In messages attached to return transactions, the hacker said giving the assets back was ‘always the plan’.
The perpetrator of this week’s $600m cryptocurrency theft has returned more than half of the stolen assets to Poly Network.
The platform announced on Twitter that it had seen $342m of the funds returned as of this morning (12 August). The assets sent back were $252m of Binance Smart Chain, $85m of Polygon and $4.6m of Ethereum. $268m of Ethereum remains missing.
After the heist, Poly Network published an appeal to the hacker, saying it wanted to “establish communication” and “work out a solution”. The platform noted both that the stolen assets were “from tens of thousands of crypto community members” and that one of the largest such heists in history was likely to be pursued aggressively by law enforcement.
Blockchain analytics firm Elliptic published a list of messages that were embedded in the transactions that returned the money. The hacker said they had performed the heist “for fun” and claimed that their main motivation was to expose serious flaws in Poly Network’s systems.
“I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
They also said returning the assets was “always the plan” and they were “not very interested in money”, but that they were returning the assets gradually because they “need time to talk with the Poly team”.
Speaking to CBNC, Elliptic chief scientist Tom Robinson said that even if the hacker did or did not always intend to return the money, “this demonstrates that even if you can steal crypto assets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics”.
Notably, the thief also said they chose to steal larger and more popular coins from Poly Network instead of more niche ones, “so people didn’t have to worry about them going to zero”. They said they “didn’t want to cause real panic of [sic] the crypto world”.
Blockchain security company SlowMist said in a blog post that it had “grasped the attacker’s mailbox, IP and device fingerprints” and was “tracking possible identity clues”. The thief claimed in their messages that they had successfully hidden their identity, used a disposable email and masked their IP address.
Despite the perpetrator’s claims that they performed the heist for fun and for altruistic security purposes, they did provide an address where people could send donations “if you support my decision”. At time of reporting, the account had received just under $3,800 in donations.