Hacker Steals $610M in Crypto, Then Returns It All
In what became the largest DeFi hack to date, an unknown attacker exploited Poly Network's smart contracts—then gave the money back

An unidentified hacker breached Poly Network, a decentralized finance platform facilitating peer-to-peer token exchanges across blockchain networks, stealing $610 million in cryptocurrencies in August 2021. The theft marked the largest DeFi hack on record at the time, but the attacker's next move confounded the industry: they gave nearly all of it back.
The stolen funds were distributed across three major blockchain networks. Approximately $273 million in Ethereum tokens were taken, along with $253 million from Binance Smart Chain and $85 million in Polygon stablecoins. The hacker targeted at least 12 different cryptocurrencies in total, exploiting a vulnerability in Poly Network's smart contract calls, according to the platform's forensic investigation.
Poly Network announced the theft and immediately called for action. The platform threatened legal consequences, offered a $500,000 reward for information, and urged cryptocurrency exchanges and token issuers to blacklist the attacker's wallet addresses. The company's statement emphasized that thousands of users had been affected by the breach.
Attack on Poly Network
An unknown hacker steals around $610 million by exploiting a vulnerability in the platform's smart contracts.
First return
The hacker returns $342 million within two days. $268 million remains locked in a multi-signature wallet.
Offer from Poly Network
Poly Network offers the hacker a reward of $500,000 and a position as Chief Security Advisor; both offers are declined.
Near-complete return
Almost all funds have been returned, with the exception of $33 million in USDT tokens that were frozen by Tether.
Release of the private key
The hacker shares the private key to the multi-signature wallet via a blockchain message, giving Poly Network access to the remaining assets.
What happened next was unprecedented in cryptocurrency crime. Within a day of the theft, the hacker began returning funds. By the second day, partial recovery was underway, with $4.77 million in assets already restored. The attacker subsequently returned the vast majority of the stolen cryptocurrency, and Poly Network ultimately recovered all of the funds.
The hacker's methods during the recovery phase were equally unusual. They locked over $200 million in cryptocurrency in an account protected by dual passwords—one controlled by the attacker and one by Poly Network—effectively preventing either party from accessing the funds alone. This forced cooperation ensured the platform's participation in the final recovery process.
Messages appended to blockchain transactions offered clues to the attacker's motives, though interpretations varied across reporting. The hacker claimed the breach was "for fun" and suggested they were "hacking for good" and had "saved the project." Some sources indicate the attacker described themselves as conducting security testing and contributing to Poly Network's security improvements. Poly Network subsequently referred to the perpetrator as "Mr. White Hat," adopting the terminology used for ethical hackers who expose vulnerabilities responsibly.
Blockchain security firm SlowMist tracked the transfers and identified the hacker through email addresses, IP addresses, and device fingerprints, though this information did not lead to a public identification or arrest. When the attacker requested compensation for their work, they reportedly received approximately $200 in donations. Poly Network's $500,000 reward offer remained outstanding.
Tether, the issuer of USDT stablecoins, froze approximately $33 million in tokens held in the hacker's wallets, a significant barrier to converting stolen assets into traditional currency. Analytics firm Elliptic tracked approximately $258 million of the returned funds and noted that the transparent nature of blockchain technology had made it exceptionally difficult for the hacker to launder the stolen cryptocurrency through conventional methods.