A firm specialising in transferring cryptocurrency said that hackers have given back US$260 million worth of digital loot from a record haul.
Poly Network fired off a tweet Wednesday saying hackers had returned US$260 million worth of the digital assets taken in a heist a day earlier valued at US$613 million.
Polygon had urged the thieves to return the stolen fortune and provided online addresses for transfers.
“Seven minutes prior to sending the first transaction returning some of the funds, the hacker created a token called ‘The hacker is ready to surrender’ and sent this token to the designated Polygon address,” digital asset research firm The Block said in a post at its website.
One of the touted features of cryptocurrency is that blockchain transactions are public, even if the people behind them are not.
Poly Network had put out a plea for the stolen Ethereum, BinanceChain and OxPolygon tokens to be shunned by traders running “wallets” for storing cryptocurrency.
“The amount of money you hacked is the biggest one in the defi history,” Poly Network said in a tweeted message to the thieves, using a reference to decentralised finance involving cryptocurrency.
“The money you stole are from tens of thousands of crypto community members.”
The return of some of the digital loot came as the thieves were tracked by “white hat hackers” who use their software skills for good.
The heist also sparked debate about whether it would be fair to let the hackers keep some of the loot as reward for uncovering a Poly Network weakness that could have been even more costly.
Open source developers alliance BinomialPool in a tweeted exchange proposed a bounty of 5% to 10% for pulling off such crypto-hacks.
“This could be a win-win,” tweeted @BinomialPool.
“Hackers don’t go into jail. The community faces acceptable losses. Code gets better.”
Paying hackers bounties for uncovering and reporting bugs in software is common practice in the tech world.
Blockchain system defence firm SlowMist put out word it is on the trail of the cyber crooks who pulled the Poly Network heist.
“The SlowMist security team has grasped the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking, and is tracking possible identity clues related to the Poly Network attacker,” the company said in a blog post.
Poly Network threatened police involvement, but also offered the hackers the chance to “work out a solution”.
The US Department of Justice and FBI did not respond to requests for comment.
Poly Network posted online addresses used by the hackers, and called on “miners of affected blockchain and crypto exchanges to blacklist tokens” coming from them.
Poly Network did not reply to an AFP request for comment, but Twitter users echoed calculations valuing the hackers’ haul at some US$600 million.
As of the end of April, cryptocurrency thefts, hacks and fraud so far this year totalled US$432 million, according to an analysis by CipherTrace.
That compares to 2019, when defi hacks were virtually non-existent, according to CipherTrace.