Poly Network hacker returns nearly all funds, refuses $500K white hat bounty



The hacker behind a $610 million attack on the cross-chain decentralized finance (DeFi) protocol Poly Network has returned almost all of the stolen funds amid the project saying their actions constituted “white hat behavior.”

According to a Thursday update on the attack from Poly Network, all of the $610 million in funds taken in an exploit that used “a vulnerability between contract calls” have now been transferred to a multisig wallet controlled by the project and the hacker. The only remaining tokens are the roughly $33 million in Tether (USDT), which were frozen immediately following news of the attack.

Related articles

The hacker had been communicating with the Poly Network team and others through embedded messages in Ethereum transactions. They seemed to have not planned to transfer the funds after successfully stealing them, and claimed to do the hack “for fun” because “cross-chain hacking is hot.”

Related: DAO Maker crowdfunding platform loses $7M in latest DeFi exploit

However, after speaking with the project and users, the hacker returned $258 million of the funds on Wednesday. Poly Network said it determined that the attack constituted “white hat behavior” and offered the hacker, whom it dubbed “Mr. White Hat,” a $500,000 bounty:

“We assure you that you will not be accountable for this incident. We hope that you can return all the tokens as soon as possible […] We will send you the 500k bounty when the remainings are returned except the frozen USDT.”

“The poly did offered a bounty, but I have never responded to them. Instead, I will send all of their money back,” said the hacker.

With the remainder of the funds, with the exception of the frozen USDT, now returned, the biggest hack in decentralized finance seems to be coming to an end. Though the hacker’s identity has yet to be made public, Chinese cybersecurity firm SlowMist posted an update shortly after news of the hack broke, saying its analysts had identified the attacker’s email address, IP address and device fingerprint.