Bees Of Bitcoin Stories

1: 600 Million Dollar Crypto Hack

Hello world!

Would you rather wear a Dalí mask, organize a team, buy a shitload of weapons and go rob the Royal Mint of Spain, or drain 600 million dollars from the comfort of your home, with just your laptop and an internet connection?

I’d choose the latter.

In August 2021, the crypto world witnessed the largest heist in cyberspace. Not one of the largest, but the largest: a hack of 600 million dollars worth of cryptocurrencies. And surprisingly, the hacker returned all the money, saying he or she did it for fun.

This is the story of greed, control for power, and most importantly “trust”.

That’s in this episode of Bees of Bitcoin where we explore all things crypto.

Intro

Poly Network is a decentralised finance (DeFi) platform, which is just a fancy term for saying no one is in control of your funds except you. Modern cryptography protects your funds. Or at least, that’s what you are told to believe. Poly Network allows users to swap tokens across various blockchains. The network operates on one fundamental fact: “Code is Law”.

A set of smart contracts, which are nothing but a bunch of computer code, gets executed when specific conditions are met. What if this code gets exploited?

That’s exactly what happened. The Poly Network team began by posting this tweet.

The hacker stole 600 million dollars worth of digital assets from three different blockchains, Ethereum, Binance Smart Chain, and Polygon Network.

As soon as the tweet started spreading in crypto communities, CEOs of major exchanges rushed to Twitter to say they were doing everything they could to stop the hacker.

Binance's CEO tweeted:

CZ 🔶 Binance @cz_binance
We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can. Stay #SAFU. 🙏
Poly Network @PolyNetwork2
Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

Other centralized exchanges such as Huobi and OKEx also said they would watch the flow of coins on those transparent blockchains to prevent the hacker from spending the hacked funds.

Even though the networks are decentralized, many online exchanges are heavily centralized.

They can stop, freeze or prevent a certain individual from spending their funds if those funds land in the exchange’s wallet. As soon as this news broke, Tether Limited, the corporation which issues USDT stablecoins, froze the funds in the wallet of the hacker. That’s around 33 million dollars worth of crypto.

Poly Network then issued a statement to the hacker on Twitter.

There’s a lot to unpack here.

Dear Hacker….

Dear Hacker?

Come on!

If shitcoin executives were to draft an email to Afghanistan,

Dear Taliban…

Meanwhile, the hacker tries to spend millions of dollars worth of crypto. But for some reason, the transaction fails. The hacker tries again, but still, the transaction fails to go through. One more time, and it fails again.

Hanashiro

Upon seeing this activity on the transparent blockchain, a user who goes by the alias hanashiro attempts to help the hacker. He sends an empty transaction to the Poly Network exploiter’s address, along with million-dollar information.

Don't use your USDT token

You’ve got blacklisted

Yes, you can send messages on the blockchain.

This time, the hacker did a transaction without the USDT token, and it went through.

And, you won’t believe this, the hacker tipped hanashiro 13.37 ETH, that’s roughly 42,000 dollars, for the information.

At this point, we wonder, who is hanashiro?

Why is he trying to help the hacker?

When we look up his wallet, Hanashiro is obviously a crypto whale, someone with a large number of crypto holdings. The transactions he makes run to a couple hundred thousand dollars. Hanashiro then starts sending the money he received to Ethereum co-founder Vitalik Buterin and a couple of charities. Hanashiro claims he’s just a crypto enthusiast who was passing by.

Meanwhile, here’s a victim’s perspective.

It looks like a lot of Chinese funds/individuals are affected because PolyNetwork is used by Neo and Ontology to bridge assets over from Ethereum.

On the other hand, the hacker sent messages like,

Wonder why tornado? Will miner stop me? Teach me plz!

He is, of course, talking about laundering money through Tornado, a fully decentralized protocol for private transactions on Ethereum.

And obviously trolling others.

One Twitter user describes the Poly hacker as the most dramatic, theatrical, and narcissistic in the short history of DeFi hacks.

He went on to say,

It would have been a billion hack if I had moved the remaining shitcoins! Did I just save the project? Not so interested in money, now considering returning some tokens or just leaving them here.

What if i make a new token and let the DAO decide where the tokens go.

DAO means decentralized autonomous organization. In other words, he was thinking of letting people decide where the funds should go.

After all those mood swings trying to handle half a billion dollars of money, the hacker makes a U-turn. He is ready to return the funds but says he failed to contact Poly Network.

He says he needs a secure multisig wallet from them, to make sure that the team behind Poly Network doesn’t misuse the funds.

It's already a legend to win so much fortune. It will be an eternal legend to save the world.

I made the decision, no more DAO. Hacking for good, i did save the project.

At this point, the Poly Network team started referring to the hacker as Mr. White Hat, meaning that his actions constitute white hat behavior and that he is one of the good guys who expose bugs.

Mr. White Hat then went on to answer Q&As.

Hacker’s Q & As

Q: Why hacking?

A: For fun :)

Q: Why poly network?

A: Cross chain hacking is hot

Q: Why transferring tokens?

A: To keep it safe.

When spotting the bug, i had a mixed feeling. Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion! I can trust nobody! The only solution i can come up with is saving it in a trusted account while keeping myself anonymous and safe.

Now everyone smells a sense of conspiracy.

Insider? Not me, but who knows?

I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!

