On Tuesday morning, August 10, 2021, decentralized finance (DeFi) provider Poly Network revealed that $611 million (more than BRL 3 billion) in cryptocurrencies had been transferred from its wallets to wallets belonging to an unknown party. The next day, mysteriously, or not so mysteriously, the money began to be returned in parts, until almost all of it was back on Friday (13). Here is the whole story in brief:

At around 9:40 am, Poly Network revealed on Twitter that a cybercriminal had transferred the equivalent of $273 million in Ethereum, $253 million in Binance and $85 million in Polygon's USD Coin (USDC) to cryptocurrency wallets under the criminal's control.

“We regret to announce that Poly Network has been attacked in Binance, Ethereum and Polygon. Assets have been transferred to the hacker’s addresses […] After a preliminary investigation, we found the cause of the vulnerability. We will take legal action and ask hackers to return the assets,” the company wrote in a series of posts on the social network.

Poly Network is a provider of decentralized finance (DeFi) services, founded by Chinese businessman Da Hongfei in August 2020. It works as a kind of cryptocurrency bank, offering the services of an ordinary bank but in a decentralized way, that is, without being subject to the regulations imposed by governments and financial regulators. It does this through cryptocurrency blockchains.

To have the funds needed to operate financial services, a DeFi platform relies on its own investment system. Investors, attracted by a commission on the transactions carried out on the platform, put in cryptocurrency, and customers pay a fee per transaction; that fee is split back among the investors. For this reason, a DeFi platform actually moves a lot of cryptocurrency. In this case, a total trade volume of more than $10 trillion (BRL 54 trillion), according to Poly Network itself.

Information on the cryptocurrency transactions that Poly Network mediated, according to the company itself. Photo: The Hack.

At almost 1 pm, still on Tuesday (10), Poly Network returned to social media with an unusual request: it wanted to talk to the criminal. The company explained that the amount stolen was the largest in the history of decentralized finance and that the police, authorities and security companies were already taking action.

“Dear hacker,” the text begins. “We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the largest in defi history. Law enforcement in any country will consider this a major economic crime and you will be prosecuted. It is very unwise to make any further transactions. The money you stole belongs to tens of thousands of members of the cryptographic community. You should talk to us to find a solution,” the text ends. Photo: Poly Network.

This is not only the biggest attack on a decentralized finance company, but also the biggest cryptocurrency theft in the history of the technology, surpassing the case of Coincheck, which lost the equivalent of US$ 534 million (R$ 2.7 trillion) to cybercrime in January 2018.

By this time, news and rumors of the attack had spread around the world. In response to the Poly Network communiqué, Changpeng Zhao, CEO of Binance, one of the blockchains on which Poly Network offers exchanges, reported that he had contacted Binance’s partner security companies to help proactively. “We are coordinating with all of our security partners to proactively help. There are no guarantees. We will do everything we can,” he wrote.

We are aware of the https://t.co/IgGJ0598Q0 exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can. Stay #SAFU. 🙏 https://t.co/TG0dKPapQT — CZ 🔶 Binance (@cz_binance) August 10, 2021

At the end of the day, around 10 pm, the Chinese blockchain security firm SlowMist told the local press that it had been able to identify the person responsible, as well as his email and fingerprints.

The information was published by the Chinese cryptocurrency portal ChainNews and further detailed on SlowMist’s Medium page. Photo: The Hack.

The attack

Poly Network moves cryptocurrency between the Binance, Ethereum and Polygon blockchains. The exchanges are carried out through “smart contracts”. One of these contracts holds a large pool of assets so that users can swap cryptocurrencies efficiently. According to a statement from Poly Network on Twitter, its investigation determined that a vulnerability in one of these contracts was exploited.

An analysis carried out by the US firm Chainalysis found that the criminal chose to present himself as an ethical hacker who had taken the more than $600 million only as a proof of concept (PoC), to show that a frightening amount of cryptocurrency could be stolen by exploiting this vulnerability.

This “ethical hacker” argument was soon taken apart by Gurvais Grigg, Chainalysis’ chief technology officer, who explained that the criminal only decided to return the stolen amount after realizing how complicated it would be to launder all that money.

Evidence for this comes from a Coindesk investigation, which found that the criminal tried to use some of the coins to invest in the Curve.fi platform and also tried to move around $100 million through Ellipsis Finance. Both transactions were rejected, because the operators had already blocked the wallet used.

After revealing that it had identified the perpetrator, SlowMist published a study detailing how the criminal exploited the vulnerability.

On Wednesday (11) the criminal contacted Poly Network and began returning the money in installments, attaching public comments to the transactions in which he claimed to be an ethical hacker whose plan had always been to return the funds. According to SlowMist, however, this was a “long-planned, organized and engineered attack”.

On Friday (13), Poly Network revealed that the criminal had returned most of the stolen cryptocurrency; what remained outstanding was around US$ 33 million that Tether had frozen after the accusations, which he was therefore unable to return.

As a reward for reporting the vulnerability (in practice, for returning the money), Poly Network decided to pay the hacker, “Mr. White Hat”, as he preferred to be identified, US$ 500 thousand (R$ 2 million). A happy ending to a crime gone wrong, no?

Cryptocurrencies are anonymous but completely traceable.

A widespread misconception is that cryptocurrencies are untraceable. On the contrary, cryptocurrencies are fully traceable. Beyond that, security companies and the police have tools, not available to the general public, built specifically for crimes involving cryptography and anonymity.

According to Daniel Coquieri, COO of BitcoinTrade, some cryptocurrencies are fully traceable, Bitcoin for example, since its blockchain is public. In addition, cryptocurrency operators can block transactions with wallets that have been involved in past thefts, and that is exactly what happened in the Poly Network case, which is what stopped the hacker from laundering the money.

“There are platforms that do what we call blacklist or whitelist, which are wallets that are somehow identified as wallets that traded stolen bitcoins or that were the target of scams in certain wallets. In this way, these wallets are blocked and the world’s leading bitcoin exchange agencies do not allow you to receive money from stolen wallets,” the executive explained in an interview with The Hack last November.
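The two mechanisms described above, following funds forward on a public ledger and refusing deposits that come from flagged wallets, as an added Python example that is not part of the article. The ledger, address labels and amounts are constructed for illustration, not real transactions.

```python
from collections import deque

# Constructed sample ledger (made-up address labels, not real wallets):
# (tx_id, sender, receiver, amount)
LEDGER = [
    ("tx1", "bridge_contract", "thief_a", 600.0),
    ("tx2", "thief_a", "thief_b", 250.0),
    ("tx3", "thief_b", "defi_pool", 100.0),
    ("tx4", "thief_a", "thief_c", 50.0),
    ("tx5", "honest_1", "honest_2", 10.0),
]


def trace_forward(ledger, seeds):
    """Walk every outgoing transfer from the seed addresses.

    Returns (tainted, first_hop): the set of addresses that received funds
    originating at the seeds, and the tx_id that first carried tainted funds
    to each one. On a public blockchain anyone can run this walk, which is
    why the funds are traceable even though the owners are pseudonymous.
    """
    by_sender = {}
    for tx_id, src, dst, _amt in ledger:
        by_sender.setdefault(src, []).append((tx_id, dst))
    tainted = set(seeds)
    first_hop = {}
    queue = deque(seeds)
    while queue:                      # breadth-first, each address visited once
        addr = queue.popleft()
        for tx_id, dst in by_sender.get(addr, []):
            if dst not in tainted:
                tainted.add(dst)
                first_hop[dst] = tx_id
                queue.append(dst)
    return tainted, first_hop


def screen_deposits(pending, blocklist):
    """Exchange-side check: refuse to credit deposits whose sender is on the
    blocklist, so stolen funds cannot be cashed out through the platform."""
    return [(tx_id, "REJECT" if src in blocklist else "ACCEPT")
            for tx_id, src, _dst, _amt in pending]


if __name__ == "__main__":
    blocklist, hops = trace_forward(LEDGER, {"thief_a"})
    print(sorted(blocklist), hops)
    incoming = [("dep1", "thief_c", "exchange", 50.0),
                ("dep2", "honest_2", "exchange", 10.0)]
    print(screen_deposits(incoming, blocklist))
```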

Sergio Hussein, an officer specializing in cybercrime at the São Paulo State Civil Police, explains that cybercriminals are usually identified where they slip up most: in the traces left during the attack and in the exposure of sensitive data that leads back to the perpetrator’s identity, what he calls “the unencrypted steps”.

