[TheRecord] Hacker steals $600 million from Poly Network in biggest ever cryptocurrency hack

An unidentified hacker has stolen more than $600 million worth of cryptocurrency from Poly Network, a decentralized finance (DeFi) platform based in China.

According to its website, Poly Network provides users the ability to trade cryptocurrency assets across different blockchains. Under the hood, the Poly Network executes these transactions using scripts called “contracts.”

On Thursday, August 10, an unidentified individual began moving funds from the Poly Network platform into cryptocurrency addresses under their control.

How the attack took place

“The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls,” a Poly Network spokesperson told The Record in an email today.

“The attacker use[d] this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract,” the company added, an attack that effectively allowed the intruder to declare themselves as the owner of any funds processed through the platform.

Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them to wallets under their control, identified by Poly admins as follows:

BinanceSmartChain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214

At the time of the hack, the Poly Network said the stolen funds were worth more than $600 million, making it the largest hack pulled off against a cryptocurrency trading platform to date.

Poly Network begs hacker to return stolen funds

Once the attack was discovered, Poly Network disclosed the incident to the public and asked for the help of the cryptocurrency community, begging mining platforms and exchanges to track the hacker’s movements and freeze their accounts.

On Twitter, companies like HuobiTetherOKEx, and Binance said they managed to freeze some of the stolen assets, but only a small portion of the larger pot.

In the meantime, the Poly Network has published an open letter on its Twitter feed, asking the hacker to return the funds before the incident escalates.

While hackers have returned stolen funds to cryptocurrency platforms in the past to avoid prosecution, the company’s letter was universally ridiculed for its naivety, becoming a trending topic on Twitter late last night.


— Poly Network (@PolyNetwork2) August 10, 2021

At the time of writing, the hacker has not returned any of the stolen funds.

Instead, the hacker has been using the comment field in Ethereum transactions to post public messages or engage in conversations with various individuals, revealing in one of these that the breach could have been much larger if they would have bothered to move the Poly Network’s less popular altcoins.

Image: banteg

The Poly Network told The Record they plan to update their users about the hack in the coming days via their Twitter account. It also confirmed the validity of an independent review of the hack posted by cryptocurrency security firm SlowMist.

Another Poly Network hack analysis is also available in the Twitter thread below:

Ok here’s how the Poly Network hack actually worked. If I’m reading the contracts correctly, it’s pretty genius.

— God-like Natural Number Creator Person (TM, R) (@kelvinfichter) August 10, 2021

The post Hacker steals $600 million from Poly Network in biggest ever cryptocurrency hack appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] Ransomware: Industrial services top the hit list – but cyber criminals are diversifying

All posts, ZDNet

Ransomware gangs are heavily targeting industry with attacks – but increased competition means cyber criminals are expanding their targets. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] Google patches 8th Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild. […] Source: Read More (BleepingComputer)

Read More

[SecurityWeek] Web Security Provider Jscrambler Raises $15 Million

All posts, Security Week

Client-side web security provider Jscrambler on Thursday announced that a $15 million Series A financing round led by Ace Capital Partners. Existing investors Sonae IM and Portugal Ventures also participated. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.