed feelings. Ask yourself what you would do if you had access to this state. Politely ask the project team to correct their mistake? Anyone can become a traitor for one billion dollars. I can’t trust anyone! The only option was to keep funds in a trusted wallet.
Accordingly, in this case, the hacker was afraid to report the vulnerability found to someone from the team, because he was not sure of them. Indeed, in such a situation, some representatives of the project, in theory, could behave unpredictably.
That is, the hacker tried to «keep» the cryptocurrencies in his possession – in case someone from the team really attempted to steal the money. Most interestingly, someone had previously warned the hacker not to move his USDT out of his own wallets, as they were blacklisted on many cryptocurrency platforms. For this, the anonymous benefactor received 13.37 ETH from the hacker .
I felt warmth from the Ethereum community. I have shared my goodwill with the person.
As the author of the attack noted, he made good money as the cryptocurrency industry developed. Therefore, he does not need money.
As the hacker noted at the end, he was attracted by the idea of hacking and refunding, because in that case he could remain a «moral leader.» At the same time, he described his passion as the ability to «hack everything in order to fight fate.»
A story that could have ended in disaster for many people has a happy ending. The mysterious burglar was not really a villain, but a guardian of moral standards, even in such a seemingly delicate topic as possession of hundreds of millions of dollars. He had the opportunity to appropriate this money for himself, but he did it with good intentions.
We believe what happened proves how unique the cryptocurrency industry is. It includes not only rapidly developing blockchain projects, but also individuals who put global happiness above their own interests. I would like to believe that his example will inspire developers who will help to fix vulnerabilities of popular projects in the future.