Hacker returns Poly Network funds: Ransom deals in the time of DeFi

Published in

Breadcrumbs

12 min readAug 11, 2021

The saga continues as the Poly Network stolen funds appear to be moving… in the right direction. Breadcrumbs tracked how Poly Network negotiated with the hacker to return the funds and we’re telling you, it’s an interesting one!

On August 11, 2021 funds moved in and out of the PolyNetwork Hacker address. It received:

ETH .05 from 0x3c979fb790c86e361738ed17588c1e8b4c4cc49a (tagged as an unknown centralized service — help us to identify it!)
ETH .01337 from 0x36f95f5d16a1aaefb58a5aaff34fce4b8359f47b

It also sent out funds to address 0x71fb9db587f6d47ac8192cd76110e05b8fd2142f. A total of $4,515,189.00 was sent to this address from four transactions.
(See at bottom for audit of what funds have been returned)

What is this contract?

This address is a multisig contract owned by the following addresses:

0x6c3192FF89b6E20430e3f2069C1133BC64ceF46A — Owner 1
0x0E860F44d73F9FDbaF5E9B19aFC554Bf3C8E8A57 — Owner 2
0x33BB64087E2CA54D1B74bF765745Fdd8eeb196Bb — Owner 3
0x8B35064B158634458Fd53A861d68Eb84152E4106 — Owner 4

Breadcrumbs reviewed if these addresses were owned by Poly Network but our audit showed that these our new addresses created.

Is there anything unusual?

Upon review of the transactions of one of the contract signatories, Poly Network Return wallet Owner 2, we noted that it is a Poly Network address that has been communicating with the hacker as detailed below:

TX Hash: 0xf6488e1efacd9c280eb91133d04ba357beca8016df8b0b0524b9a2e207b2ad7f

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

Can you connect us? contact@poly.network

TX Hash: 0x6b174ace1a83530bd2f33f07b213536699418b533cf2d3685556cf126e7061d8

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

We can offer you a security bounty when you return all the remaining assets.We will provide a secure address through e-mail.

TX Hash: 0xe72e56fa6392b5cae82997aa24d3b668b8a0fba04afb543ea4e7f50295d439d2

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

The decision made by DAO can’t changed the fact that the assets are stolen from crypto believers.We want to offer a security bounty and we hope it will be remembered as the biggest white hat hack in the history.

Hacker responds

TX Hash: 0x7b6009ea08c868d7c5c336bf1bc30c33b87a0eedd59dac8c26e6a8551b20b68a

Hacker SELFSEND directed to Poly Network

READY TO RETURN THE FUND!

TX Hash: 0x79245fb1d1ae48a214118e25d6ad2f9324f514ec6708135a19ba9d4cfa6344f6

Hacker SELFSEND directed to Poly Network

FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU

TX Hash: 0x910b00b2b60b76d7c29a1855f9a1ebf204356eed22498334ddd46e46d96e06c2

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

We are preparing a multi-sig address controlled by known Poly addresses

TX Hash:0xf25ad2da525da68e7e254ecb5d780ae2c64f4df442baa14832fcbdff65dfb193

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

Hope you will transfer assets to addresses below:
ETH: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f
BSC: 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc
Polygon: 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17

Hacker returns funds with some side comments taunting Poly Network

TX Hash: 0x160231043b80c7824f658b3621163ebcc537ff29ad1dfb3572e658ebf0ddc2fd

Hacker SELFSEND directed to Poly Network

ACCEPT DONATIONS TO “THE HIDDEN SIGNER” NOW. ENCRYPT YOUR MSG WITH HIS PUBKEY.

TX Hash: 0x59451c04dd5809958100c20a1263b7c1c6fc5080b38163b5117557418a473c47

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

You are moving things to the right direction. We received 1+M USDC on Polygon. Did you ask us to encrypt the receiving addresses with your BookKeeper public key?

Poly Network Hacker responds

TX Hash: 0x87715ad26621431c2c27f44d9214798e0c81a97d938ba5d4580dcd72f07ec6a8

Hacker SELFSEND directed to Poly Network

DONATE TO 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B IF YOU SUPPORT MY DECISION
ENCRYPT YOUR MSG WITH HIS PUBKEY IF YOU WANT TO TALK

TX Hash: 0xa7cd9cb0211942998602e22ad6f7fd7d9c1eef9515f4e4154a76237d5fd71aa3

Hacker SELFSEND directed to Poly Network

DUMPING SHITCOINS FIRST!
HOW ABOUT UNLOCKING MY USDT AFTER RETURNING ENOUGH USDC?

