The largest crypto-robbery in history is rapidly turning into the most bizarre as well. Let’s start at the beginning…

In an apparent scream for mercy, 21 hours ago the Poly Network Team reached out via Twitter to “hacker(s)” that had managed to transfer roughly $600 million in digital tokens out of its control and into separate cryptocurrency wallets.

It alerted the world to what looks like the biggest crypto-heist in history, dwarfing even the landmark Mt. Gox theft in 2014.

Dear Hacker,

We are the Poly Network team.

We want to establish communication with you and urge you too return the hacked assets.

The amount of money you hacked is the biggest one in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole are from tens of thousdands of crypto community members, hence the people.

You should talk to us to work out a solution.

Poly Network Team

Poly Network describes itself as a project to “implement interoperability between multiple chains” and says it has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. What really matters though, is that underneath all that, it’s a website users can join their cryptocurrency wallets to. Something that makes both legitimate trading and theft much easier.

Insecure code

As with any exchange type of robbery (and they are many, and frequent) there are screams about inside jobs. The Poly Network team says hackers have exploited a vulnerability in its system to steal about $267m of Ether currency, $252m of Binance coins, and roughly $85 million in USDC tokens. According to Poly Network a preliminary investigation found a hacker exploited a “vulnerability between contract calls” (contracts are code stored on blockchains).

Not long after the heist, SlowMist published a post on Medium explaining the vulnerability. Cutting to the chase, the important part of the analysis is this bit: “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.” In other words, the Poly Network code had a bug that allowed attackers to make themselves the owner of other people’s money.

Freezing accounts

Poly Network has blocklisted the addresses of the cryptocurrency was transferred into. It said it is also working with its partners to freeze the hackers’ accounts. This is a step that can make it harder for the thieves to use stolen money. Cryptocurrency payments are pseudonymous but they are not private: Every transaction is traceable and if everyone agrees not to trade with blocklisted accounts they are essentially frozen.

Making it impossible for the thieves to move the stolen cryptocurrency would certainly make them more admissible for negotiations. After all, what is your full bank account worth if you can never hope to spend the money?

A rough time for cryptocurrencies

Like any technology, cryptocurrencies are neutral, neither intrinsically good or bad, but they do have a way of attracting bad news. Poorly-secured exchanges, exit scams, pump-and-dump scams, inside jobs, and colossal thefts are part of the furniture. Cryptocurrencies are also popular for tax evasion and, of course, an essential part of the recent boom in ransomware.

Recently, we have seen a call to action from governments that want more oversight and control over cryptocurrencies. Their concern isn’t following where the money goes, that’s easy, but linking real identities to the anonymous IDs used in blockchain transactions.

Among those contributing to the mood music that “something must be done” about cryptocurrencies, the US senate is getting ready to vote on a bipartisan infrastructure package, which would impose more federal regulation on cryptocurrencies; the director of the Dutch economic advisory Centraal Planbureau (CPB) has argued that all cryptocurrencies should be banned; Turkey has banned cryptocurrencies as a legal from of payment; India is considering whether to make the mining and possession of cryptocurrencies illegal; and China has banned initial coin offerings and announced a crack down on Bitcoin mining and trading.

Listening to the plea?

Poly Network provided the hacker with three addresses and as it seems the hackers have been busy returning some funds. At the time of writing they had returned less than 1 percent of the money,

You should be able to follow the developments in this thread on Twitter.

Update 11 August, 15:10 UTC. It gets weirder

Elliptic reports that the crypto-robber has now returned $258 million worth of cryptocurrency, suggesting that the crypto-robber may be serious about returning all the stolen money.

Negotiations between Poly Network and the thief started early and appear to be going well. Communicating via metadata on Ether transactions, the thief declared early on (about 12 hours ago) they were “NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS”.

The hacker sends a message to Poly Network in Ether metadata.

In response, Poly Network offered an undisclosed “security bounty”, and dangled the carrot of notoriety, saying: “We want to offer a security bounty and we hope it will be remembered as the biggest white hat hack in the history.”

Seeming to prefer the role of hero over villain, the thief replied “IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD”.

As if that wasn’t weird enough, in a further bizarre twist, the thief has also declared they are taking donations, should anyone wish to thank them for returning all the money, or finding the bug, or something.