Crypto Hack Earned Crooks $600 Million

2021-08-11T15:12:47
ID THREATPOST:4F60E983E4CE1A3DF45A40539F157755
Type threatpost
Reporter Tom Spring
Modified 2021-08-11T15:12:47

Description

Attackers reportedly stole $600 million from the cryptocurrency platform Poly Network, in what experts say is one of the largest crypto heists to date.

Poly Network, a decentralized finance (DeFi) platform based in China, publicly acknowledged that an attacker “exploited a vulnerability” that allowed them to assign themselves the ownership of money processed through the platform.

According to a statement made on Wednesday by the company, attackers abused the function “_executeCrossChainTx”. The company said that this specific function dictates the “between contract calls” and is tied to interoperability needed to communicate between independent blockchains.

A blockchain is a specific type of database. When used in the context of cryptocurrency, it serves as a ledger for irreversible transactions.

What Poly Network Is Disclosing

“The attacker use this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract,” Poly Network stated.

Attackers snatched up a reported $611 million in digital tokens. Tokens (or crypto tokens) represent an asset that resides on a blockchain. Unlike a crypto coin, a token is associated with a specific blockchain (or ledger). In this case, it was Poly Network’s platform that was used to steal Ethereum (ETH) and BowsCoin (BSC) tokens.

In an “important notice” posted to Twitter, Poly Network stated: “We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.”

In a string of follow-up tweets the company urged crypto-miners “of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses. @Tether_to @circlepay.”

Attackers Return Funds?

Poly tweeted that it planned to take legal action and demanded that the attackers return the funds.

In a follow-up tweet posted at 7:47 a.m. ET, Poly Network said some assets ($4.7 million) were returned by the attackers.

“So far, we have received a total value of $4,772,297.675 assets returned by the hacker,” Poly Network tweeted.

In a message from the hackers, associated with the illicit transaction, an attacker wrote: “I need a secured multisig wallet from you.” This, experts say, was an effort to return some of the stolen tokens.

A blockchain analysis by BleepingComputer revealed some of the loot stolen was also redirected to the non-profits Binance Charity and Archive.org. Additional funds were sent to blockchain search engine Etherscan and Ethereum blockchain developer infura.io.

Changpeng Zhao, CEO of Binance, one of three platforms from which stolen assets were taken, wrote on Twitter: “We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can.”

Is Poly Network’s Loss the Largest Crypto Attack?

Based on recent publicly disclosed losses due to attacks, Poly Network’s losses are the largest to date to be associated with cryptocurrency firms.

In 2018, Coincheck, a Tokyo-based exchange, lost $530 million in digital coins. In 2013, Mt. Gox, another Tokyo-based exchange, collapsed after a massive distributed-denial-of-service attack triggered the loss of an estimated $500 million in bitcoin. In 2019, Italian exchange BitGrail was hacked, with losses totaling an estimated $195 million.