TX Hash: 0xe229f66efb5003e73cd21976c6490b8c48e73698766ed4ee4ab0f17f0bb14fa3

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

encrypt by the public key of 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B

TX Hash: 0x3de5a4eb6c1953ce2d0422bc5d0d16b2d9e54316cf0784bb793b3c67f09387b7

Hacker SELFSEND directed to PolyNetwork

JUST DUMPED ALL ASSETS ON BSC & POLYGON.
HACKING FOR GOOD, I DID SAVE THE PROJECT

TX Hash: 0xf59c47f47e6f19acc60bea81f6bde2ca41ecefaddc797bdb7fa6a8651aede384

Sender: 0x0e860f44d73f9fdbaf5e9b19afc554bf3c8e8a57

Recipient: PolyNetwork Hacker

We appreciate your returning of assets and the explanation of your motivation. We would like to work with you to resolve the current and future security issues of PolyNetwork. Please complete the returning of assets as you promised and let’s move on.

For a detailed back and forth correspondence, the Hacker shared this sheet.

What’s up with this hacker?

The hacker shared their sentiments or what seemed like a series of FAQs on why they did the hack in a series of self-send transaction messages below:

TX hash: 0xd239b01026c49b234d075e3d23a07efd1c3234239cfb440c0f90d5e84836fbe2

SELFSEND

IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO

Tx hash: 0x552bc0322d78c5648c5efa21d2daa2d0f14901ad4b15531f1ab5bbe5674de34f

SELFSEND

IT WOULD HAVE BEEN A BILLION HACK IF I HAD MOVED REMAINING SHITCOINS! DID I JUST SAVE THE PROJECT?
NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS OR JUST LEAVING THEM HERE

TX Hash: 0x1fb7d1054df46c9734be76ccc14fa871b6729e33b98f9a3429670d27ec692bc0

SELFSEND

Q & A, PART ONE:
Q: WHY HACKING?
A: FOR FUN :)
Q: WHY POLY NETWORK?
A: CROSS CHAIN HACKING IS HOT
Q: WHY TRANSFERING TOKENS?
A: TO KEEP IT SAFE.
WHEN SPOTTING THE BUG, I HAD A MIXED FEELING. ASK YOURSELF WHAT TO DO HAD YOU FACING SO MUCH FORTUNE. ASKING THE PROJECT TEAM POLITELY SO THAT THEY CAN FIX IT? ANYONE COULD BE THE TRAITOR GIVEN ONE BILLION! I CAN TRUST NOBODY! THE ONLY SOLUTION I CAN COME UP WITH IS SAVING IT IN A _TRUSTED_ ACCOUNT WHILE KEEPING MYSELF _ANONYMOUS_ AND _SAFE_.
NOW EVERYONE SMELLS A SENSE OF CONSPIRACY. INSIDER? NOT ME, BUT WHO KNOWS? I TAKE THE RESPOSIBILITY TO EXPOSE THE VULNERABILITY BEFORE ANY INSIDERS HIDING AND EXPLOITING IT!
Q: WHY SO SOPHISTICATED?
A: THE POLY NETWORK IS DECENT SYSTEM. IT’S ONE OF THE MOST CHALLENGING ATTACKS THAT A HACKER CAN ENJOY. AND I HAD TO BE QUICK TO BEAT ANY INSIDERS OR HACKERS, I TOOK IT AS A BONUS CHALL :)
Q: ARE YOU EXPOSED?
A: NO. NEVER. I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON’T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.

