Cryptocurrency platform Poly Network announced it was hacked to the tune of about $600 million on Tuesday morning, which the company claimed in an open letter is the largest amount ever stolen to date in the decentralized finance, or DeFi, industry.
“Dear Hacker,” the letter, which was posted to Twitter, began. “We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in DeFi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole are from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution.”
Poly Network was launched by the founder of Chinese crypto project Neo and was designed to be a bridge across disparate blockchains. It claimed to resolve issues around “trust” and “security” while being “safe.” The funds were stolen from the Ethereum blockchain, Binance Smart Chain, and the Polygon blockchain. According to an initial postmortem by China-based security firm BlockSec, the fatal flaw may have been a leaked private key used to send a cross-chain message, or some other bug that was abused to similar effect. Eventually, Poly Network tweeted that it had discovered the cause of the hack, chalking it up to a vulnerability in contract calls.
While an open letter beginning with “Dear Hacker” may seem odd, the Hail Mary may well be worth a try. In one head-scratching instance, an alleged scammer returned millions of dollars’ worth of ether stolen from unwitting marks in 2017 and 2018.
In typical fashion, the industry sprang into action in the wake of the hack, tracking the movement of stolen funds. The attackers’ addresses have been marked on blockchain explorers, and Tether, which runs the USDT stablecoin, froze some of the attackers’ funds on its end.
Some, however, saw an opportunity.
One user sent a message to the attackers attached to a transaction, warning them not to try to move the USDT tokens. “DONT USE YOUR USDT TOKEN YOUVE GOT BLACKLISTED” the message read. In return, the hackers sent the user $42,000 worth of ether.
Since that incident, numerous people have sent small transactions to the attackers with messages begging for a handout:
“God, please accept my worship”
“I like you as a knight”
“Hello, brother hacker, I am a student from a mountainous area. I have known blockchain since I was born. I am currently penniless and faceless facing the folks who sent me out of the mountain. I hope my brother will show compassion to save the child.”
“Hi Can i haz shitcoins I will properly dispose of them Hack the Planet”
“Hello, I appreciate your hacking skills. I don’t know if I can rob the rich and help the poor. I owe a lot of money because of fcoin’s runaway last year. I hope I can get your help, even a little bit, thank you! May you be healthy and safe!”
“thanks，i need eth! ”
Poly Network did not immediately respond to a request for comment.
With reporting from Jason Koebler.