An unidentified hacker stole $600 million worth of virtual currencies from Poly Network, the cryptocurrency company announced Tuesday. Then in an unusual twist, less than 24 hours later, the hacker began to return some of the stolen money after a public plea from the company.
As of publication time, the hacker had returned more than $4,772,000 worth of assets, according to the company. Chainalysis, a cryptocurrency-tracking firm, confirmed Wednesday that funds were on the move.
The incident is the largest public attack against the decentralized financed industry to date. The identity of the thieves remains unclear.
Poly Network offers a service that promises interoperability between different chains of cryptocurrency, which each have their own digital ledger and act independently of one another. A preliminary investigation by cybersecurity firm SlowMist found that the hacker exploited a vulnerability in a feature that allows for the implementation of exchanges across chains. This allowed the hackers to replace the address of the manager of the funds, allowing them to withdraw money at will.
Changpeng Zhao, CEO of cryptocurrency exchange Binance, said on Twitter that the industry was coordinating security in response to the exploit.
The cryptocurrency industry has been under significant government scrutiny in recent months due to the use of virtual currencies by hackers to acquire funds from victims. Financial regulators and lawmakers in the United States have pushed to make payments easier to trace. Reporting requirements passed yesterday in the Senate version of the $1 trillion infrastructure bill have been met with steep opposition by industry and privacy advocates.
But this latest attack shows that cryptocurrency isn’t a flawless solution for hackers.
“I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” Tom Robinson, co-founder and chief scientist at Elliptic, wrote in an email. “In this case the hacker concluded that the safest option was just to return the stolen assets.”
A representative of Poly Networks declined to say if the company was working with law enforcement on the matter.