Biggest Defi Theft results in 600 million USD going up in Smoke

Bloomberg reports that hackers have just successfully stolen roughly 600 million USD from a decentralized finance platform. The theft occurred on the Poly Network which allows users to swap tokens across several blockchains. Tens of thousands of users are believed to be impacted by the theft with a vulnerability within Poly Network being exploited by hackers.

The Poly Network team took to Twitter to address those responsible for the hack and open a line of communication in the hopes that funds can be retrieved. For those who are victims of the theft, there is a strong possibility that the funds cannot be recovered, and they will be significantly out of pocket even if some arrangement can be made with the Poly Network’s team.

The issuer of the popular stablecoin Tether has managed to freeze approximately 33 million USD worth of Tether that was stolen.


This is possible due to Tether’s code and infrastructure that allows for Tether transactions to be frozen by the issuer. However, that is where the good news will end for many.
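The freeze described above depends on the token contract giving its issuer an explicit override. The following Solidity contract is an added illustration of that pattern and is not Tether's code; it makes no claim about how Tether implements freezing, and the contract and function names are assumptions for the example. It shows a minimal token whose issuer can mark an address as frozen so that funds held there can no longer be transferred.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative issuer-controlled freeze list for a minimal token.
// Added example, not Tether's contract; all names here are assumptions.
contract FreezableToken {
    address public issuer;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Frozen(address indexed account);
    event Unfrozen(address indexed account);

    modifier onlyIssuer() {
        require(msg.sender == issuer, "not issuer");
        _;
    }

    constructor(uint256 initialSupply) {
        issuer = msg.sender;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // The issuer can mark an address (for example one holding stolen funds)
    // as frozen. Only the issuer key can do this, which is the trust
    // assumption that makes a post-theft freeze possible at all.
    function freeze(address account) external onlyIssuer {
        frozen[account] = true;
        emit Frozen(account);
    }

    function unfreeze(address account) external onlyIssuer {
        frozen[account] = false;
        emit Unfrozen(account);
    }

    // Transfers from or to a frozen address are refused, so balances in a
    // frozen address cannot move until the issuer lifts the freeze.
    function transfer(address to, uint256 value) external returns (bool) {
        require(!frozen[msg.sender], "sender frozen");
        require(!frozen[to], "recipient frozen");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }
}
```

The design point is the trade-off the article hints at: a freeze is only possible because a single party holds a privileged key, so the same mechanism that let part of this theft be contained is also a centralisation risk for holders. Tokens without such an override give their holders no comparable recourse once funds have moved, which is why freezing helped only the Tether portion of the stolen assets.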

What may alarm victims of the heist along with losing substantial cryptocurrency assets is that it is not clear who runs Poly Network’s protocol. The protocol is responsible for governing transactions that occur. On Poly Network’s website there is little to no information about the team behind the protocol.

This is contrary to the normal practice of cryptocurrency institutions being open about who makes up the team. Decentralized finance, or DeFi, has surged in popularity in the past few years in the wake of a boom in the development of applications that let people trade, borrow and lend funds to each other without intermediaries.

DeFi’s popularity has resulted in a massive influx of capital, which has also drawn the unwanted attention of hackers and scammers. Exact details on how this hack was achieved have not been published, but security firm SlowMist has provided some clues as to who is responsible. The firm noted,

“1) The cross-chain interoperability protocol @PolyNetwork2 was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. The impact caused the transfer of large assets of the O3 Swap cross-chain pool. 2) The SlowMist security team has grasped the attacker's mailbox, IP, and device fingerprints through on-chain and off-chain tracking, and is tracking possible identity clues related to the Poly Network attacker. 3) With the technical support of SlowMist’s partner Hoo and multiple exchanges, we found that the hacker’s initial source of funds was Monero (XMR), which was then exchanged to BNB / ETH / MATIC on the exchanges. 4) Wait for the currency and withdraw the tokens to 3 addresses respectively, and launch an attack on the 3 chains soon. Combining the flow of funds and multiple fingerprint information can be found, this is likely to be a long-planned, organized and prepared attack.”

Defi Attacks Up 60%

While this attack is the world's largest DeFi theft to date, it is part of a drastic increase in DeFi attacks experienced this year alone. According to research published by CipherTrace, DeFi attacks are up 60% when compared to the previous year. Researchers noted,

“CipherTrace analysts found that attacks on DeFi made up more than 60% of the major hack and theft volume in 2021 and 47% of the major fraud and misappropriation. By the end of April, 2021 criminals have netted nearly $240 million from DeFi.
At $156 million, the amount netted from DeFi-related hacks already surpasses the $129 million stolen by hackers throughout 2020. DeFi-related fraud, such as rug pull scams, have added an additional $83.4 million—more than 200% of 2020’s DeFi fraud volume.”

It is important to note that the statistics mentioned above do not include this hack. If this most recent attack were to be included, the 60% figure would be effectively blown out of the water.

This does not mean that the research is suddenly obsolete; rather, it provides trends as to how hackers are operating. In one such attack, EasyFi Network, a DeFi project on Polygon Network, reported that a hacker stole roughly 80 million USD worth of funds from its wallet.

According to the protocol’s post-mortem, the EasyFi smart contracts were not exploited. Instead, the private keys to the network admin MetaMask account had been compromised through EasyFi founder and CEO Ankitt Gaur’s administrative computer.

Other attacks have involved attackers tricking users into downloading malicious versions of the wallet they need. This was the case in the MetaMask attack, which involved users downloading a malicious browser extension.

The spread of the malicious download was supported by the attackers taking out ads that redirected users to it. Once installed, the tampered wallet redirected funds to wallets under the attacker’s control. Another attack involved a DeFi hedge fund, with researchers noting,

“DeFi hedge fund Force DAO was the victim of an attack made by five different hackers on April 4. The attack was uncovered by Polymath’s blockchain team lead Mudit Gupta on Twitter, who provided each attacker’s address and the amount stolen. After one attacker returned their share, Force DAO recorded a loss of $376,000 USD worth of FORCE tokens, which also saw an 80% drop following the attack.”

Given the growing popularity of DeFi among both application developers and investors, attacks on platforms can only be expected to rise. Users are advised to perform due diligence when looking to store funds and assets on any platform.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
