Hackers have siphoned $611 million worth of cryptocurrencies from a blockchain-based financial network in what’s believed to be one of the largest heists targeting the digital asset industry, putting it ahead of breaches targeting exchanges Coincheck and Mt. Gox in recent years.
Poly Network, a China-based cross-chain decentralized finance (DeFi) platform for swapping tokens across multiple blockchains such as Bitcoin and Ethereum, on Tuesday disclosed unidentified actors had exploited a vulnerability in its system to plunder thousands of digital tokens such as Ether.
“The hacker exploited a vulnerability between contract calls,” Poly Network said.
The stolen Binance Chain, Ethereum, and Polygon assets are said to have been transferred to three different wallets, with the company urging miners of affected blockchain and centralized crypto exchanges to blocklist tokens coming from the addresses. The three wallet addresses are as follows –
- Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 ($273 million)
- Binance Smart Chain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 ($253 million)
- Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 ($85 million)
In an open letter, the protocol maintainers urged the thieves to “establish communication and return the hacked assets.”
“The amount of money you have hacked is one of the biggest in DeFi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. […] The money you stole are from tens of thousands of crypto community members, hence the people,” the team said.
Tether’s Chief Technology Officer Paolo Ardoino tweeted that the stablecoin company froze $33 million worth of its tokens that were taken in the haul.
“We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can,” Binance CEO Changpeng Zhao said in a tweet.
The identity of the hacker remains unclear, although blockchain security firm SlowMist claimed it was able to trace the attacker email address, IP address, and device fingerprint and that their initial source of funds were in Monero coins, which were then exchanged for ETH, MATIC, and other currencies.
Update: The Block reported that the attackers behind the Poly Network crypto hack have returned $1 million in USD Coin (USDC) on the Polygon blockchain, $1.1 million in BTCB, as well as $2 million in the Shiba Inu ERC-20 token and $622,243 FEI USD stablecoins. Prior to sending back the funds, the hacker created a token called “The hacker is ready to surrender” and sent it to the designated Polygon wallet address.