Money for nothing: the true story of the world’s biggest ever crypto heist
An online thief made history recently by stealing $610 million in cryptocurrency. Then they gave half of it back. Why?
Words: Tom Ward
One of the biggest heists in history didn’t involve retired gangsters and an East End jewellers. It didn’t involve suave European criminals, high-speed cars and credit card fraud. And it certainly didn’t involve ski masks and sawn-off shotguns.
No, in 2021, crime is smarter. Hacking has been in the news a lot in recent years, mostly with fingers pointed at China or Russia, alleging their hackers have interfered in Western politics. But, it seems, not every hacker has malicious intent.
Fans of the Michael Mann film Black Hat (and while we’re on the subject of robbery, why not give Heat a re-watch?) will know that in the world of hacking, there are ‘Black Hats’ who cause damage, and ‘White Hats’ who hack supposedly to point out a flaw in a company’s system. The hacker who last week got away with around $610 million in one of the largest cryptocurrency heists ever reportedly identifies as the latter.
The heist occurred when the hacker exploited a vulnerability in Poly Network, a blockchain site where users can swap cryptocurrencies. A preliminary investigation by the company found the hacker had exploited a “vulnerability between contract calls”. Once in, the hacker took thousands of digital tokens, including around $267m of Ether currency, $252m of Binance and roughly $85 million in USDC tokens. Elon Musk’s beloved Dogecoin, however, was left alone.
In an open letter to the hacker, Poly Network announced “The amount of money you have hacked is one of the biggest in defi [decentralised finance] history… Law enforcement in any country will regard this as a major economic crime and you will be pursued…The money you stole are [sic] from tens of thousands of crypto community members, hence the people [sic].”
Poly Network also asked the individual to get in touch “to work out a solution”.
In response, a person claiming to be the hacker contacted Tom Robinson, the chief scientist and co-founder of the crypto tracking firm Elliptic, and published a letter through Robinson’s Twitter account. According to these messages, Poly Network had offered a $500,000 “bug bounty” to return the stolen assets and promised the anonymous hacker that “you will not be held accountable for this incident”.
According to Robinson, the hacker had told him they would not be claiming the money but would be donating it to the “unexpected victims” of the hack. The hacker then pledged to return the funds, claiming to be “not very interested in money”.
The following day, Poly Network said it had received $260m back, including $256m worth of Binance Coin, $3.3m worth of Ethereum and $1m worth of Polygon. To date, $269m in Ether tokens and $84m in Polygon tokens have yet to be recovered.
Poly Network dubbed the hacker a ‘White Hat’, i.e. a hacker who uses their skills to expose cyber vulnerabilities. Despite this, it naturally wants the rest of its money back.
“The repayment process has not yet been completed,” Poly Network said in a statement the day after some of its money was returned. “To ensure the safe recovery of user asset, we hope to maintain communication with Mr White Hat and convey accurate information to the public.”
But what is really behind the robbery? Surely there are easier ways to point out flaws in a system than stealing $610 million? Or maybe the hacker simply got cold feet and decided to return the money? It seems the hacker themselves may be able to offer some insight…
“I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” the purported hacker wrote this week as part of a three-page-long Q&A session published on one of the blockchains.
According to this statement, the hacker claimed to have spent an entire night searching for a vulnerability in the Poly Network system. Once they found it, they decided it was time to go big or go home, and that taking such a large sum of money would be the only way to stop Poly Network quietly patching the security flaw without telling anyone.
In that regard, the hacker’s plan seems to have worked, as the heist grabbed headlines across the world. The hacker did say, however, that they weren’t seeking to cause “real panic [in] the crypto-world” and as such they only took “important coins”, which, according to them, is why Dogecoin was untouched.
Speaking to the BBC, Mr Robinson offered some insight into the hacker’s psyche. “Either they just intended to commit theft and steal the assets, or they were acting like a white hat hacker to expose a bug, to help Poly Network make themselves more strong and secure,” Robinson said.
Robinson explained that, despite their claims, the hacker may well have initially intended to fly under the radar but realised it would be difficult to do so: blockchain technology means all users can see money being moved across the network into a hacker’s wallet, so it would be difficult for the hacker to take the money without anyone noticing.
“I wonder whether this hacker stole the funds, realised how much publicity and attention they were getting, realised wherever they moved the funds they would be watched, and decided to give it back,” Robinson mused.
As to how the hacker was able to enter the system in the first place, Robinson put it down to human error in code writing.
With a significant amount of the money having been returned, it seems the hacker intends to give it all back, having cryptically posted “The pain suffered is temporary, but memorable.”
The hacker seems to be reiterating that this was all just a plot to teach Poly Network a lesson. But if that was the case, what is the hacker’s endgame other than bragging rights? And, if the aim was to essentially do the company a favour by pointing out their security flaws, why all the bragging online?
Unless the hacker is found, it’s likely we may never really know their motives. The only thing we can guess is that with unregulated and decentralised cryptocurrency growing in popularity, more heists of this nature are sure to be on the horizon, whether carried out by ‘White Hats’ or ‘Black Hats’ with more dubious intentions.