On Aug. 10, hackers pulled off what looked to be the largest cryptocurrency heist in history, stealing more than $610 million from the blockchain exchange platform Poly Network. Their triumph appears to have been short-lived.
Like several recent high-profile hacks, the sheer scale and audacity of the theft immediately attracted attention from cybersecurity researchers and law enforcement. Cybersecurity experts quickly ferreted out clues to the hackers’ identities and traced the stolen cryptocurrency back to the digital wallets where they had been stashed. Poly Networks posted stern warnings on Twitter to return the money as law enforcement was watching.
Within 24 hours, the hackers capitulated and began returning the stolen currency to Poly Network, which runs a platform where users can exchange one form of cryptocurrency for another. The hackers, whose identities remain unknown, have reportedly sent back $256 million so far. It’s unclear whether they intend to keep any of the money they stole.
The episode highlights the vulnerability of crypto exchanges, which have been increasingly targeted by hackers in recent years. But it also underscores a golden rule that hackers must follow to avoid complications: Don’t steal too much in any single attack. The biggest exploits draw scrutiny from researchers who trace the stolen money and occasionally prompt counterattacks from intelligence agencies, while those who commit smaller heists often escape consequences.
DeFi hacks are on the rise
The days of gangsters sticking up banks are (mostly) over. These days, crime syndicates are better off targeting cryptocurrency exchanges, where people swap buy and sell digital currencies. At any given moment, these exchanges may hold hundreds of millions of dollars in cryptocurrency—which a team of talented hackers can siphon off without firing a shot.
The $610 million loss in the Poly Network hack was the largest publicly reported theft to date. But that obscures the rise of much smaller financial crimes. Over the first seven months of 2021, a record-setting string of smaller-scale cryptocurrency hacks accounted for $361 million in losses. That figure represents a nearly threefold increase over the same period in 2020.
In recent years, hackers have regularly set new records for their attacks on the so-called “decentralized finance,” or DeFi, industry, which develops the software that underpins cryptocurrencies. In 2014, hackers made off with $460 million in bitcoin from the Tokyo-based Mt. Gox exchange, leading to its collapse. In 2018, a cybergang nicked $530 million from Coincheck, another Tokyo-based exchange.
Poly Network hackers wave the white flag
Within hours of the Poly Network attack, researchers at the cybersecurity firm SlowMist claimed (link in Chinese) they had tracked down the hackers’ email, IP address, and the little-known Chinese cryptocurrency exchange they had used to hide the stolen money. Poly Network posted a message to the hackers on Twitter, warning they had attracted too much attention and would never be able to spend the spoils without law enforcement tracking them down through their transactions.
The next day, the hackers signaled their capitulation by minting a token named “The hacker is ready to surrender” and sending it to Poly Network. The exchange set up three cryptocurrency wallets for returning funds, and as of the time of publication, it has reportedly gotten more than a third of the stolen money back.
The Poly Network hackers are following in the footsteps of other cybercriminals that have recently bitten off more than they could chew and faced consequences. After ransomware gang DarkSide hacked Colonial Pipeline and disrupted US fuel supplies in May, it was forced to shut down and the FBI clawed back much of the ransom from its big score. Ransomware gang REvil also apparently shut down following its headline-grabbing July 4 hack that affected more than 1,000 businesses.
Only the biggest hacks draw scrutiny
Hacks, on the whole, are on the rise as increasingly sophisticated cybergangs make handsome profits and operate with impunity in host countries like Russia and China. But only the most sensational hacks have elicited crackdowns from authorities. And even when hackers attract police attention, they often resurface later under a new alias.
The Poly Network attack is the rare instance of a hack that may have a happy ending for the victim (although the incident may still cause hardship for the crypto exchange, which will have to regain its users’ trust after the security lapse). A true solution to the widespread scourge of criminal hacking will only come from an international pressure campaign aimed at permissive host countries that tolerate hacking groups in their jurisdictions. Without the cooperation of those governments, crackdowns on hacking groups will remain scattershot and ineffective.