A person claiming to be the hacker behind one of the biggest cryptocurrency heists of all time says they stole the funds “for fun.”
More than $600 million worth of crypto was stolen in the cyberattack, which targeted a decentralized finance platform called Poly Network.
Decentralized finance — DeFi, for short — is a fast-growing space within the crypto industry that aims to reproduce traditional financial products like loans and trading without the involvement of any middlemen.
While it has attracted billions of dollars in investment, the DeFi space has also given rise to new hacks and scams. For example, a token backed by billionaire investor Mark Cuban recently dropped from $60 to several thousandths of a cent in an apparent “bank run.”
Poly Network is a platform that looks to connect different blockchains so they can work together. A blockchain is a digital ledger of transactions that’s maintained by a distributed network of computers, rather than a central authority.
On Tuesday, a hacker exploited a flaw in Poly Network’s code which allowed them to steal the funds. According to researchers at blockchain security firm SlowMist, Poly Network lost more than $610 million in the attack.
Poly Network then pleaded with the hacker to return the money and, sure enough, nearly half of the crypto haul was returned by Wednesday. As of Thursday morning, $342 million worth of assets had been returned, according to Poly Network.
In a Q&A embedded within a digital currency transaction Wednesday, a person claiming to be the anonymous hacker explained their reasoning behind the hack — “for fun.”
“When spotting the bug, I had a mixed feeling,” the person said. “Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion!”
“I can trust nobody!” they continued. “The only solution I can come up with is saving it in a _trusted_ account while keeping myself _anonymous_ and _safe_.”
The person also gave a reason for why they returned the funds, claiming: “That’s always the plan! I am _not_ very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
Tom Robinson, chief scientist at blockchain analytics firm Elliptic, said the person writing the Q&A was “definitely” the hacker behind the Poly Network attack.
“The messages are embedded in transactions sent from the hacker’s account,” Robinson told CNBC. “Only the holder of the stolen assets could have sent them.”
CNBC could not independently verify the authenticity of the message and the hacker, or hackers, have not been identified. SlowMist said its researchers had tracked down information on the attacker’s IP and email information. In the Q&A, the hacker claimed they took care to ensure their identity was “untracable.”