Follow-up to the Poly Network incident and the hacker's psychological journey

Published on 8/25/2021   584 views   0 Comments  

Hacker's reminder: in the world of DeFi, you can't trust anyone except code and yourself!

Return of the assets taken by the hacker

It is reported that at about 5:00 p.m. Beijing time on August 11, the hacker behind the Poly Network asset theft gradually began returning coins. They transferred USDC from the Polygon address beginning with 0x5dc36 to the address officially designated by Poly Network, a total of 1,010,100 USDC (a stablecoin).

The hacker returned 23.88 pBTC, worth about $1.1 million, from the Binance Smart Chain (BSC) address.
The hacker returned SHIB and FEI from the Ethereum (ETH) addresses, worth about $2.65 million.

At about 22:00 on August 11, the hacker returned about $253 million on the BSC chain, including BUSD, ETH and BTC.
At 23:30 on August 11, the hacker began returning assets on the Ethereum chain, starting with 14.47 renBTC.

As of 9 a.m. on August 12, the hacker had returned all assets on the Polygon chain, valued at about $85 million.

At noon on August 11, the hacker said: Ready to pay back the money! We haven't contacted the Poly Network officials yet. We need to be provided with a multi-signature wallet. Winning so much wealth is already a legend. Saving the world will become an eternal legend. I have decided not to adopt the DAO scheme.

In the early morning of August 12, the Poly Network hacker published a self-interview in question-and-answer form. As of 8:00 a.m. on August 12, about $250 million of stolen assets on the BSC chain had been returned, about $85 million on the Polygon chain had been returned, and other assets were being returned one after another.

The hacker's self-described psychological course of the attack

Conversation 1:

Q: Why attack?

Hacker: For fun :)

Q: Why Poly Network?

Hacker: Cross-chain attacks are very popular at present.

Q: Why transfer the tokens?

Hacker: To keep them safe.

When I found the flaws, I had mixed feelings. Ask yourself what you would do if you faced so much wealth.

Politely ask the project team so they can fix the problem?

Anyone could be a traitor! I can't trust anyone! The only solution I could come up with was to keep it in a trusted account while maintaining my own anonymity and security.

Now everyone smells a conspiracy. An insider? Not me, but who knows? I have a responsibility to expose the loophole before any insider hides it and uses it!

Q: Why so complicated?

Hacker: Poly Network is a good system. This is one of the most challenging attacks a hacker can enjoy. I had to quickly beat any insider or other hacker. I regarded it as a reward challenge.

Q: Are you exposed?

Hacker: No, absolutely not. I understand that even if I don't do evil, I risk exposing myself. So I used temporary emails, IPs and so-called fingerprints, which can't be traced. I'd rather stay in the dark and save the world.

Conversation 2:

Q: What happened 30 hours ago?

Hacker: It's a long story.

Believe it or not, I was forced to play this game.

Poly Network is a complex system. I couldn't set up a local test environment. I didn't have a PoC at the beginning. However, just before I gave up, the aha moment came. After debugging all night, I made a single message for the Ontology network.

I planned to launch a cool blitz to take over four networks: ETH, BSC, Polygon and HECO. However, the HECO network went wrong! The behavior of its relayer was different from the other relayers. The administrator just relayed my exploit directly, and the key was updated to some wrong parameters. It ruined my plan.

I should have stopped at that moment, but I decided to let the game continue! What if they secretly fixed the vulnerability without any notice?

However, I didn't want to cause real panic in the crypto world. So I chose to ignore the junk coins, so people don't have to worry about them going to zero. I only took the important tokens (except SHIB tokens) and didn't sell any tokens.

Q: Then why sell / swap those tokens?

Hacker: The initial response of the Poly team made me very angry.

Before I had a chance to reply, they urged others to blame and hate me! Of course I knew there were fake DeFi tokens, but I didn't take it seriously because I didn't have a money laundering plan.

At the same time, depositing in Curve can earn some interest to cover potential costs, so I have more time to negotiate with the Poly team.

Conversation 3:

Q: Why tip 13.37 ETH?

Hacker: I felt the warmth of the Ethereum community.

I was busy investigating HECO's problems and debugging my script. I thought it was a network problem. Why couldn't I deposit? (I'm behind a complex proxy.) So I shared my kindness with the person who prompted me.

Q: Why ask about Tornado and a DAO?

Hacker: After witnessing so many hacks, I know that putting money into Tornado is a wise but desperate decision. It goes against my original intention. After meeting so many beggars, becoming a crowdsourced hacker was just my joke :)

Q: Why the refund?

Hacker: This was always the plan! I'm not very interested in money! I know people suffer when they are attacked, but shouldn't they learn something from these hacks? I announced the refund decision before midnight, so those who believe in me should have a good rest ;)

Q: Why is the refund so slow?

Hacker: I really need time to communicate with the Poly team. Sorry, this is the only way I know to prove my dignity while hiding my identity. I need a break.

Q: What do you want to say to the Poly Network team?

Hacker: I have started a short conversation with them. The log is on Ethereum. I may or may not publish it. Their suffering is temporary but unforgettable. I want to give them tips on how to protect their network security so that they can be qualified to manage a $1 billion project in the future. Poly Network is a well-designed system that will handle more assets. They have a lot of new fans on Twitter, right?

Some side stories

The hacker used a bot to speak to the public on Discord:
Guys, ask yourselves, is the Poly team the owner of the assets?

They are just fund managers! Will you teach them how to trigger their "back door"?

In the world of DeFi, you can't trust anyone except code and yourself.

To the "victims":

I'm not saying that the Poly team is untrustworthy, but you have no chance to challenge their code. This should be the law (rule). Don't worry, you're not the real victims. I saved you!

The Poly Network team tried to phish the hacker for an email address:

We can offer you a security bounty when you return all the remaining assets. We will provide a secure address through e-mail.

The hacker mercilessly told the Poly Network team "fuck" and said he didn't use email. Pulling this trick on a hacker is a bit like brandishing a big knife in front of Guan Gong.

Overall, the Poly Network team's performance this time was really poor. When the assets were first stolen, the community was not informed in time, and there was no communication with the community after the theft. The only communication was to justify whether the owner of the cross-chain contract's authority was a single person. The affected victims (DeFi miners), seeing no official statement, quickly formed a WeChat group, shared the messages each party had received, and compiled them into a Google Doc so that everyone could follow the news and progress. Because this editor also followed the incident in the victims' group, he really did not see any official staff in it, nor any indirect communication from them.
