NEW YORK: Hackers behind one of the biggest ever digital coin heists have now returned nearly all of the US$610 million-plus they stole, Poly Network, the cryptocurrency platform targeted earlier this week by the attack, said on Thursday (Aug 12).
The platform, which was little known before Tuesday's heist, declared the hacker a "white hat" on Twitter upon the return of the funds, a term for ethical hackers who generally aim to expose cyber vulnerabilities.
Poly Network, which facilitates peer-to-peer token transactions, added that the tokens were transferred to a multi-signature wallet controlled by both the platform and the hacker.
The only remaining tokens yet to be returned are the US$33 million in tether stablecoins frozen earlier in the week by cryptocurrency firm Tether, Poly Network said.
"The repayment process has not yet been completed. To ensure the safe recovery of user asset, we hope to maintain communication with Mr. White Hat and convey accurate information to the public," said Poly Network on Twitter.
A person claiming to have perpetrated the hack said Poly Network offered him a US$500,000 bounty to return the stolen assets and promised that he would not be accountable for the incident, according to digital messages shared on Twitter by Tom Robinson, chief scientist and co-founder of Elliptic, a crypto tracking firm.
Poly Network, which allows users to transfer or swap tokens across different blockchains, said on Tuesday it had been hit by the cyberheist, urging the culprits to return the stolen funds.
The as-yet unidentified hacker or hackers appear to have exploited a vulnerability in the digital contracts Poly Network uses to move assets between different blockchains, according to blockchain forensics company Chainalysis.
On Wednesday, the hackers started returning the stolen coins, leading some blockchain analysts to speculate that they might have found it too difficult to launder stolen cryptocurrency on such a scale.
Later on Wednesday, the hackers said in digital messages also shared by Elliptic that they had perpetrated the attack "for fun" and wanted to "expose the vulnerability" before others could exploit it and that it was "always" the plan to return the tokens.
At US$600 million, however, the Poly Network theft far outstripped the record US$474 million in criminal losses that were registered by the entire decentralized finance (DeFi) sector from January to July, according to crypto intelligence company CipherTrace.
The theft illustrates the risks of the mostly unregulated DeFi sector, said crypto experts. DeFi platforms allow users to conduct transactions, usually in cryptocurrency, without traditional gatekeepers such as banks or exchanges.
A person claiming to be the hacker told their side of the story in a question-and-answer style post on Twitter.
The hacker said the heist was pulled "for fun" to expose a flaw that could have cost Poly Network dearly and undermined faith in cryptocurrencies.
"I would say figuring out the blind spot in the architecture of Poly Network would be one of the best moments in my life," the post read.
"To be honest, I did have some selfish motives to do something cool but not harmful... then I realized being the moral leader would be the coolest hack I could ever archive."
The return of the digital loot came as the thief was tracked by "white hat" hackers who use their software skills for good.
Their nefarious counterparts are referred to as "black hat" hackers in the cybersecurity world.
The heist had sparked debate about whether it would be fair to let the hacker keep some of the loot as reward for uncovering a Poly Network security weakness.
Open-source developers alliance BinomialPool in a tweeted exchange proposed a bounty of 5 per cent to 10 per cent for pulling off such crypto-hacks.
"This could be a win-win," tweeted @BinomialPool.
"Hackers don't go into jail. The community faces acceptable losses. Code gets better."
In an exchange on Twitter, Poly Network promised to pay a US$500,000 bug bounty after the stolen assets are returned.
Poly Network also assured the hacker they would not be held accountable.
"We think this behavior is white hat behavior, therefore this 500,000 USD will be seen as completely legal bounty reward," Poly Network said in the exchange.
Paying hackers bounties for uncovering and reporting bugs in software is common practice in the tech world.