By Wolfie Zhao
The attacker of the $611 million Poly Network exploit has started returning the stolen crypto assets, less than a day after their ID information was reportedly obtained by blockchain security firm Slowmist. They have now sent back $256 million in tokens out of the haul.
Seven minutes prior to sending the first transaction returning some of the funds, the hacker created a token called “The hacker is ready to surrender” and sent this token to the designated Polygon address.
Then they elected to send back $1 million in USDC on the Polygon blockchain. They did so in three transactions in incrementally increasing amounts (10, 10,000 and 1 million). They also handed back 23.8 BTCB ($1.1 million), a bitcoin-pegged token on Binance Smart Chain, as well as 259.7 billion shiba inu (SHIBA) tokens, worth $2 million, and $600,000 in FEI, a stablecoin.
A few hours later, after speaking to the Poly Network team in encoded messages, the hacker sent back nearly all of the assets on Binance Smart Chain. They sent over 1,000 more BTCB ($46.4 million), 26,629 ETH ($86 million) and $119 million in the stablecoin BUSD. The only assets remaining on this chain are 6,613 BNB ($2.6 million).
The attacker’s move came less than a day after the initial exploit, which was the largest DeFi hack to date. The stolen assets included $273 million of Ethereum tokens, $253 million in tokens on Binance Smart Chain and $85 million in USDC on the Polygon network. Since then, Tether was the only entity that was swift enough to blacklist the stolen USDT on Ethereum worth about $33 million.
But hours after the heist, blockchain security firm Slowmist claimed that they already tracked down the attacker’s IP and email information while the investigation on other ID intel relating to the attacker continued. Slowmist’s Weibo post on Tuesday suggested that the attacker used a little known Chinese crypto exchange Hoo when putting together the funds for the attack, hinting at how their digital footprint was trailed at the beginning. Other crypto sleuths also found details relating to other exchanges that may help to identify them.
Around 4:00 UTC time on Wednesday, the attacker wrote “Ready to return the fund!” in an Ethereum transaction that was sent from the PolyNetwork Exploiter address to itself. That message was followed by another one that reads: “Failed to contact the Poly. I need a secured multisig wallet from you.”
About 20 minutes later, the team behind the Poly Network responded to the exploiter address through a transaction that it is “preparing a multi-sig address controlled by known Poly addresses.” In a follow-up transaction, the Poly Network team identified three addresses that they hoped the attacker returns the funds to. The money is currently being sent to these addresses.