TX Hash: 0xd4ee4807c07702a3202f45666983855d7fa22eb1c230e4c1e840fc9389e54729

SELFSEND

Q & A, PART TWO:
Q: WHAT REALLY HAPPENED 30 HOURS AGO?
A: LONG STORY.
BELIEVE IT OR NOT, I WAS _FORCED_ TO PLAY THE GAME.
THE POLY NETWORK IS A SOPHISTICATED SYSTEM, I DIDN’T MANAGE TO BUILD A LOCAL TESTING ENVIRONMENT. I FAILED TO PRODUCE A POC AT THE BEGINNING. HOWEVER, THE AHA MOMEMNT CAME JUST BEFORE I WAS TO GIVE UP. AFTER DEBUGGING ALL NIGHT, I CRAFTED A _SINGLE_ MESSAGE TO THE ONTOLOGY NETWORK.
I WAS PLANNING TO LAUNCH A COOL BLITZKRIEG TO TAKE OVER THE FOUR NETWORK: ETH, BSC, POLYGON & HECO. HOWEVER THE HECO NETWORK GOES WRONG! THE RELAYER DOES NOT BEHAVE LIKE THE OTHERS, A KEEPER JUST RELAYED MY EXPLOIT DIRECTLY, AND THE KEY WAS UPDATED TO SOME WRONG PARAMETERS. IT RUINED MY PLAN.
I SHOULD HAVE STOPPED AT THAT MOMENT, BUT I DECIDED TO LET THE SHOW GO ON! WHAT IF THEY PATCH THE BUG SECRETLY WITHOUT ANY NOTIFICATION?
HOWEVER, I DIDN’T WANT TO CAUSE _REAL_ PANIC OF THE CRYPTO WORLD. SO I CHOSE TO IGNORE SHIT COINS, SO PEOPLE DIDN’T HAVE TO WORRY ABOUT THEM GOING TO ZERO. I TOOK IMPORTANT TOKENS (EXCEPT FOR SHIB) AND DIDN’T SELL ANY OF THEM.
Q: THEN WHY SELLING/SWAPPING THE STABLES?
A: I WAS PISSED BY THE POLY TEAM FOR THEIR INITIAL REPONSE.
THEY URGED OTHERS TO BLAME & HATE ME BEFORE I HAD ANY CHANCE TO REPLY! OF COURSE I KNEW THERE ARE FAKE DEFI COINS, BUT I DIDN’T TAKE IT SERIOUSLY SINCE I HAD NO PLAN LAUNDERING THEM.
IN THE MEANWHILE, DEPOSITING THE STABLES COULD EARN SOME INTEREST TO COVER POTENTIAL COST SO THAT I HAVE MORE TIME TO NEGOTIATE WITH THE POLY TEAM.

TX Hash: 0xe954bed9abc08c20b8e4241c5a9e69ed212759152dd588bb976b47eca353a5bc

SELFSEND

Q & A, PART THREE:
Q: WHY TIPPING 13.37?
A: I FEELED THE WARMTH FROM THE ETHEREUM COMMUNITY.
I WAS BUSY INVESTIGATING ISSUES FROM HECO AND DEBUGGING MY SCRIPTS. I THOUGHT IT WERE NETWORKING ISSUES WHY I COULD NOT DEPOSIT (I WAS BEHIND A SOPHISTICATED PROXY). SO I SHARED MY GOODWILL THE GUY.
Q: WHY ASKING TORNADO AND DAO?
A: HAVING WITNESSED SO MANY HACKINGS, I KNEW DEPOSITING INTO TORNADO IS A WISE BUT DESPERATE DECISION. IT WAS AGAINST MY ORIGINAL INTENTION. BEING THE CROWDSOURCED HACKER WAS JUST MY BAD JOKE AFTER MEETING SO MANY BEGGARS :)
Q: WHY RETURNING?
A: THAT’S ALWAYS THE PLAN! I AM _NOT_ VERY INTERESTED IN MONEY!I KNOW IT HURTS WHEN PEOPLE ARE ATTACKED, BUT SHOULDN’T THEY LEARN SOMETHING FROM THOSE HACKS? I ANNOUNCED THE RETURNING DECISION BEFORE MIDNIGHT SO PEOPLE WHO HAD FAITH IN ME SHOULD HAD A GOOD REST ;)
Q: WHY RETURNING SLOWLY?
A: I DO NEED TIME TO TALK WITH THE POLY TEAM. SORRY, IT’S THE ONLY WAY I KNOW TO PROVE MY DIGNITY WHILE HIDING MYSELF IDENTITY. AND I NEED SOME REST.
Q: THE POLY TEAM?
A: I ALREADY STARTED TALKING WITH THEM BRIEFLY, THE LOGS ARE ON THE ETHEREUM. I MAY OR MAY NOT PUBLISH THEM. THE PAINS THEY HAVE SUFFERED IS TEMPORARY BUT MEMORABLE.
I WOULD LIKE TO GIVE THEM TIPS ON HOW TO SECURE THEIR NETWORKS,SO THAT THEY CAN BE ELIGIBLE TO MANAGE THE BILLION PROJECT IN THE FUTURE. THE POLY NETWORK IS A WELL DESIGNED SYSTEM AND IT WILL HANDLE MORE ASSETS. THEY HAVE GOT A LOT OF NEW FOLLOWERS ON TWITTER, RIGHT?

