That a hacker is able to take a loot of 600 million dollars (more than 500 million euros) is more like the plot of a movie than reality. That then begins to return the money adds to the matter a bizarre twist of the script as unlikely as it is true, if you look at the information provided by the Poly Network cryptocurrency platform.
It all started at 2:30 p.m. last Tuesday, when the firm communicated on the social network Twitter that it had suffered a theft of cryptocurrencies, especially ethereum, binance smart chain and polygon. In a statement, he addressed the culprit directly in a more threatening than conciliatory tone: “Dear hacker. We want to communicate with you and urge you to return the hacked assets. The amount of money hacked is the largest in the history of decentralized finance. Law enforcement in any country will consider this a major financial crime and you will be prosecuted. The money he stole belongs to tens of thousands of members of the crypto community, ”the message read.
That same day, the company noted that a quick internal investigation allowed them to identify that the security hole was in the vulnerability of one of its smart contracts – those that use a computer code or protocol that makes it easy to automatically verify and enforce a contract. , without the intermediation of people. Hours later, Poly Network provided on social networks the three addresses in which it expected the pirate to return the cryptocurrencies. He based all his hopes on it being a hacker of white hat, those interested in exposing the security weaknesses of the companies so that they fix them and not to enrich themselves at their expense.
With all the eyes of the crypto community on the matter, the strategy seemed to pay off. Poly Network first reported that four million had been returned, then the amount rose to 260 million, and later to $ 342 million. However, the last part of the refund, more than 200 million, remained pending that the hacker provide access codes and the company has not yet confirmed that it has been able to recover them. The management of the crisis, facing a hacker anonymous and unpredictable, it does not seem simple, so the platform has asked for peace of mind. “We hope that users who are temporarily unable to transfer their assets will try to remain calm and patient, as their understanding will help the team manage their asset recovery in the most appropriate manner,” the company noted.
An act “for fun”
In parallel, Tom Robinson, a regular advisor to governments on cryptocurrency crimes and co-founder of Elliptic, a company of blockchain based in London, published, also on Twitter, the messages left by the hacker embedded in the transactions. In them, the hacker He claims to have done it “for fun”, he says he is not very interested in money because he has already earned enough investing in cryptocurrencies and ensures that the plan was always to return what he had taken. “I know it hurts to be attacked, but shouldn’t people learn something from these hacks? ”Asks the cybercriminal. Using sometimes mocking rhetoric and sometimes purportedly profound, he even allows himself to quote the German philosopher Martin Heidegger and present himself as an undetectable hero hungry for strong emotions. “I prefer to work in the dark and save the world,” he writes. “I have been exploring the meaning of life for a while. I hope that in my life there are unique adventures ”, he adds.
His identity remains a mystery, but the hacker is being tracked. The Chinese cybersecurity firm Slow Mist reported that its investigators identified the email address, IP address and fingerprint of the suspect’s device, which gave hope that he could be caught, but no news has emerged.
Despite the supposed ethical purpose of their action, supposedly a way to alert of a security breach, experts cited by the agency Reuters doubt that the initial intention was that and point out that he could choose to return the juicy sum of money in the face of complications to get it extracted for his personal use, since the transactions leave a trace. The affected company has also tried to tempt him to speed up the process: he offered the pirate $ 500,000 (425,000 euros) if he returns everything stolen and as a reward for having put them on the trail of the security problem. The hacker He did not respond to the offer and began to return the money.
Poly Network has apologized for what happened, which has left part of its users unable to transfer their assets, and ensures that the failure in the system that allowed the theft has already been corrected. To avoid future problems, it has launched a program by which it will reward security agencies with $ 100,000 for each vulnerability they detect in their operations, up to a maximum outlay of $ 500,000, or what is the same: five failures.
Unrest in investors
Full money recovery has another hurdle. When he learned of the theft, Tether, issuer of one of the coins stolen from Poly Network, was able to freeze 33 million dollars of the amount stolen to prevent the thief from transferring it to his benefit and both firms are in talks to see how to unlock that money.
The incident brings to the table the risks of the burgeoning cryptocurrency business, whose current market value is around two trillion dollars. The news may bring some uncertainty to a part of investors, who assume with some unease the danger of placing their money in a deregulated sector seeking to prolong the streak of fast and large profits that many of the cryptocurrency buyers accumulate. However, among the supporters of these electronic currencies there are those who defend that the fact that the hacker The money has not been pocketed is precisely due to the nature of the ecosystem of decentralized finance, which they consider transparent and easily traceable, which would be an argument in favor of its use and not the other way around.
In 2014, the Japanese Mt. Gox, One of the largest bitcoin exchanges, it filed for the national bankruptcy law after more than 300 million euros in bitcoins at the current price disappeared from its virtual wallets. In 2018, security concerns made headlines again in Japan as well. The authorities of that country gave a serious wake-up call to cryptocurrency exchanges after the theft from Coincheck of 430 million euros in digital currencies stored in the virtual wallets of some 260,000 users. More recently, in April this year, the founder of the Turkish cryptocurrency platform Thodex fled the country after leaving nearly 400,000 investors high and dry in a multi-million dollar fraud in which 62 people have been arrested.