August has been a big month for hacks as one of the biggest in cryptocurrency history was pulled off on the Poly Network, with strange results.
The cyberattack against the Poly Network has made headlines with several bizarre twists and head-scratching turns. It might be imagined that plundering cryptocurrency exchanges is easier than robbing a bank.
High-stakes cryptocurrency thefts are seemingly on the rise. However, it is essential to point out that these decentralized technologies are still evolving. As with any system, when vulnerabilities are discovered, they get fixed.
The Poly Network saga
The Poly Network was undoubtedly this month’s biggest hacker scandal.
The hacker found a vulnerability in the smart contracts that the Poly Network uses to move crypto assets between chains. Through this, they found their way in.
They then proceeded to pull off a monumental crypto heist across three chains: Ethereum, Binance Smart Chain, and Polygon were all hit. They drained over $600 million from the decentralized finance (DeFi) platform.
What’s more, the attacker maintained a public presence during this attack. They even went so far as to publish a Q&A which claimed the attack was “for fun.”
However, their actual motives for taking the money are not clear, because their justifications are contradictory and confusing to follow. In their Q&A, they allege that they took the tokens “to keep it safe.”
They claimed that they took the money to prevent insiders at the Poly Network from finding and exploiting the vulnerability first. However, instead of reporting it so it could be fixed, they took the money.
Having appointed themselves guardian of the vulnerability, they then focused on robbing the DeFi platform and on finding the best way to launder the money out unnoticed.
However, the attacker made noisy transactions under the watchful eye of the crypto community, all of them observable on the public blockchain. They even purchased a Cryptopunk NFT for 42,000 ETC, a figure that is worth over $180 million.
An unusual hacker move
What’s strange is that they eventually returned $550 million of the stolen money. The hacker pocketed the other half for a time, despite attempting to explain that the intrusion was carried out with good intentions.
In a Twitter thread, Poly Network said, “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses … We will take legal actions, and we urge the hackers to return the assets.”
Tether, which operates the stablecoin USDT, responded to the call to blacklist the addresses used by the attacker.
As this was occurring, a fellow cryptocurrency user by the name of Hanashiro delivered a blank Ethereum transaction to the attacker with advice to help the hacker maneuver around the changing landscape, saying, “don’t use your USDT token, you’ve got [sic] blacklisted.”
The intruder responded to Hanashiro half an hour later, sending 13.37 ETH, worth around $57,000, as a token of gratitude. Hanashiro then sent some of the funds to charity organizations.
Community members support hacker
Word of this payment got around and spread like wildfire, igniting a “gold rush” on the Ethereum network.
Would-be accomplices started messaging the account used by the attacker, with messages ranging from advice on how to launder the money to pleas for charity donations.
Poly Network stated that they would pursue legal actions against the attacker, saying that “law enforcement in any country will regard this as a major economic crime, and you will be pursued.”
As the situation escalated due to unreturned funds, the Poly Network then offered the intruder $500,000 for discovering the vulnerability.
The hacker turned them down. After all, they were holding close to half a billion dollars in stolen assets.
Somewhere in between the Poly Network urging the hacker to return the money and it eventually being returned, Poly Network offered the intruder a job as their new Chief Security Advisor, which was also rejected.
“After communicating with Mr. White Hat, we have also come to a more complete understanding regarding how the situation unfolded as well as Mr. White Hat’s original intention,” reported Poly Network in a statement, where they refer to the intruder by this moniker.
Tracking the hacks
This isn’t the end of the story, however. SlowMist, a blockchain ecosystem security company, was able to untangle the thread leading back to the hacker.
It did so by unmasking their mailbox, IP address, and device fingerprint through a combination of on-chain and off-chain tracking.
With the technical aid of SlowMist’s partner Hoo Tiger Symbol, along with multiple participating exchanges, the SlowMist security team was able to ascertain that the attacker’s initial source of crypto was Monero (XMR).
The attacker then exchanged those funds for BNB, ETH, and MATIC on the exchange, withdrew them to several addresses, and then launched hacks on three exchanges.
The flurry of activity on the blockchain made the attacker easier to track. Even so, SlowMist concluded that the attacker had thoroughly researched, planned, and organized the hack before executing it.
More hacks, different victim
The next event in this saga came from Fetch.ai, an artificial intelligence lab based in Cambridge. After a hacker breached its cryptocurrency accounts on June 6, Fetch.ai asked Binance to identify the hacker and track the movement of the funds.
The exchange restricted the attacker’s accounts, preventing them from withdrawing assets. Consequently, the attacker reportedly sold the funds to a third party within an hour.
Fetch.ai requested that Binance put a hold on the intruder’s accounts on the exchange. Adding weight to the request, the Supreme Court granted it so that the incident could be fully investigated and resolved through legal channels.
Reports indicate that Binance will comply with the court orders. Nevertheless, Fetch.ai will not be able to seek a recovery order until it provides evidence demonstrating that it has been the victim in this matter.
“We need to dispel the myth that cryptoassets are anonymous. The reality is that with the right rules and applications, they can be tracked, traced, and recovered,” said Syedur Rahman, who is a partner at Rahman Ravelli representing Fetch.ai.
Binance was already under fire as financial institutions around the world have been scrutinizing the exchange. The United Kingdom, along with several other countries, has issued admonitions about using the exchange. Meanwhile, others have implemented bans altogether.
Japanese Liquid Crypto breached
The Poly Network was not the only security incident in August. Threat actors also attacked Liquid Crypto, a Japanese crypto exchange based in Tokyo, funneling out $97 million in cryptocurrencies consisting of BTC, ETH, TRX, and XRP. The hackers targeted hot wallets.
Liquid Crypto responded by saying it was temporarily moving all assets offline into cold storage wallets. Furthermore, it suspended all transactional services.
The exchange reported that they are “currently tracing the movement of the assets and working with other exchanges to freeze and recover funds.”
According to a blog post, the company explained that the hacker targeted a Multi-Party Computation (MPC) wallet. MPC wallets are used for storing and managing the cryptocurrencies of its Singapore subsidiary, QUOINE PTE. However, Liquid Crypto did not offer a statement explaining how the intruders were able to break in.
“We are currently investigating and will provide regular updates. In the meantime, deposits and withdrawals will be suspended,” said the exchange in a tweet.
Additionally, Liquid Crypto tweets show the cryptocurrency addresses that were used by the hackers to exfiltrate the stolen assets.
Bug bounties could offer a solution to hacks
In a recent blog post, the Poly Network said it would launch a $500,000 bug bounty program, inviting researchers and hackers to discover and report vulnerabilities in its software.
According to the bug bounty listing on Immunefi, the maximum bounty payout is $100,000. With attractive incentives from collaborations with positive actors in the cybersecurity field, this could be viewed as an extra layer of asset protection.
Keeping ahead of bad actors in the race to find exploitable holes is undoubtedly key to working out the kinks. Who finds them first is the open question.
A bug bounty program is a crowdsourcing initiative. It compensates individuals who find and report software vulnerabilities, typically uncovered through code audits and penetration testing.
This allows companies and members of the cybersecurity industry to fix weaknesses before threat actors discover them and turn them to their own advantage.