Babbitt News, at 23:40 on August 12, as the last 28,953 ETH in Ethereum was entered into the Ethereum multi-signature payment address set by Poly Network, the previously stolen 610 million US dollars have been returned (580 million US dollars) All have been returned, of which 33.43 million usdt was frozen by Tether), the largest hacking incident in the history of the blockchain, which lasted more than 50 hours, has come to an end.

secondary title

August 11 at 23:57

Q: Why do you want to be a hacker?

A: Just for fun :)

Q: Why did you choose Poly Network?

Answer: Cross-chain is very popular

Q: Why transfer tokens?

A: To ensure safety.

I had mixed feelings when this error was discovered. Ask yourself, what would you do if you had so much wealth right in front of you? Politely inform the project team so they can fix the bug? But anyone can be a traitor, because this is a billion dollars! I can't trust anyone. I can't trust anyone! The only solution I can think of is to deposit the money in an account I trust, while keeping my identity anonymous and safe. Now everyone can smell the conspiracy. Insider? I'm not, but who knows? It is my duty to expose this vulnerability before any insider hides and exploits it!"。

Q: Why is it so complicated?

Answer: POLY network is a good system. This is one of the most challenging attacks a hacker can enjoy. I have to beat any insiders or hackers fast, I take it as a bonus challenge :)

Q: Have you revealed your identity?

secondary title

August 12 at 00:31

Q: What exactly happened in the attack 30 hours ago?

A: It's a long story.

Believe it or not, I too was forced to play this game.

Poly Network is a complex system and I haven't managed to set up a local test environment. I was not able to make a proof of concept (POC) at first. However, when I was about to give up, the opportunity came. After debugging all night, I crafted a _SINGLE_ message for the ontology network.

I plan to launch a cool blitz to quickly take over the four networks supporting Poly: ETH, BSC, Polygon, and HECO. However, something went wrong with the HECO network! Its relay behaved differently than the others, the admin just directly relayed my exploit and the key was updated with some wrong parameters. This caused my plan to be destroyed.

I should have stopped attacking at that moment, but I decided to let the show go on! What if they secretly patched the bug without any notice?

However, I don't want to cause real panic in the crypto world. So I chose to ignore the crap coins on Poly so people don't have to worry about them going to zero. I took those important tokens (except SHIB) and didn't sell any tokens afterwards.

Q: So why sell/exchange those stablecoins?

A: The initial response from the POLY team pissed me off.

They urged others to blame and hate me before I could reply! Of course I knew there were fake DeFi tokens, but I didn't take it seriously because I had no plans to launder money.

secondary title

August 12 at 00:55

Q: Why send a tip of 13.37 ETH to a community member?(Note: A community member named "Hanashiro.eth" told hackers not to use USDT through a transaction message, and received a reward of 13.37 ETH from the address linked to "PolyNetwork Exploiter".)

A: I feel the warmth of the Ethereum community.

I was busy investigating HECO issues and debugging my scripts. I think it's a network problem why I can't deposit (I use a complicated web proxy). So I shared my goodwill with that guy.

Q: Why are you asking about Tornado and DAO? (Note: Tornado is usually used by hackers to mix coins and launder stolen assets)

A: Having witnessed so many hacks, I knew that putting money into Tornado was a wise but desperate decision. This defeats my original intention. After seeing so much begging, being a crowdsourced hacker is just a joke on my part :)

Q: Why are funds returned?

A: This has always been my plan! I'm not very interested in money! I know people suffer when they get hacked, but shouldn't they learn something from so many hacks that have happened in the past? I announced my decision to return funds just before midnight, so anyone who believes in me should go get some rest ;)

Q: Why is the progress of returning funds a bit slow?

A: I do need time to communicate with the POLY team. Sorry, this is the only way I know of to hide my identity while maintaining my dignity. I need a break.

Q: What do you think of the Poly team?

A: I've started a short conversation with them, and the content logs are all on Ethereum. I may or may not post these. Their suffering is temporary, but it must be unforgettable.

secondary title

August 12 at 01:13

secondary title

August 12 at 02:05

secondary title

August 12 at 02:59

Q: Why CEX? Rookie?

Answer: whatever :)

The key challenge of this hack was to call some contracts with the Ontology network (my favorite part). You have to get some"Gas",is called"ONG". It is not a tradable DeFi token and can only be found on some Chinese(?) exchanges. Why trade from Dex if you have to go through CEX? Why do you think I might leave traces in DEXes?

Q: Why do I need a refund? coward?

Answer: whatever :)

When you judge others, you are not defining them, you are defining yourself.

