The booty was enormous: More than 600 million dollars in crypto currencies such as ether had been stolen from Poly Network by one or more strangers on Tuesday. Now they are apparently trying to return their prey. According to the company, almost half of the damage was transferred back to them.
Poly Networks specializes in cross-system transfers of cryptocurrencies. On Tuesday, the company threatened the attackers on Twitter that their theft would be prosecuted as economic crimes by many countries and asked the perpetrators: “Dear hackers, we would like to contact you and ask you to return the assets you hacked”.
The appeal could have been dismissed as a desperate but pointless attempt, but now it turns out that it worked. A few hours later, Poly Network received a tiny transfer, in the note field it said: “Ready to return the fund,” ready to return the money.
On the night of Thursday, the perpetrator (s) then began to return their loot piece by piece. Initially only tentatively, but later in tranches with nine-figure sums. The stranger (s) marked the first transfer with the note: “The hacker is ready to surrender,” the hacker is ready to give up. In another transfer, the perpetrator (s) wrote that they were “not so interested in money” and that they were now ready to return part of the loot. You can hardly say more clearly that you are standing there with your hands raised.
In other transaction notes that IT security expert Tom Robinson compiled on Twitter, the perpetrators try to explain themselves in a kind of FAQ. There it says, for example, that they only hack “for fun” and only wanted to bring the crypto-monetary values ”to safety”. When asked themselves why they are now returning the money, they answer, “Why not?” After all, thanks to the price gains in the crypto world, they already have enough money.
The willingness of the strangers to return their booty could have increased due to another message. On Wednesday, the Chinese company SlowMist, which specializes in blockchain security, published a message on “Medium”, according to which it was able to record the attacker’s mailbox, IP addresses and device-specific data and to investigate clues about the attacker’s identity.