Hacker is returning $600M in crypto, claiming theft was just “for fun”


Ars Technica 12 August, 2021 - 02:01pm

Can Bitcoin be hacked?

Bitcoin transactions are recorded in a digital ledger called a blockchain. Blockchain technology and users' constant review of the system have made it difficult to hack bitcoins. Hackers can steal bitcoins by gaining access to bitcoin owners' digital wallets. (Investopedia, "Can Bitcoin Be Hacked?")

Hacker grabs $600m in cryptocash from blockchain company Poly Networks

Naked Security 12 August, 2021 - 05:20pm


Remember Mt. Gox? Sure you do!

Although it’s usually said aloud as “Mount Gox”, as if it were a topographic feature, it actually started life as MTGOX, short for Magic: The Gathering Online Exchange, where MTG fans could trade cards via the internet.

The web domain was eventually repurposed for what was, back in 2014, the world’s biggest Bitcoin cryptocurrency exchange.

Mt. Gox was headquartered in Japan, holding what was then a mind-blowing $500,000,000 in other people’s bitcoins (BTC).

And then a strange thing happened: the money, or at least the bitcoins, vanished, just like that.

We’ve never really found out what happened.

Early suggestions blamed a cryptographic flaw known as transaction malleability, but sceptics argued that this sort of treachery, even if it were possible on such an epic scale, would be visible in the Bitcoin transaction record, also known as the blockchain.

Simply put, transaction malleability means that two different transactions can be rigged to have the same supposedly unique identifier. Crooked transactors could, in theory, fraudulently concoct duplicate-yet-different transaction pairs, and use these transactions to trick a naive exchange into thinking that something had gone wrong. Then the crooks could dishonestly repudiate one of the transactions in each pair and demand a refund.
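To make the malleability trick concrete, here is a small model of why an exchange must never reconcile a withdrawal by a transaction id that covers the signature bytes. This is an added example, not code from the article or from any Bitcoin implementation: the serialisation is a constructed JSON stand-in rather than Bitcoin's wire format, the "signature" is an HMAC under a constructed key rather than ECDSA, and the wallet names borrow the article's own examples. What it preserves is the property that mattered in the Mt. Gox debate: the pre-SegWit txid hashes the whole transaction, signature included, so a relayer who re-encodes a still-valid signature produces a confirmed transaction with a different id, and an exchange that only looks up its recorded id concludes the payment failed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for the spender's signing key. A real wallet signs with
# ECDSA; an HMAC keeps the demo offline while preserving the property that matters.
DEMO_SIGNING_KEY = b"demo-signing-key-not-a-real-secret"


def sha256d(data: bytes) -> str:
    """Bitcoin-style double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[str, ...]                 # outpoints spent, e.g. "prevtxid:0"
    outputs: Tuple[Tuple[str, int], ...]    # (wallet, amount in cents)
    signature: bytes                        # unlocking data (Bitcoin: scriptSig)

    def effect(self) -> bytes:
        """What the transaction does: which coins it spends and where they go."""
        return json.dumps({"in": self.inputs, "out": self.outputs}, sort_keys=True).encode()

    def txid(self) -> str:
        """Pre-SegWit style id: hashes the signature too, so it is malleable."""
        return sha256d(self.effect() + self.signature)

    def effect_id(self) -> str:
        """Id over inputs and outputs only; unchanged by signature re-encoding."""
        return sha256d(self.effect())


def sign(inputs, outputs) -> Tx:
    unsigned = Tx(inputs, outputs, b"")
    sig = hmac.new(DEMO_SIGNING_KEY, unsigned.effect(), hashlib.sha256).digest()
    return Tx(inputs, outputs, sig)


def is_valid(tx: Tx) -> bool:
    """Lenient check modelled on pre-BIP66 parsers: extra leading bytes are ignored."""
    expected = hmac.new(DEMO_SIGNING_KEY, tx.effect(), hashlib.sha256).digest()
    return hmac.compare_digest(tx.signature[-32:], expected)


def malleate(tx: Tx) -> Tx:
    """Re-encode the signature (here: prepend a padding byte) without changing validity."""
    return Tx(tx.inputs, tx.outputs, b"\x00" + tx.signature)


def naive_reconcile(sent: Tx, confirmed: List[Tx]) -> str:
    """Exchange looks up its withdrawal by the txid it recorded when broadcasting."""
    seen = {t.txid() for t in confirmed}
    return "confirmed" if sent.txid() in seen else "missing: refund requested"


def robust_reconcile(sent: Tx, confirmed: List[Tx]) -> str:
    """Exchange checks whether the coins it spent are gone, whatever the confirmed txid is."""
    spent = {i for t in confirmed for i in t.inputs}
    return "confirmed" if any(i in spent for i in sent.inputs) else "missing: refund requested"


def demo() -> dict:
    # Wallet names follow the article's example; outpoint and amounts are constructed.
    original = sign(("c0ffee01:0",), (("7EE19", 3000), ("1445A", 450)))
    relayed = malleate(original)        # a third party rebroadcasts a re-encoded copy
    confirmed = [relayed]               # the network confirms that copy, not the original
    return {
        "both_valid": is_valid(original) and is_valid(relayed),
        "txid_changed": original.txid() != relayed.txid(),
        "effect_same": original.effect_id() == relayed.effect_id(),
        "naive": naive_reconcile(original, confirmed),
        "robust": robust_reconcile(original, confirmed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defender's takeaway is in the two reconcile functions: the naive one issues a refund for a payment that actually went through, which is exactly the double-payout the article describes, while the robust one asks the only question that matters, namely whether the coins it spent have been spent.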

Some people suspected Mt. Gox insiders of simply taking the missing bitcoins (or some of them, anyway) for themselves.

Indeed, on New Year’s Day 2015, Japanese newspaper Yomiuri Shimbun publicly stated that there was “strong suspicion” that most of the missing Bitcoins were ripped off from inside.

Yomiuri Shimbun’s considered opinion was that no more than 1% of the loss could be explained by external hacking or cyberscamming – for example due to transaction malleability tricks – and therefore that 99% of the loot had simply been plundered from within.

Intriguingly, Mt. Gox founder Mark Karpelès was arrested, and ultimately given a suspended prison sentence in Japan, but not because of the missing bitcoins – he was found guilty of misrepresenting the value of his company to make it look like a better investment.

Even more weirdly, lawyers for Ross Ulbricht, currently serving two life sentences in the US for running the infamous Silk Road site on the dark web, argued – without success, given that their client was convicted – that it was Karpelès, not Ulbricht, who was behind the notorious website.

And in what may be the weirdest cryptocurrency twist of all in this part of our story, a federal agent from the US Secret Service, Shaun Bridges, who investigated the Silk Road case, was himself convicted of stealing several hundreds of thousands of dollars of bitcoins from the Silk Road site.

Bridges (and you have probably guessed this by now) stashed his ill-gotten gains on the Mt. Gox exchange.

You couldn’t make this stuff up… and, at the end of it all, we still can’t answer the question, “What really happened when Mt. Gox got hacked?”

Well, we’re now in the middle of another episode of the “Cryptocurrency Truth is Stranger than Fiction” saga.

Online blockchain company Poly Networks, which describes itself as a company that was “built to implement interoperability between multiple [block]chains in order to build the next generation internet infrastructure”, has been hacked.

A blockchain, simply put, is a public ledger that lists details such as financial payments or contractual agreements.

A contract might be some sort of algorithm such as “when Pete sends me the $50 he owes me, I’ll automatically pay $20 of that to Jane, send $15 to Naledi, and keep the rest in my cryptocoin wallet.”

A transaction might record that “wallet B457F has transferred $30 to wallet 7EE19, with $4.50 of transaction fees claimed from B457F by wallet 1445A”.

As you can imagine, a hacker who could inject fraudulent contracts and transfers into a system of this sort could wreak havoc, for example by triggering a series of automated payments into cryptocoin wallets of their own, and then running off with the proceeds.

And that is exactly what seems to have happened to Poly Networks, apparently to the tune of $600,000,000, dizzyingly breaking the Mt. Gox “megahack” record by some $100 million.

How the hack happened is not yet certain.

Some reports are blaming the attack on “stolen private keys”, which basically implies that the hacker got hold of the authentication codes needed to approve a whole raft of fraudulent activities.

Twitter user @kelvinfichter, however, who tweets under the self-assured name of God-like Natural Number Creator Person (TM, R), claims to have identified various cryptographic blunders in Poly Network’s transaction protocol.

For anyone still confused, here's the hack depicted as a beautiful gif pic.twitter.com/Shg5Tdf21Z

— God-like Natural Number Creator Person (TM, R) (@kelvinfichter) August 10, 2021

Fichter says that this blunder would have allowed the hacker to set the fraudulent transactions in train using cryptographic keypairs they had created themselves.

This means that, instead of being forced to use public keys that could only be verified by private keys held by other principals in the transaction, the hacker was able to use public keys for which they themselves had the matching private keys.

That’s a bit like appearing on a criminal charge where your defence attorney not only gets to present your case to the court, but then also gets to act as judge and jury in deciding whether to acquit you.

Astonishingly, the hacker decided to send a note to Poly Networks.

And what better way than to generate a public transaction with no value, but with some added data, like this:

This time, the hexadecimal data above decodes as:

As far as we can see [2021-08-11T15:00Z], the ETH account above has only received about $3000 so far.

But the Polygon wallet has picked up $1,010,100.

That “binary-like” number is apparently the result of three transactions in quick succession this morning, first of $100, then $10,000 and then a full $1,000,000:

Update. Another $84m was returned via this wallet at about 2021-08-12T20:00Z. The BSC address listed in Poly Networks’ tweet above seems to have received just over $250m. [2021-08-12T00:45Z]

According to other reports, Poly Networks has also received a repayment of $622,000 in a cryptocoin known as Fei, and a whopping 260 billion SHIBA INU cryptocoins.

As dramatic as the last “refund” might sound, the current exchange rate for SHIBA INU is about 125,000 SHIBs to the US dollar, assuming you could find anyone to cash them out into hard currency, so the nominal value there is about $2,000,000.

As in the Mt. Gox case, we may never discover the full truth of what happened.

Poly Networks may never get all the funds back, and as for how much the company’s customers stand to lose, we can only guess.

Perhaps the hacker or hackers will eventually return all, or at least most, of the vanishing cryptocoins?

In the meantime, we will leave you with two suggestions:


It still surprises me the number of people that still trust these currencies and even promote them to their friends as a good investment vehicle. SHEESH !

David, because of a few of the currencies, I have bought 3 homes and 4 cars for my family. SHEESH!

Crypto currencies are an extension of the computer gaming world with real world prizes. Until the regulators cosh crypto bank raiders before they get to the loot crypto currencies are merely a sophisticated part of the betting industry, imo.

Very good presentation of the facts as they are known Paul👍and also utilizing the back-story with Mt. Gox and Shaun Bridges.

“It never rains but that it pours.”

Hacker is returning $600M in crypto, claiming theft was just “for fun”

KiniTV 12 August, 2021 - 05:20pm


The hacker who breached the Poly Network crypto platform says the theft was just "for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker's own wallets to “keep it safe.”

As of 4 am this morning, Poly Network says $342 million has been returned. The remainder, which is apparently all in Ethereum, is being “gradually transferred,” the company said.

Poly Network operates a platform that allows people to move tokens between different blockchains, using smart contracts that help to automate the process. The hacker exploited a vulnerability in one of Poly Network's smart contracts, the company said in a tweet. That smart contract required a large amount of liquidity so that transactions between different blockchains could be completed quickly and efficiently.

The hacker apparently exploited a vulnerability in the way Poly Network verified smart contracts to change a list of public keys to match the hacker's private keys, according to an analysis of the hack tweeted by Kelvin Fichter. Once those keys were changed, the hacker was able to reroute funds to personal wallets.
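Both descriptions of the flaw (Fichter's account in the Naked Security piece and the summary above) come down to the same design rule: the set of public keys a verifier trusts must live in the verifier, never in the message being verified, and changing that set must itself require approval from the current trusted set. The following model is an added example and is not Poly Network's code, nor does it reproduce how that contract was actually structured. It uses Lamport one-time signatures, a hash-based scheme chosen only so the demo runs offline with the standard library; real keepers would sign with ECDSA. The keeper seeds, the attacker key, the payload text and the wallet names (borrowed from the article's own examples) are all constructed.

```python
import hashlib
from typing import Dict, List, Tuple

# Lamport one-time signatures: a genuinely asymmetric scheme built from SHA-256
# alone, used here so the demo runs offline. Real keepers would use ECDSA.
Secret = List[Tuple[bytes, bytes]]
PubKey = Tuple[Tuple[bytes, bytes], ...]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes) -> Tuple[Secret, PubKey]:
    """Derive 256 secret pairs from a (constructed) seed; the public key is their hashes."""
    sk = [(_h(seed + bytes([i, 0])), _h(seed + bytes([i, 1]))) for i in range(256)]
    pk = tuple((_h(a), _h(b)) for a, b in sk)
    return sk, pk


def _bits(msg: bytes) -> List[int]:
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def sign(sk: Secret, msg: bytes) -> List[bytes]:
    """Reveal one secret per bit of H(msg)."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk: PubKey, msg: bytes, sig: List[bytes]) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(_h(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def rotation_message(new_keepers: List[PubKey]) -> bytes:
    """Canonical message a quorum must sign to approve a new keeper set."""
    return b"ROTATE:" + b"".join(_h(b"".join(a + b for a, b in pk)) for pk in new_keepers)


class CrossChainVerifier:
    """Accepts a cross-chain message only if a quorum of trusted keepers signed it."""

    def __init__(self, keepers: List[PubKey], threshold: int):
        self.keepers = list(keepers)
        self.threshold = threshold

    def _quorum(self, keepers: List[PubKey], msg: bytes, sigs: Dict[int, List[bytes]]) -> bool:
        good = sum(1 for idx, sig in sigs.items()
                   if 0 <= idx < len(keepers) and verify(keepers[idx], msg, sig))
        return good >= self.threshold

    def verify_trusting_header(self, header: dict) -> bool:
        """Weak pattern: the message itself names the keys that vouch for it."""
        return self._quorum(header["keepers"], header["payload"], header["sigs"])

    def verify_with_stored_keepers(self, header: dict) -> bool:
        """Hardened: only the stored keeper set counts, whatever the header claims."""
        return self._quorum(self.keepers, header["payload"], header["sigs"])

    def rotate_keepers(self, new_keepers: List[PubKey], sigs: Dict[int, List[bytes]]) -> bool:
        """Changing the trusted set is privileged: the current quorum must sign it."""
        if not self._quorum(self.keepers, rotation_message(new_keepers), sigs):
            return False
        self.keepers = list(new_keepers)
        return True


def demo() -> dict:
    """Constructed scenario: four honest keepers (threshold 2) and one attacker key pair."""
    keys = [keygen(b"demo-keeper-%d" % i) for i in range(4)]
    keeper_sks = [k[0] for k in keys]
    keeper_pks = [k[1] for k in keys]
    v = CrossChainVerifier(keeper_pks, threshold=2)

    # A payload the attacker wrote, signed with keys the attacker generated.
    att_sk, att_pk = keygen(b"demo-attacker")
    payload = b"release 1000 tokens to wallet 1445A"
    forged = {"payload": payload, "keepers": [att_pk, att_pk],
              "sigs": {0: sign(att_sk, payload), 1: sign(att_sk, payload)}}

    # A payload two real keepers signed.
    genuine_payload = b"release 30 tokens to wallet 7EE19"
    genuine = {"payload": genuine_payload, "keepers": keeper_pks,
               "sigs": {0: sign(keeper_sks[0], genuine_payload),
                        1: sign(keeper_sks[1], genuine_payload)}}

    new_pks = [keygen(b"demo-new-keeper-%d" % i)[1] for i in range(2)]
    approve = rotation_message(new_pks)
    return {
        "forged_passes_weak_check": v.verify_trusting_header(forged),
        "forged_passes_hardened_check": v.verify_with_stored_keepers(forged),
        "genuine_passes_hardened_check": v.verify_with_stored_keepers(genuine),
        "rotation_by_attacker": v.rotate_keepers([att_pk], {0: sign(att_sk, rotation_message([att_pk]))}),
        "rotation_by_quorum": v.rotate_keepers(new_pks, {2: sign(keeper_sks[2], approve),
                                                         3: sign(keeper_sks[3], approve)}),
        "old_keepers_after_rotation": v.verify_with_stored_keepers(genuine),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged message sails through `verify_trusting_header` because it brings its own keys, which is the "defence attorney as judge and jury" situation the Naked Security piece describes; the hardened path rejects it, accepts the genuinely keeper-signed message, and only lets the keeper set change when the existing quorum signs the rotation.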

In an exclamation point-laden, all-caps Q&A found within one of the transactions, the hacker gave some insight into the motivation behind the hack. (We cannot verify the authenticity of the statements, though one expert said they were linked to the hacker's account. Also, we’ve changed the passages to sentence case to make them more readable.) “When spotting the bug, I had a mixed feeling,” the hacker wrote. “Ask yourself what [would you] do had you fac[ed] so much fortune. Ask the project team politely so that they can fix it? Anyone could be the traitor given one billion!”

Though the hacker wasn't going to pass up on some extra cash, of course. “In the meanwhile, depositing the [stable coins, like Tether,] could earn some interest to cover potential cost so that I have more time to negotiate with the Poly team,” the hacker said.

Shortly after Poly Network revealed the breach, it posted a note to the hacker on Twitter. “The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions.”

This negotiating tactic—along with Tether freezing $33 million of its coins on Poly Network—seems to have worked. The difficulty in moving that amount of cryptocurrency anonymously likely also posed a challenge for the hacker, said Joel Kruger, a currency strategist at LMAX Group, to The Wall Street Journal. “You’re going to have to find a way to get it out to cash in—it becomes a greater impossibility given how things are tracked from wallet to wallet and exchange to exchange,” he said.

Less than a day after the note was posted, the hacker began sending the stolen cryptocurrency back to the company.

In the Q&A, the hacker attempted to pose as a white hat, writing, “I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP, or so called fingerprint, which were untracable [sic].”

The hacker capped off the answer with what may be a sarcastic wink at the crypto community: “I prefer to stay in the dark and save the world."
