Over $600 million reportedly stolen in cryptocurrency hack

Over $611 million has reportedly been stolen in one of the largest cryptocurrency hacks.

Decentralized cross-chain protocol and network, Poly Network announced today that it was attacked with cryptocurrency assets having successfully been transferred into the attackers’ wallets.

Largest DeFi hack to date: $611 million stolen

Today, Poly Network announced getting hit by a major attack that led to attackers having successfully transferred Binance Chain, Ethereum, and Polygon assets into their wallets:

Important Notice:

We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:

ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963

BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

— Poly Network (@PolyNetwork2) August 10, 2021

The Block estimates that the value of stolen assets to be at least $611 million, making this the largest DeFi hack thus far.

Poly Network was created by a collaboration between multiple blockchain providers, namely, Neo, Ontology and Switcheo to enable users to exchange tokens across different crypto platforms, including Bitcoin and Ethereum.

The attacker wallet addresses associated with this incident are:

ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963

BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

The breakdown of the stolen assets is as follows:

• Ethereum tokens: $273 million
• Binance Smart Chain: $253 million
• Polygon Network (in USDC): $85 million

Centralized stablecoin provider Tether has since blacklisted the USDT on Ethereum—worth $33 million of tokens, that was stolen in this attack.

“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses. @Tether_to @circlepay.”

“We will take legal actions and we urge the hackers to return the assets,” stated Poly Network in the same Twitter thread.

Binance CEO, Changpeng Zhao also tweeted that the company was coordinating with security partners to remediate the situation but that there are no guarantees:

We are aware of the https://t.co/IgGJ0598Q0 exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can. Stay #SAFU. https://t.co/TG0dKPapQT

— CZ Binance (@cz_binance) August 10, 2021

The Block research team’s Igor Igamberdiev believes the hack was caused due to a cryptography issue, which is a rare happening when it comes to cryptocurrency protocols.

“It may have been similar to the Anyswap exploit, which saw $7.9 million stolen due to a hacker reversing the private key,” surmised Igamberdiev.

Blockchain security firm SlowMist claims they were able to trace the attacker’s ID and have identified the attacker’s email address, IP address, and device fingerprint.

According to SlowMist, the attacker transacted in Monero (XMR) originally and exchanged the funds later for BNB, ETH, MATIC, and other tokens used to fund the attack.

The complete damage and implications resulting from this incident are yet to be found out, but networks and pools relying on Poly Network may have to suspend their operations.

That has already been the case with the O3 trading pool that uses Poly Network. O3 has halted its cross-chain functionality.

Users posting money laundering tips

Following the attack, BleepingComputer has come across transactions sent to the attacker with tips on how to launder the money and requests for free cryptocurrency.

Some of the tips appear to be from threat actors or other scammers on ways the stolen funds can be laundered:

Another tip was sent by a user warning the hacker not to transfer the USDT tokens as they have been blacklisted:

In return for the tip to not transfer blocklisted USDT, the threat actor sent the user 13.37 Ethereum tokens (the amount being an innuendo for “leet”) worth $41,474.41, as seen by BleepingComputer.

After receiving the money, the tipper began donating 1.337 ETH tokens or $4,148.32 to Binance Charity [transaction], Archive.org [transaction], Etherscan [transaction], and infura.io [transaction].

Other transaction comments seen by BleepingComputer are from people asking the threat actor to send them free cryptocurrency.

“I come from a remote and impoverished Guizhou mountainous area in China, and I need money to study for my sister. My sister’s name is July, and I thank you for her! Robinson,” read another tip seen by BleepingComputer.

“Respected Hacker… I’m a father of three, and my wife is in chemo for cancer. I sold my house and the car. Deposit O3 hopes to provide medical expenses for my wife, and help me better take care of them, but today your behavior causes me to bankrupt, I hope you can give me money 5 eth. 0xe3D….0b03c,” read yet another comment.

This is a developing story.

Updates:

Aug 11th, 9:32 AM ET:

On August 10th, Poly Network had urged the threat actors to return the stolen cryptocurrency assets as a heist this big is likely to be on law enforcement’s radar.

Today, Poly Network says thus far they have recovered assets worth around $4.7 million—still that’s a tiny chunk of the total stolen amount:

So far, we have received a total value of $4,772,297.675 assets returned by the hacker.

ETH address: $2,654,946.051

BSC address: $1,107,870.815

Polygon address: $1,009,480.809 pic.twitter.com/bPFAQk4mvS

— Poly Network (@PolyNetwork2) August 11, 2021