I've enjoyed the things I care most about: hacking and mentoring.

Few hackers can understand the situation of DdeFi security. Yes, you see a lot of hacks, but most of them are not as pleasant as a real hacker. Some stupid code resulted in a lot of damage, but it wasn't challenging. It's like going up against a teenager.

I admit, the Poly hack isn't as fancy as you might think, but I definitely got to experience something new from this project. I would say that figuring out the blind spots in the Poly network structure will be one of the best moments of my life.

With the development of the crypto world, I already have enough money. I've been searching for the meaning of life for a while now. I want my life to be made of unique adventures, so I like to learn and hack everything in order to fight against fate. Destiny is in my heart.

secondary title

August 12 at 03:12

secondary title

August 12 at 03:34

Guys, ask yourself, is the Poly team the owner of the assets? They're just fund managers, you'll teach them how to trigger them"back door"victim

for"victim"secondary title

August 12 at 6:09

secondary title

August 12 at 23:40

secondary title

August 13 at 3:18

The hacker left a message on the chain, expressing his apology for the innocent people affected by his adventure:

Message hash address: 0x78b8d13618af4d1b8facfde5906cb40972ff70b04574de3aa6b2b403329c7b44

secondary title

August 13 at 6:18

The hacker left a message on the chain, explaining the background of the hacking incident to the community.

Hash: 0xf34ee3551be7be57df6643d4ec7e4bdf9fd047d925c3c32a74e64e7428e5f8a9

Q: Why the AMA? your confession?

A: It's more like a diary. Something I'm proud of.

Q: Why return all funds?

A: As I said, I don't care about money or capital.

Q: Trash English?

A: English is not my first language (identity disclosure). I just expressed my true feelings without embellishment. Typing while holding down the "Shift" key isn't easy.

Q: Black hat or white hat?

A: I also enjoy the superiority of judging others, but it's never easy. Not only can a legitimate person be a white hat, but a black hat can also be a good person. People are changeable. Have you ever heard of gray?

Q: Shouldn't white hats notify developers?

A: Read P1Q1234. DEFI is a dark forest where hundreds of projects run away every year. I don't trust anyone.

Q: Why hide in the dark?

A: Even if you are legal, you could be at risk for any reason. Security people do care about security.

Q: Why do you need to explain so much?

A: Read P4Q2. The mentoring part means a lot to me. I want to share how I overcame my arrogance and greed. I don't think the mental challenge is any easier than the hacking part.
Honestly, I was so excited when EXPOLIT worked that I almost forgot the original plan because it was too much guesswork and unexpected (see P2Q1). The first message (see P3Q1) sparked my interest in doing something creative. I spent some time looking for interesting but reasonable ideas from my message list.
I'm (still) pretty confident in my hide, so I think I can handle this match as long as I don't do unbearable damage. Then I started to calm down because of those refugees. Yes, I realize that taking over the money even temporarily is still an unforgivable joke and it causes too much pain.
With the "billion shitcoins" joke, I mean the event's headline might be more dramatic, but the end result is the same: I'm not ditching shitcoins. It turned out to be a terrible joke. For the "DAO" joke, I asked the community how and when to refund. This is an irresponsible joke.
I'm not at all intimidated by exposure or money laundering issues (read my rookie course). I just realized that I should be cautious because my decision will change many people's lives! If I leave the tokens there and quit the game, I can enjoy being a millionaire and continue my quest as usual, but thousands of people will lose control of their own destiny. This goes against my personal philosophy (see P4Q2).
I once wrote an email to POLY, attaching a signed ETH transaction from an anonymous mailbox. If they receive the mail, they will be able to broadcast transactions through my address. It's not a smart move since I can't broadcast any new messages ahead of them. Guess that email must have been lost, I didn't get confirmation from ETH, but I waited hours for this error.
The next part of the story is what you already know. I stopped playing and got my money back as I planned.

Q: You're not exposed, but they have clues, so you're scared!

A: I am more confident than anyone else.

I'm a known hacker in the real world (identity leak 2). I work in the security industry and have been working as a hacker (identity leak) since I was a kid. Seriously, as security researchers, our job is to save the hidden world.
I know security consulting is hard work, and public relations and reputation mean a lot. I don't mind the security team making an ad based on my incident, especially if it helps them. Raising safety concerns is also the calling of our careers.
If any hacker can find my social identity within a month, I want to send him my personal gift. Otherwise, I may or may not have given away another clue to my identity. Shall we play a game?
Even though I'm recognized I'm still proud of my integrity :)

This article is from Babbitt, reproduced with permission.