Just-In: PolyNetwork Hackers Start Returning $610 Million Stolen Funds

Update: Hackers have returned $133 million worth of funds out of $610 million as per the latest update.

PolyNetwork became the victim of the largest defi hack in crypto history estimated to be worth $610 million. The stolen funds were sent to three wallet addresses one on the Ethereum network containing over $260 million, BSC address with $250 million, and Polygon address with $85 million. The total fund distribution was as follows,

• BSC assets: 6613 BNB, 87,603,671 USDC, 26,629 ETH, 1,023 BTCB, 32,107,854 BUSD
• Polygon assets: 85,089,719 USDC
• Ethereum assets: 96,389,444 USDC, 1,032 WBTC, 673,227 DAI, 43,023 UNI, 14 renBTC, 33,431,197 USDT, 26,109 WETH, 616,082 FEI

The hackers behind the theft had agreed to return the funds earlier today and have demanded a multisig wallet after failing to contact PolyNetwork.

The hacker said,

“FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU. IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO.”

The hackers have started to return the funds starting with the Polygon Network and have already transferred nearly a million dollars worth of USDC.

How Hacker Managed to Steal Significant Chunk From PolyNetwork?

The hacker has boasted that the stolen funds would have been in billion had they decided to transfer “Shitcoins” as well. The main reason for the hack was overriding “Bookkeepers,” someone who is responsible for authenticating fund transfers on the PolyNetwork. Poly being a cross-chain platform requires a cross-chain signature to approve transactions.

There are two theories, one that the hack was inside job or someone leaked the cross-chain signature to the hacker. The second theory suggests that the hacker managed to exploit a loophole to override the bookkeeper’s signature and became the sole authenticator, thus transferring such high amounts of assets.

The hackers tried to launder the money on Curve protocol, but the initial few transactions were declined because of Tether freezing USDT funds,  but the hacker managed to send $76 million in USDC to Curve and another $120 million in stablecoins on Ellipsis Finance.

The hack only exposed the growing vulnerabilities in the Defi ecosystem as the number of attacks on Defi has continued despite maturity in the market.