Poly Network Hack – How Crypto’s Biggest Hacker was Found but Never Identified

The $611M Poly Network hack is the largest crypto and DeFi hack to date in terms of mark-to-market value. All the stolen funds were returned, but the identity of the hacker is still unknown.

Dubbed “Mr. White Hat” by the Poly Network security team, the anonymous perpetrator of the biggest crypto hack to date gave all the stolen crypto assets back within 15 days of the incident.

But how was the Poly Network hack carried out? Why did they return the funds? And how did they manage to remain anonymous? We’ll explore these questions, but first…

What is the Poly Network?

The Poly Network is a DeFi platform that enhances blockchain interoperability by enabling users to transfer information and cryptocurrencies between various blockchains. Using the Poly Chain consortium blockchain as its framework, the Poly Network deploys a series of smart contracts to establish bridges between Bitcoin, Ethereum, BNB Smart Chain, and more than 20 other blockchains.

In simplified terms, Poly Network lets blockchains talk to each other using smart contracts.

How the Poly Network Hack Happened

A comprehensive technical report on the Poly Network hack, published by Kraken Security Labs less than 2 months after the incident, revealed the mechanics of the attack. Through a series of data manipulation techniques in the high-level code of the Ethereum smart contract, the attacker was able to grant himself the necessary permissions to transfer all Poly Network funds on the Ethereum blockchain into his own wallet, which included 2,528 ETH valued at $267M at the time.

The same method was used to extract 6,610 BNB valued at $252M to the attacker’s BNB Smart Chain wallet, and again it was used to transfer roughly $85M worth of USDC into the attacker’s wallet on the Polygon network.

The stolen assets also included several million dollars worth of Shiba Inu, DAI, USDT, and BUSD, for a grand total of around $611M at the time of the attack, making the Poly Network hack the biggest crypto hack as of October 2022.

The Axie Infinity Ronin Bridge Attack wasn’t the biggest crypto hack of all time.

Why did they Return the Funds?

Oftentimes “white hat” security experts will reveal vulnerabilities in networks by exploiting them first and answering questions later. This is how they ensure they’ll get paid for finding the bug, but it’s also risky because they could technically be breaking various laws. In the case of the Poly Network hack, countless international finance and cybercrime laws were broken, so it was imperative that the attacker remained anonymous.

In short, the Poly Network attacker claims the hack was carried out with the intention of returning the funds the whole time. The attacker said:

“You don’t know me. Money means little to me, some people are paid to hack, I would rather pay for the fun. I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network. (They can win double if they feel the current plan is awkward).

If the Poly don’t give the imaginary bounty, as everybody expects, I have well enough budget to let the show go on. Just some funny thoughts but I may probably make them come true. If you are still confused, ask some richer friends, what is money for? I trust some of their code, I would praise the overall design of the project, but I never trust the whole poly team. My only guilt was triggered from the refugees.

All of my actions were determined since I made the final decision to be eternal. I am a little bit surprised that you call them professional negotiators, just look at their tense and repetitive words. If the Poly really got my initial idea, they could be less embarrassed. I published their request so that they got the chance to be a winner. Who do you think is dominating the game?”

However, many in the cybersecurity community are skeptical of this claim, especially in light of the fact that the hacker started moving the funds around between various smart contracts and wallets immediately after the incident.

In a series of messages left by the hacker via Ethereum transaction notes, they said they had done the attack for fun, and also asked “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”

It’s worth noting that the Poly Network hacker was only able to return $340M worth of crypto initially, as the rest was frozen by Tether and other blockchain security firms, or locked in DeFi contracts. The total amount was finally moved back into the Poly Network’s possession on Aug 25, 15 days after the attack.

Blockchain-based security firm SlowMist also announced hours after the attack that they had identified the attacker’s email, IP address, and device fingerprints. This all drew speculation that the attacker only decided to return the funds once they realized how difficult it would be to launder them.

The bug bounty offered to “Mr. White Hat” by Poly Network was a $500,000 reward, plus an offer to become their chief security advisor. It’s still unknown if they took the position. Poly Network also stated that it has no intention of holding Mr. White Hat legally responsible.

How the Poly Network Hack Attacker Managed to Remain Anonymous

While SlowMist did say they had identified the attacker’s email, IP address, and device fingerprint, a sophisticated hacker knows how to mask those properties and shield their true identity. It’s unlikely that any of these identifiers would reveal the precise location or true identity of the attacker. However, the smartest thing the attacker did was not try to reach any cashout points or make any withdrawals of the funds, because that’s the point at which digital identities collide with reality.

The attacker was able to remain anonymous by letting their pseudonymous digital identity be found, but never revealing any personal information through it. They would not have been able to cash out the funds without revealing their true identity.

This is yet another lesson taught to us by “Mr. White Hat”, which is that despite the headlines about massive smart contract exploits like this one, cryptocurrencies aren’t as private or as easily laundered as people think.
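The point made above, that stolen funds stay traceable across wallet hops and only meet a real identity at a cashout point, can be shown with a minimal proportional ("haircut") taint tracer. This is an added example, not code from the original article or from any tracing product; every address, label and amount is constructed, and the haircut model is an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data: every address, label and amount below is made up.
# Transfers are (sender, receiver, amount) in chronological order.
TRANSFERS = [
    ("exploit_wallet", "hop_a", 600.0),
    ("clean_user", "hop_a", 200.0),          # unrelated funds mix in
    ("hop_a", "hop_b", 400.0),
    ("hop_a", "defi_pool", 400.0),
    ("hop_b", "exchange_deposit_1", 100.0),  # first contact with a cashout point
    ("clean_user", "exchange_deposit_2", 50.0),
]
# Hypothetical labels for addresses where an account is tied to a real identity.
CASHOUT_LABELS = {
    "exchange_deposit_1": "ExampleExchange (KYC)",
    "exchange_deposit_2": "ExampleExchange (KYC)",
}

def trace_taint(transfers, source, stolen, cashout_labels):
    """Follow stolen funds forward with a proportional ("haircut") model.

    Returns (hits, taint): hits lists (sender, cashout_address, tainted_amount)
    for every tainted deposit at a labelled cashout point; taint maps each
    address to the stolen value it still holds.
    """
    balance = defaultdict(float)
    taint = defaultdict(float)
    balance[source] = taint[source] = stolen
    hits = []
    for sender, receiver, amount in transfers:
        if amount <= 0:
            continue
        # Funds the trace has never seen arriving are assumed to be clean.
        if balance[sender] < amount:
            balance[sender] = amount
        moved = amount * taint[sender] / balance[sender]
        balance[sender] -= amount
        taint[sender] -= moved
        balance[receiver] += amount
        taint[receiver] += moved
        if receiver in cashout_labels and moved > 0:
            hits.append((sender, receiver, moved))
    return hits, dict(taint)

if __name__ == "__main__":
    hits, taint = trace_taint(TRANSFERS, "exploit_wallet", 600.0, CASHOUT_LABELS)
    for sender, addr, amt in hits:
        print(f"{amt:.2f} tainted units from {sender} reached {CASHOUT_LABELS[addr]}")
    print({a: t for a, t in taint.items() if t > 0})
```

With the deposit to `exchange_deposit_1` removed, the tracer still follows every tainted unit through the hops but produces no hit, which is the situation the article describes: the pseudonymous addresses are known, yet nothing links them to a person.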


Cryptosec is a leading provider of security solutions in the rapidly evolving world of blockchain, cryptocurrency, and DeFi. Their specialist investigations arm, Crypto Investigators, offers expert services in blockchain forensics and legal investigations, leveraging deep industry knowledge and advanced investigative techniques to navigate the complexities of the digital age.
