By Brian Fung, CNN Business
An anonymous hacker who stole more than $600 million from the decentralized finance platform Poly Network this week has returned virtually all of the money — and apparently turned down a half-million-dollar reward offered by the company for exposing its security vulnerability.
The bizarre outcome caps off an unusual cryptocurrency heist that has been called the biggest in industry history.
In a message posted to Twitter on Thursday, Poly Network said the hacker — whom it is calling “Mr. White Hat,” a term that refers to an ethical hacker who raises awareness of security flaws — has returned all of the stolen funds, save for a small percentage that had been frozen by the cryptocurrency issuer Tether following the hack.
The money has been deposited to an account that requires both the company and the hacker to manage jointly.
“To ensure the safe recovery of user assets, we hope to maintain communication with Mr. White Hat and convey accurate information to the public,” Poly Network said.
Reuters reported Friday that the company thanked the hacker and asked for his continued contributions to industry security.
In messages accompanying the returned funds published by the blockchain forensics firm Chainalysis, the hacker claimed it was “always the plan” to give the money back.
“I am _not_ interested in money!” the hacker said, and added: “I would say figuring out the blind spot in the architecture of Poly Network would be one of the best moments in my life.”
According to Chainalysis and transaction notes shared by Tom Robinson, co-founder of the forensics firm Elliptic, Poly Network had offered a $500,000 bounty to the hacker. Although it appears the hacker acknowledged receiving a bounty offer, it was never accepted, according to the notes. “Instead, I will send all of their money back,” the hacker said.
It would have been extremely difficult for the hacker to spend the stolen funds, forensic experts say. The fact that blockchain transactions are publicly recorded makes it challenging to launder money anonymously.
“The best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet,” Chainalysis wrote in its blog post.