Q: Are you exposed?

A: No. Never. I understood the risk of exposing myself even if i don't do evil. So i used temporary email, IP or so called fingerprint, which were untraceable. I prefer to stay in the dark and save the world.

Q: Then why selling/swapping the stables?

A: I was pissed by the poly team for their initial response.

They urged others to blame & hate me before i had any chance to reply!

Of course i knew there are fake defi coins, but i didn't take it seriously since i had no plan laundering them.

In the meanwhile, depositing the stables could earn some interest to cover potential cost so that i have more time to negotiate with the poly team.

Q: Why tipping 13.37?

A: I felt the warmth from the ethereum community.

I was busy investigating issues from heco and debugging my scripts. I thought it were networking issues why i could not deposit (i was behind a sophisticated proxy). So i shared the guy my goodwill.

Q: Why asking tornado and DAO?

A: Having witnessed so many hackings, i knew depositing into tornado is a wise but desperate decision. It was against my original intention. Being the crowdsourced hacker was just my bad joke after meeting so many beggars :)

Q: Why returning?

A: That's always the plan! I am not very interested in money! I know it hurts when people are attacked, but shouldn't they learn something from those hacks? I announced the returning decision before midnight so people who had faith in me should had a good rest

I don't use email. F**k the impostors.

Apparently, scammers were playing the game with the Poly Network team too.

The hacker admitted to having selfish motives given the amount of money he stole.

To be honest, I did have some selfish motives to do something cool but not harmful by leveraging the huge fund, like the DAO idea. Then i realized being the moral leader would be the coolest hack i could ever archive! Cheers!

The polygon network is so unreliable. For many times I thought I had sent the transaction but it vanished. Lol

Guys, ask yourself,

is the poly team the owner of the assets?

They are just the manager of the fund!

Will you teach them how to trigger their "Backdoor"?

In the defi world, you can trust nobody but the code and yourself.

To the "Victims": I don't mean the poly team is not trustworthy, but none of you have the chance to challenge their code which should be the law. Don't worry, you are not real victims. I saved you!

Hello beggars, why not asking money from the poly multisig wallet?

Apparently, people have been begging him to send Ether. Remember Hanashiro, who tried to help and whom the hacker tipped 13.37 ETH? This created many copycats, and a lot of people were begging the hacker for money. This is not the first instance of this happening.

People have been sending small amounts of Bitcoin to the wallet supposedly owned by the creator of Bitcoin, Satoshi Nakamoto. This is to let him know their wallet address so that he can donate to them.

At this time, many people were sending the hacker donations to the same wallet, but he urged his supporters to send funds to his other wallet because the donations were getting mixed up with Poly Network funds.

He had asked Poly to set up a new multisig wallet and said he would begin the transfer when everyone was ready.

In the defi world, code is law. Then who is the arbitrator?

At this point, the hacker shared a message from the Poly team.

'We appreciate you sharing your experience and believe your action constitutes white hat behavior. So we plan to offer you a $500,000 bug bounty after you complete the refund fully. You can reserve the equivalent value of 500,000 usd in any assets to the current owner address. We will make up this part of the assets to poly network users.'

What?

They’re making up this part of the assets to Poly Network users?

Who in the world gave them the right to do so?

I understand that they’re recovering a huge sum of money, not because of their competence but because of how lucky they are in who hacked the funds.

The hacker says,

The poly did offer a bounty, but i have never responded to them.

Instead, i will send all of their money back.

I felt sorry for any innocent people who were affected by my wild adventure. I tried to avoid introducing any noises to the crypto world

  • No touching shitcoins

  • No doing huge swaps

  • No dumping valuable assets

Q: Shouldn't a white hat just notify the developers?

Defi is a dark forest, hundreds of projects ran away every year. I dont trust anyone.

Q: Why explain so much?

A: The guiding part means a lot to me. I would like to share how i pawned my mind to overcome the arrogant and greed. I think the mental challenge is not easier than the hacking part.

I realized that even taking over the money temporarily is still an unforgiven joke, it's causing too much pain. I was not terrified because of exposure or laundering trouble at all. I just realized i should be cautious because my decision would change the lives of many people! If i left tokens there and quit the game, i could enjoy the life of being a millionaire and continue my exploration as usual, but thousands of people would lose control of their fate. This is against my personal philosophy.

The next part of the story is what you already know. I stopped my game and returned the money, as I promised, as I planned.

Another funny fact is that it's unusual to see any professional security teams report those crucial bugs of live contracts! Sure, they can always teach you why you were killed after your death! Why don't you see any cases that the security teams spot the vulnerability that affects millions usd, let alone cases in billions? Because they are not paid?

I guess most teams are even richer than me, and some of them might be more capable than me, do you believe that they have never faced the similar temptation?

Or some of them just surrendered to the evil?

It reminds of the film, "Searching". Just my conspiracy, and that's the reason i don't trust anyone, but you can always believe in me.

A hacker who says, “Don’t trust anyone but me.” Hmmmmm…..

This incident raises many serious questions, such as:

  1. Can I trust third-party audits?

  2. How decentralized are most blockchains?

  3. Who understands these systems?

  4. Can I gamble beyond my capability?

  5. Who gave the Poly team the right to give the hacker the bounty and make it up to their users?

So, only invest money you can afford to lose unless you understand the technology fully.

And as always,

Thanks for reading
