Poly Network Recoups $610M Stolen from DeFi Platform

The attacker returned the loot after being offered a gig as chief security advisor with Poly Network.

A threat actor called “Mr. White Hat” has returned the $610 million they stole from the decentralized finance platform Poly Network. The breached company tried everything from threatening to sic law enforcement on the attacker to its ultimate offer: the position of chief security officer in exchange for getting its money back.

Instead of falling victim to the largest DeFi heist in history, all it wound up costing Poly Network was a bit of embarrassment.

Mr. White Hat, as Poly Network dubbed him, said the plan was never to keep the money, just to prove there are security weaknesses associated with DeFi platforms.

Mission accomplished.

The money was returned in phases, with the remainder released when the attacker shared the key to a multi-signature wallet on Monday, Coin Rivet reported.

“Poly Network has successfully retrieved the remaining 28,953 ETH and 1,032 WBTC (about $141 million),” the company said in a statement, according to the cryptocurrency-focused publication Coin Rivet.

“At this point, all the user assets that were transferred out during the incident have been fully recovered,” Poly Network said. “Thanks to Mr. White Hat’s cooperation, Poly Network has officially entered the fourth phase of our roadmap ‘Asset Recovery’. We are in the process of returning full asset control to users as swiftly as possible.”

The Poly Network DeFi platform connects various blockchains so they can all work together to build a wider infrastructure. Poly Network has not responded to Threatpost’s request for comment.

Mr. White Hat’s Attack

On Aug. 10, Poly Network announced it had been attacked.

Thanks to blockchain, the stolen money was tracked to three addresses. There was $264.8 million in Ethereum, $250.8 million in Binance Smart Chain and $85 million in Polygon, according to Coin Rivet.

On the same day, with few alternatives available to recover the stolen assets, the company decided to try to engage the attacker with an open letter urging Mr. White Hat to return the money.

“The amount of money you hacked is the biggest one in the defi history,” the Poly Network open letter said. “Law enforcement in any country will regard this as a major economic crime and you will be pursued. … You should talk to us to work out a solution.”

Then, the mood seemed to shift inside Poly Network. Hours later, the company changed tactics and started recruiting the attacker to its team.

“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the company said on a Bloomberg broadcast, according to Coin Rivet. “Again, it is important to reiterate that Poly Network has no intention of holding Mr. White Hat legally responsible, as we are confident that Mr. White Hat will promptly return full control of the assets to Poly Network and its users.”

By the next day, Aug. 11, the attacker published what they called a Q&A explaining that they broke into the Poly Network “for fun” and always planned to return the money. Elliptic researcher Tom Robinson tweeted out screenshots of the correspondence.

After a bit more back-and-forth between Poly Network and the attacker on Aug. 23, all of the stolen funds were returned, including a $500,000 bug bounty paid by Poly Network and other donations.

As a final act, Mr. White Hat released a statement explaining that they hope this is a security lesson for the wider DeFi community.

“Personally, I have learned and practiced a lot,” Mr. White Hat wrote. “And I tried to point out some crucial facts about this crazy DeFi world.”

For one last jab at Poly Network, the note was signed “Your Chief Security Officer.”
