Hackers have siphoned $611 million worth of cryptocurrencies from a blockchain-based financial network in what’s believed to be one of the largest heists targeting the digital asset industry, putting it ahead of breaches of exchanges Coincheck and Mt. Gox.
Poly Network, a cross-chain decentralized finance (DeFi) platform for swapping tokens across multiple blockchains such as Bitcoin, Ethereum, and others, on Tuesday disclosed unidentified actors had exploited a vulnerability in its system to plunder thousands of digital tokens such as Ether.
“The hacker exploited a vulnerability between contract calls,” Poly Network said.
The stolen Binance Chain, Ethereum, and Polygon assets are said to have been transferred to three different wallets, with the company urging miners of the affected blockchains and centralized crypto exchanges to blocklist tokens coming from the addresses. The three wallet addresses are as follows:
- Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 ($273 million)
- Binance Smart Chain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 ($253 million)
- Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 ($85 million)
In an open letter, the protocol maintainers urged the thieves to “establish communication and return the hacked assets.”
“The amount of money you have hacked is one of the biggest in DeFi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. […] The money you stole are from tens of thousands of crypto community members, hence the people,” the team said.
Tether’s Chief Technology Officer Paolo Ardoino tweeted that the stablecoin company froze $33 million worth of its tokens that were taken in the haul.
“We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can,” Binance CEO Changpeng Zhao said in a tweet.
The identity of the hacker remains unclear, although blockchain security firm SlowMist claimed it was able to trace the attacker's email address, IP address, and device fingerprint, and that their initial source of funds was in Monero coins, which were then exchanged for ETH, MATIC, and other currencies.