© Reuters. FILE PHOTO: A person wearing a balaclava is silhouetted as he poses with a laptop in front of a screen projected with the word ‘cyber’ and binary code, in this picture illustration taken in Zenica October 29, 2014. REUTERS/Dado Ruvic/File photo
By Alun John, Tom Westbrook and Tom Wilson
HONG KONG/SINGAPORE/LONDON (Reuters) – A cryptocurrency platform has lost an estimated $600 million in digital tokens after one of the sector’s biggest ever hacking attacks, according to details of the heist which emerged on Wednesday.
Poly Network, a decentralised finance platform (DeFi), announced the hack on Twitter https://twitter.com/PolyNetwork2/status/1425073987164381196 and posted details of digital wallets to which it said the money was transferred, urging people to blacklist tokens from those addresses.
The value of the tokens in the wallets cited by Poly was just over $600 million at the time of the announcement, according to crypto trade publication The Block.
The heist appears to be one of the biggest ever in cryptocurrency markets, and compares with the $530 million in cryptocurrency stolen from Tokyo-based bitcoin exchange Coincheck in 2018.
Crypto exchange Mt. Gox, also based in Tokyo, collapsed in 2014 after losing half a billion dollars in bitcoin.
The latest attack comes as losses from theft, hacks and fraud related to decentralised finance hit an all-time high, raising the risk of both investing in the sector and of regulators looking to shake it down.
DeFi https://www.reuters.com/article/us-crypto-currencies-lending-insight-idUSKBN25M0GP refers to peer-to-peer cryptocurrency platforms that allow transactions without traditional gatekeepers such as banks or exchanges. Poly Network allows users to swap tokens across different blockchains.
“It is a massive hack … as large as Mt. Gox,” said Bobby Ong, co-founder of crypto analytics website CoinGecko, although he noted the fallout had not yet hurt major crypto prices.
“This project is finished in my opinion. (It is) going to take a lot to regain confidence,” Ong said.
Poly did not immediately respond to a request on Wednesday for more detail about the incident. It was not immediately clear where the platform is based, or whether any law enforcement agency was investigating the heist.
Poly tweeted it planned to take legal action and urged the hackers to return the assets, a move analysts said underscored how hard it is to recover stolen tokens.
“It is not like an ordinary bank heist where the money is stolen from the bank who remains the victim,” said Jake Moore, cybersecurity specialist at cybersecurity firm ESET and former head of digital forensics at Britain’s Dorset Police.
“Money stolen which is stored in digital ledgers is taken from individual accounts and this is what worries those choosing to store their money in these locations,” Moore added.
The stolen funds amount to more than the criminal losses registered by the entire DeFi sector from January to July of a record $474 million, according to a report from crypto intelligence company CipherTrace.
Proponents of DeFi say the technology will allow more people and businesses to access financial services. Yet it is mostly unregulated, with tech flaws and weaknesses in the code many platforms use leaving it vulnerable to hacks and heists.
Still, a message embedded in transactions from one of the wallets controlling the missing funds said: “I need a secured multisig wallet from you,” possibly in an attempt to try and return the loot.
“It’s already a legend to win so much fortune,” read a subsequent message.
The chief technology officer of Tether, a stablecoin, also said on Twitter the company had frozen $33 million connected with the hack, and top management at large crypto exchanges responded to Poly on Twitter saying they would try to help.