On August 10, just over $600 million in cryptoassets was stolen from the Poly Network, a system that allows users to transfer digital tokens from one blockchain to another.
We won’t go into detail here about exactly how the hack happened – others have already covered that thoroughly.
The stolen cryptoassets were on three different blockchains: Ethereum, Binance Smart Chain and Polygon, and included cryptocurrencies, stablecoins and other tokens. Stablecoins usually have a built-in security mechanism for such circumstances, allowing their issuers to freeze certain accounts. Tether used this feature shortly after the theft to freeze the 33 million USDT the hacker took. (An Ethereum user informed the hacker that this had happened, and the hacker rewarded them by sending them $42,000 in cryptoassets.)
Poly Network also published the addresses of the accounts holding the stolen funds and asked miners and exchanges to “blacklist” tokens coming from them. Separately, Elliptic added the thief’s accounts to its dataset, allowing customers to see which transactions and wallets have direct or indirect exposure to the stolen funds.
In the immediate aftermath of cryptoasset thefts of this magnitude (of which there have been many over the past decade), there is usually little activity seen from the thieves. Amid the significant publicity that comes with such events, the thief will typically retreat and perhaps refrain from moving the funds for years – until they attract less attention and may be able to spend or cash them out without being caught.
However, early Wednesday morning the hacker started posting messages. They did this by sending transactions to themselves (from an Ethereum account holding some of the stolen funds), with text embedded in them. Most importantly, they sent a message stating:
It seemed the hacker might be willing to return the stolen cryptoassets. Either they had always intended to do this, or the massive attention the hack had attracted meant they were unlikely to be able to spend the funds and were at risk of arrest – so returning them was the only real option.
Poly Network replied to this message asking the hacker to return the funds to three accounts – one on each of the affected blockchains:
A few hours later, the hacker made good on his word and began sending the stolen assets back to accounts designated by Poly Network. You can see this happening on each of the three blockchains – Binance Smart Chain, Ethereum and Polygon.
In the end, the hacker sent all the stolen assets to the agreed accounts, except for $33 million in USDT, which was frozen by Tether.
However, this did not mean that the hacker had fully returned the stolen property. The latest tranche of stolen assets, totaling $235 million, was sent to what the hacker described as a new “shared multi-signature” Ethereum account. Poly Network later clarified that it holds these funds in joint custody with the hacker (dubbed “Mr. White Hat”):
— Poly Network (@PolyNetwork2) August 12, 2021
Moving the funds required keys held by both Poly Network and the hacker. The hacker explained in the message that he would “COMMIT THE FINAL KEY WHEN _EVERYONE_ IS READY”.
As he returned the funds to these accounts, the hacker began sending further messages, including a series of “Questions and Answers” – effectively self-interviews:
The $600 million Poly Network hacker has released the first part of the “Questions and Answers”: #polynetworkhack pic.twitter.com/3y1JQnHe50
— Tom Robinson (@tomrobin) August 11, 2021
Further questions and answers from the hacker can be found in the thread below. The gist of these messages seems to be that the hacker always intended to return the assets, and that this was done for “fun” and to protect Poly Network before any “insiders” could use the same bug to steal funds.
The hacker later claimed they were offered a $500,000 reward to recover the stolen funds, but declined the offer:
The Poly Network hacker now says they have been offered a $500,000 reward for the return of the stolen property – but won’t ask for it pic.twitter.com/Dqp2ZhSO47
— Tom Robinson (@tomrobin) August 12, 2021
The hacker eventually began allowing the movement of some of the last $235 million in stolen assets locked in a multi-signature account. In response to this, Poly Network paid a 160 ETH (~$486,000) “bug bounty” to an account created by the hacker to solicit donations from the general public:
Including the payment from Poly Network, about $525,000 in Ether was received in the hacker’s donation account.
Almost two weeks after the initial theft, the hacker finally shared the key needed to move the remaining funds to a shared wallet. Not only that, they also sent the entire contents of their donation account (including the bug bounty) back to Poly Network. They asked that it be divided among the “survivors” and signed as:
Regardless of the motivation behind the hack, these events have shown how difficult it is to profit from theft or any other illegal activity using cryptoassets. Blockchain transparency has enabled real-time collaboration between protocol developers, stablecoin issuers, blockchain analytics companies and the wider community to ensure that a hacker cannot get away with stolen assets.
Despite the refund, the hacker could still be pursued by the authorities. Their activities left numerous digital breadcrumbs on the blockchain for law enforcement to follow, with the help of blockchain analytics tools.
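The direct and indirect exposure that analytics tools compute (mentioned above for Elliptic’s dataset, and again for the trail left to investigators) can be illustrated with a small hop-count tracer over a transfer graph. This is an added example, not Elliptic’s or Poly Network’s code; the addresses and transfers are constructed, and the flagged set, hop limit and labels are assumptions.

```python
from collections import deque

# Constructed sample transfers (not real Poly Network data): (sender, receiver, asset, amount)
TRANSFERS = [
    ("thief_eth", "hop1", "ETH", 100.0),
    ("hop1", "exchange_deposit", "ETH", 60.0),
    ("hop1", "hop2", "ETH", 40.0),
    ("hop2", "exchange_deposit", "ETH", 10.0),
    ("clean_user", "exchange_deposit", "ETH", 5.0),
    ("thief_eth", "otc_desk", "ETH", 20.0),
]

# Assumed flagged set: the account(s) published as holding stolen funds.
FLAGGED = {"thief_eth"}


def build_graph(transfers):
    """Adjacency list keyed by sender: sender -> [(receiver, asset, amount)]."""
    graph = {}
    for src, dst, asset, amount in transfers:
        graph.setdefault(src, []).append((dst, asset, amount))
    return graph


def exposure(transfers, flagged, max_hops=10):
    """Breadth-first walk forward from flagged addresses.
    Returns {address: shortest hop distance}; hop 1 = received straight from a
    flagged address (direct), hop >= 2 = received via intermediaries (indirect).
    Cycles are safe: a node is only updated when a shorter path is found."""
    graph = build_graph(transfers)
    dist = {}
    queue = deque((addr, 0) for addr in flagged)
    while queue:
        addr, d = queue.popleft()
        if d >= max_hops:
            continue
        for dst, _asset, _amount in graph.get(addr, []):
            if dst in flagged:
                continue
            if dst not in dist or d + 1 < dist[dst]:
                dist[dst] = d + 1
                queue.append((dst, d + 1))
    return dist


def classify(transfers, flagged):
    """Label every exposed address as 'direct' or 'indirect'."""
    return {a: ("direct" if d == 1 else "indirect") for a, d in exposure(transfers, flagged).items()}


def screen_transfer(transfer, transfers, flagged):
    """Screen one incoming transfer: 'direct' if the sender is flagged,
    'indirect' if the sender has any exposure, otherwise 'none'."""
    src = transfer[0]
    if src in flagged:
        return "direct"
    return "indirect" if src in exposure(transfers, flagged) else "none"
```

Addresses absent from the result (here `clean_user`) have no traced exposure; a real screening workflow would also weight by amount and asset rather than hop count alone.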