Attackers stole $600 million from the Chinese DeFi platform Poly Network

Daniel ZimmermannAugust 11, 2021

0 115 1 minute read

It looks like a new record has been set in the field of cryptocurrency robberies. On August 10, 2021, unknown hackers stole over $600 million worth of cryptocurrency from the Poly Network decentralized financing platform.

The attackers transferred funds from the platform to cryptocurrency addresses under their control. The following wallets of the criminals have already been identified:

BinanceSmartChain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

The distribution of stolen assets is as follows:

Ethereum tokens: $273 million;
Binance Smart Chain: $253 million;
Polygon Network (in USDC): $85 million.

The Poly Network administration explains that the hackers exploited the vulnerability, which is the _executeCrossChainTx function between calls to the contract.

Attackers used this feature to transmit carefully crafted data to alter the custodian of the EthCrossChainData contract.the company explained to The Record.

That is, the attack allowed hackers to declare themselves the owners of any funds processed by the platform.

The Poly Network reported the incident and reached out to the crypto community for help, asking other platforms and exchanges to track the hackers and freeze their assets. In response, representatives from Huobi, Tether, OKEx and Binance said that they managed to freeze some of the stolen assets, but this is only a small part of what was stolen.

SlowMist specialists prepared a detailed analysis of the incident. Experts claim that they were able to trace the attacker’s ID and identify his email address, IP address and fingerprinting the device.

Meanwhile, the Poly Network itself posted an open letter on Twitter asking the attackers to return funds to avoid escalating the incident. And while there have been cases in the past where hackers have returned stolen funds to cryptocurrency platforms (mostly in an effort to avoid prosecution), most users only laughed at the naivety of Poly Network.

Dear hacker, we are the Poly Network team. We would like to contact you and urge you to return the hacked assets. The amount you stole is the largest in DeFi history. Law enforcement agencies in any country will consider this a serious economic crime, and you will be prosecuted. It is very unwise to make any further transactions. The funds you stole belong to tens of thousands of members of the crypto community, which means people. You should talk to us to find a solution.reads the open letter.

Meanwhile, Bleeping Computer found transactions sent to attackers with money laundering advice and requests for free cryptocurrency. It looks like these tips are coming from other hackers.

Journalists note that in response to the advice not to transfer blocked USDT, the attacker sent the user 13.37 Ethereum tokens (“leet“) in the amount of $41,474.

Let me remind you that we also talked about the CryptoCore hacker group that have stolen $200 million linked to North Korea.

Sending