HONG KONG/SINGAPORE/LONDON (Reuters) - A cryptocurrency platform has lost an estimated $600 million in digital tokens in one of the sector’s biggest ever cyberheists, according to details of the heist emerging on Wednesday.
Poly Network, a so-called decentralised finance platform that facilitates peer-to-peer transactions, announced the hack on Twitter and posted details of digital wallets to which it said the money was transferred, urging people to blacklist tokens from those addresses.
The value of the tokens in the wallets cited by the platform was just over $600 million at the time of the announcement, according to crypto trade publication The Block.
Poly Network did not respond to requests for further detail about the heist. It was not immediately clear where the platform is based, or whether any law enforcement agency was investigating the heist.
The platform tweeted it planned to take legal action and urged the hackers to return the stolen funds to several of its digital addresses.
The plea looked to be gaining some traction, with around $4.8 million in stolen tokens returned by Wednesday afternoon, according to public blockchain records and crypto tracking firm Elliptic. Analysts cited the headaches of laundering stolen crypto on such a scale as a possible motivation for the move.
The theft appeared to be one of the biggest ever in cryptocurrency markets, and was on a par with the $530 million in digital coins stolen from Tokyo-based exchange Coincheck in 2018. The Mt. Gox exchange, also based in Tokyo, collapsed in 2014 after losing half a billion dollars in bitcoin.
The latest attack comes as losses from theft, hacks and fraud related to decentralised finance (DeFi) hit an all-time high, raising the risks both of investing in the sector and of regulators looking to shake it down.
DeFi platforms allow financial transactions, usually in cryptocurrency, without traditional gatekeepers such as banks or exchanges. The sector has boomed over the last year, with platforms now handling more than $80 billion worth of digital coins.
Poly Network allows users to swap tokens across different blockchains.
“It is a massive hack … as large as Mt. Gox,” said Bobby Ong, co-founder of crypto analytics website CoinGecko, although he noted the fallout had not yet hurt major crypto prices. “This project is finished in my opinion. (It is) going to take a lot to regain confidence.”
Yet the retrieval of some of the tokens underscores the difficulty of laundering large amounts of stolen crypto, said Tom Robinson, Elliptic co-founder.
“There’s so much public attention on this, and exchanges will be on the lookout for customer deposits linked to this theft,” Robinson said.
“This demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the broad use of blockchain analytics by financial institutions.”
The hacker or hackers sent a message with some of the returned coins appearing to ask for donations, Robinson added.
Still, the stolen funds amount to more than the record $474 million in criminal losses registered by the entire DeFi sector from January to July, according to a report from crypto intelligence company CipherTrace.
Proponents of DeFi say it offers people and businesses free access to financial services, arguing that the technology will cut costs and boost economic activity.
Yet it is mostly unregulated, with technical flaws and weaknesses in the code many platforms use leaving it vulnerable to hacks and heists.
The chief technology officer of Tether, a stablecoin or type of cryptocurrency usually backed by real-world assets, said on Twitter the company had frozen $33 million connected with the hack, and top management at large crypto exchanges responded to Poly on Twitter saying they would try to help.
Reporting by Alun John in Hong Kong, Tom Wilson in London and Tom Westbrook in Singapore; Editing by Jane Wardell and David Holmes