US$600 million stolen in biggest crypto hack in history

UPDATE: Incredibly, the hackers are returning the funds. Why?
11 August 2021

A screen showing exchange rates of cryptocurrencies at an exchange in Seoul in 2017. (Photo by JUNG Yeon-Je / AFP)

The rapidly growing but still nascent decentralized finance (DeFi) industry has been rocked by what could be the biggest theft of cryptocurrency assets ever, with the attackers said to have made off with US$600 million in crypto assets in the sensational hack.

DeFi platform Poly Network said yesterday, August 11, 2021, that the thieves exploited a vulnerability in its “contract calls”, which are a type of test not intended to be published to a blockchain that allows for transparent, traceable transactions.

Poly Network is a blockchain protocol that links blockchains together, with the purpose of making them interoperable. Exploiting the vulnerability allowed the theft of a variety of crypto assets, including about US$267m of Ethereum, US$252m of Binance coin, and roughly US$85m in USDC tokens, a cryptocurrency whose value is pegged to the US dollar, according to wallet addresses posted on Twitter.

The hack is thought to be one of the largest ever in crypto, trumping the US$530m heist at Tokyo-based bitcoin exchange Coincheck back in 2018. Poly Network referred to it as “one of the biggest in the DeFi history” in an interesting tweet in which the protocol operator urged the perpetrators to return the stolen assets.

The nature of cryptocurrencies is that they are largely anonymous, which creates an interesting dichotomy within the DeFi space, as central financial intermediaries such as brokerages, exchanges or banks are not required to perform transactions. Instead, the processes are often entirely automated and can be used off the shelf by anyone interested enough to learn.

Conversely, the anonymity of the crypto assets themselves makes such a hack extremely attractive to parties who are willing to put in the necessary work to take advantage of any vulnerabilities. But the traceability of transactions on the blockchain means that “even if you can steal crypto assets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” said Dr Tom Robinson, co-founder & chief scientist at blockchain analytics specialists Elliptic, to Yahoo Finance UK.

This might explain why Poly Network figured the Twitter appeal might pay off: despite the crypto hack likely being long-planned and well organized, there are limited avenues to clear the funds. Poly Network had already urged other members of the cryptocurrency ecosystem to “blacklist” the assets coming from addresses used by the attacker to siphon away the funds, and had enlisted security help from notable players such as Binance, the most prolific cryptocurrency exchange right now.

Following the attack, Poly Network established several addresses to which it said the attacker could return the money. And it appears the incredible gambit is paying off: after security researchers said they had identified a trail of digital clues such as the attacker’s mailbox, IP address, and device fingerprints discovered through on-chain and off-chain tracking, Poly Network tweeted this morning that over US$4.7 million had been returned to some of the designated addresses.

“In this case, the hacker concluded that the safest option was just to return the stolen assets,” surmised Dr Robinson. “So I think that this will actually improve confidence in decentralized finance.”

Whether trust in DeFi grows remains to be seen. Such hacking incidents shed light on the lack of consumer protections within the crypto space, and regulators such as the SEC in the US continue to probe whether oversight of crypto platforms should be made mandatory, even as retail investors continue to pour billions into digital currencies.

According to CipherTrace, the US$156 million netted from DeFi-related hacks in the first five months of 2021 – prior to the Poly Network incident – already surpasses the US$129 million stolen in DeFi-related hacks throughout the entirety of 2020.