TX Hash: 0xe926ef4b6f4e3ff1b680df02a6a2456cd9b415d25f051bb894ea3e24cfa864f0

SELFSEND

I DON’T USE EMAIL. FUCK polyhacker@yandex.com & negotiations@cock.li

TX Hash: 0xa5371eda3e56a614cdecc2b875f4236c7651e8ab3822f798b108e14b2659aaaa

SELFSEND

DISCLAIMER: I HAVE NEVER ASKED FOR BOUNTY FROM POLY NETWORK
WHAT I HAVE SAID IS ON THE CHAINS

TX Hash: 0xde330cbd5484e9ce808c60d3a76739f224eb8390b6b891a8e4d29dbdaeab826d

SELFSEND

Q & A, PART FOUR:
Q: WHY CEX? NOOB?
A: WHATEVER :)
THE KEY CHALLENGE OF THIS HACK IS TO INVOKE SOME CONTRACT FROM THE ONTOLOGY NETWORK (MY FAVOURITE PART). YOU HAVE TO GET SOME “GAS” FOR THE ONTOLOGY NETWORK, WHICH IS CALLED “ONG”.
HOWEVER, IT’S NOT A DEFI TRADABLE TOKEN. I CAN ONLY FIND IT ON SOME CHINESE(?) CEXES. WHY BOTHER TRADING FROM DEX IF YOU HAVE TO GO THROUGH CEX? WHY DO YOU THINK I MAY LEAVE TRACES IN THE DEXES?
Q: WHY REFUND? COWARD?
A: WHATEVER :)
WHEN YOU JUDGE OTHERS, YOU DO NOT DEFINE THEM, YOU DEFINE YOURSELF.
I ALREADY ENJOYED WHAT I CARED MOST: HACKING & GUIDING.
FEW HACKERS CAN UNDERSTAND THE SITUATION OF DEFI SECURITY. YES, YOU SEE A LOT OF HACKS, BUT MOST OF THEM ARE NOT ENJOYABLE AS A REAL HACKER. SOME STUPID CODE LEADS TO HUGE AMOUNT OF LOSS, BUT IT’S NOT CHALLENGING. IT’S LIKE FIGHTING AGAINST A TEENAGER.
I WOULD ADMIT THAT THE POLY HACK IS NOT AS FANCY AS YOU IMAGINE, BUT I DID EXPERIENCED SOMETHING NEW FROM THE PROJECT. I WOULD SAY FIGUING OUT THE BLIND SPOT IN THE ARCHTECTURE OF POLY NETWORK WOULD BE ONE OF THE BEST MOMENTS IN MY LIFE.
I HAVE GOT ENOUGH MONEY AS THE GROWTH OF THE CRYPTO WORLD. I HAVE BEEN EXPLORING THE MEANING OF LIFE FOR A WHILE. I HOPE MY LIFE CAN BE COMPOSED OF UNIQUE ADVENTURES, SO I LIKE LEARN & HACK EVERYTHING IN ORDER TO FIGHT AGAINST THE FATE. SEIN ZUM TODE.
TO BE HONEST, I DID HAVE SOME SELFISH MOTIVES TO DO SOMETHING COOL BUT NOT HARMFUL BY LEVERAGING THE HUGE FUND, LIKE THE DAO IDEA. THEN I REALIZED BEING THE MORAL LEADER WOULD BE THE COOLEST HACK I COULD EVER ARCHIVE! CHEERS!

TX Hash: 0x078063e9574e1937a64b6552919b9fc0035429df1e601d79e200bf211e75f337

SELFSEND

GUYS, ASK YOURSELF, IS THE POLY TEAM THE OWNER OF THE ASSETS? THEY ARE JUST THE MANAGER OF THE FUND! WILL YOU TEACH THEM HOW TO TRIGGER THEIR “BACKDOOR”? IN THE DEFI WORLD, YOU CAN TRUST NOBODY BUT THE CODE AND YOUSELF.
TO THE “VICTIMS”: I DON’T MEAN THE POLY TEAM IS NOT TRUSTWORTHY, BUT NONE OF YOU HAVE THE CHANCE TO CHALLENGE THEIR CODE WHICH SHOULD BE THE LAW. DON’T WORRY, YOU ARE NOT REAL VICTIMES. I SAVED YOU!

What happened to hanashiro.eth?

You are probably wondering, “Where does hanashiro.eth fit in all of these?” We are not surprised that he still made a cameo appearance thus far and they sent three transactions to the contract with the following deep/pitch deck-y messages:

TX Hash: 0x5e092d0167ca07c75b234f4081dc0f770c2b5f1582f61c95e26ce87f1356e33f

Sender: Hanashiro.eth

Recipient: Poly Network Return Wallet

Our protocol includes the following two parts:
1. a solution to implement interoperation between blockchains
2. a two-phase commit protocol for atomic cross chain transactions
This groundbreaking interoperability protocol mainly has the following advantages:
• Wide range of support and strong versatility
Support for heterogenous and homogeneous chains, including BTC, ETH, NEO, Ontology and Cosmos. Our protocol can quickly support other heterogeneous chains and don’t need to make a lot of changes to the underlying architecture. For the heterogeneous chain that are already supported, the homogeneous chain fork from the chain can join in seamlessly.
• Easy to join in
If the underlying architecture of the chain supports smart contract, only two contracts need to be deployed to support cross-chain. If not, only two additional functional modules need to be added.
• Support atomic transaction
Our protocol aims to achieve the ultimate and atomic nature of cross chain transactions, with a focus on cross chain smart contract interactions to extend the scope of application scenarios for decentralized applications.
• Support cross-chain of arbitrary information
Our protocol is not limited to cross-chain of assets, it will support crosschain of arbitrary information.
• Security Enhancement
Our protocol is based on cryptography, and adds a complex set of mechanisms at the technical and operational levels to enhance the security of cross chain transactions and interactions.
• Eco Friendly
Our protocol is designed for cross chain, and neither issuing tokens nor a dedicated smart contract system, it is more able to deal with compliance issues, the alliance chain and private chain can also join in.

TX Hash: 0xd805003ec5c982563369ae104dc9b3c25939a275842eb8224c0b6455475a7241

Sender: Hanashiro.eth

Recipient: Poly Network Return Wallet

Cross-chain Contract Call
Sometimes we will encounter a situation such that different modules of a DAPP may be deployed on different chains. How does a user from a chain call modules on other chains? And how do different modules interact if chain A needs to know the result of chain B to proceed to the next step?
Our solution distinguishes the cross-chain read operations and cross-chain write operations. Users can get the status of the destination chain at a specific block height from the source chain by using a read operation. Users can send a transaction to the destination chain (transfer assets, call a contract or some other operations) by initialing a write operation. The combination of read and write operations enables interaction between cross-chain contracts.
Different from some current popular cross-chain solutions, our solution does not require the participant chain to follow the unified cross-chain protocol standard at the initial design level of the underlying platform. Of course, the unified cross-chain protocol standard can be used to constrain the future chain. But for many existing public chains, it is impractical to make changes in the underlying layer to conform to the cross-chain standard. Our two-phase protocol is suitable for most of the existing blockchains and it is a universal solution in the true sense.
Conclusion
In this cross chain project, we outlined our core structure based on Read and Write operation to implement the interoperation between blockchains. This project can remove the barrier of information silos and improve the user experience when using and developing DApps. We have provided a precise proof for the safety of this cross chain project. We briefly talked about some new strategies to optimize our cross chain solution for further development. We have drafted an economic model for incentivizing relayers to make our network better. We are devoting ourselves for a better blockchain network, and we hope our project will be a big step in the development process of Web 3.0.
(LOL)

TX Hash: 0xbbcf659aa2b7f9498aba6f399c25dc82f7ec6c252271c10edec9fcdd647d4e3d

Sender: Hanashiro.eth

Recipient: Poly Network Return Wallet

I’M QUITE INTERESTED IN YOUR PROJECT ONCE I KNOW O3SWAP & POLYNETWORK IN POLYGON ICEAGE MINING FIRST TIME, HOWEVER, OPEQUE SOURCE CODE AND LACK OF TRANSPARENCY MADE ME TOO SCARE TO APPROACHING.
FINALLY, CATASTROPHE HAPPENED, SO SAD AND SOOOOO DISAPPOINTED.
THE WHOLE THING RUINED MY NORMAL LIFE. I DON’T WANT TO FOCUS THIS OR GET INTO THIS ANYMORE.
FIN.

How about the other chains?

Breadcrumbs reviewed the return wallets Poly Network created in the other blockchains as mentioned in their message to the hacker. As of this writing, around $342,073,666.87 have been returned by the Hacker on all three blockchains.

All of the funds taken from BSC and Polygon have been returned in full. There is still $268,475,532 USD worth of funds that the hacker is still in possession of, all sitting on the Ethereum blockchain.