back to article $600m in cryptocurrencies swiped from Poly Network

Poly Network, a Chinese biz that handles transactions across various blockchains, urged thieves to return $600m of digital cash stolen from it in what it called the “biggest [attack] in DeFi history.” DeFi is short for decentralised finance. Poly Network's technology can be used to exchange cryptocurrencies; it can be used to …

  1. IGotOut Silver badge

    Oh poor deluded fools.

    “Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions"

    You know this Chinese crypto company you used, you know the ones from the country where cypto transactions are banned? Well they know these blokes in North Korea who are absolutely pissing themselves laughing at the moment.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh poor deluded fools.

      Well, it handily takes $600 million out of the crypto pool, locking it as 'stolen assets'. So there is $600 million less to compete with if you're liquidating another account and exiting due to China's crackdown on crypto.

      So, whenever I see one of these "someone stole our crypto", or "CEO dies in India and took the password with him and that's why we collapsed"... I immediately wonder if that is true.

      The fake theft scenario runs like this:

      Suppose that China is to crack down further on crypto .

      People connected to PolyNetwork want to ditch their crypto, but they know that will tank and collapse their fake asset. They need to lock in others to keep the crypto afloat while they, themselves, exit.

      Fake theft happens. This handily locks in $600 million, while they sell off. After they sell off, those crooks can return said crypto.... now worth $0. Company winds up, job done.

      Does that make a lot of sense? Well for one thing, if China then does do a major new crackdown, and crypto-crapto is tanking ahead of that, (as if they are aware of impending crackdown), then in my mind that would confirm my hypothesis.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh poor deluded fools.

        To the downvoters, there known as "exit scams", they make far more sense than theft.

        Somebody steals crypto-crapto and transfers it to their 'swag' bag, and everybody in the blockchain can trace every amount transferred in and out of that 'swag' bag. Not just the stolen crypto-crapto, but anything else in that bag.

        At some point that crypto would have to hit the real world, and the crypto-crapto would be traceable to the thief.

        It's like stealing the ultimate in marked bills: Where the bill phones home and reports its every whereabout TO EVERYONE ALL THE TIME.

        Theft of crypto makes no sense. Whenever I see the claim, I suspect shenanigans! SHENANIGANS!

        So here I'm pointing out how a thief can ACTUALLY take their winnings, and that is simply to be the person exiting the Ponzi scheme ahead of the others. And doing that by locking out the others with a fake theft.

        Same theft, but now there is a way for the crooks to take their ill gotten gains. An exit-scam.

        It doesn't have to be a theft, it can be "oops our CEO died in India and took the password with him luckily he signed a will 12 days earlier" or "oops our exchange staff disappeared and so did all this crypto".

        Quite common to claim theft too.

        e.g.

        https://www.bloomberg.com/news/articles/2021-06-23/s-african-brothers-vanish-and-so-does-3-6-billion-in-bitcoin

        Africrypt : "The first signs of trouble came in April, as Bitcoin was rocketing to a record. Africrypt Chief Operating Officer Ameer Cajee, the elder brother, informed clients that the company was the victim of a hack. He asked them not to report the incident to lawyers and authorities, as it would slow down the recovery process of the missing funds."

        https://news.bitcoin.com/court-summons-mirror-trading-international-executives-btc-global-scam/

        Mirror Trading International: The court document explains that between September 2017 and March 2018, the defendants “conducted business under the names and style of BTC Global or BTC.” This scam claimed to allow clients to invest in a trading pool managed by a “master trader” called Steven Twain...there is no evidence that Twain ever existed. In addition, when investors could not withdraw their funds from the scheme, they were informed that Twain was attacked in his home and his equipment was stolen."

        Lots and lots of exit scams, heres a tiny list:

        https://selfkey.org/the-ultimate-list-of-exit-scams-how-to-spot-one/

        PlusToken – $2.9 Billion

        Bitsane

        Coinroom

        Pure Bit

        MapleChange

        Modern Tech

        Centra

        LoopX

        BitConnect

        1. Jeff LeCoat

          Re: Oh poor deluded fools.

          Exit scam does sound like the most likely scenario given the facts. If it is theft though, I don't think the tea leaf would be as stuck as you think.

          Assuming they find an exchange that isn't blocking the wallet address, can they not just flip the marked coins for a something untraceable like Monero? That or use a tumbling service? Or programmatically shunt the coins around to thousands of wallets making it impracticable for exchanges to block?

          You've still got the issue of having to liquidate $600m to useful assets but if patient it could be done without raising any flags.

        2. I ain't Spartacus Gold badge

          Re: Oh poor deluded fools.

          I don't know how traceable these currencies really are though. Because they have "tumblers" who mix up huge numbers of transactions, in order to make sure there still is anonymity. It would make sense for the legitimate businesses using these coins to refuse to have anything to do with coins that have recently (or even ever) been through tumbers - in order to incentivise legitimate users not to use them. Thus leaving them only for the criminals.

        3. Michael Wojcik Silver badge

          Re: Oh poor deluded fools.

          known as "exit scams", they make far more sense than theft

          I'd estimate an exit scam is about as probable as straightforward theft. It's not like we haven't had other massive cryptocurrency thefts (e.g. the DAO), and someone who finds a vulnerability that enables this sort of theft – highly probable – and is sufficiently unethical to exploit it – also probable – will likely take the chance even knowing it may not be possible to make use of all of the stolen assets. The associated risk is very low, so if you have no moral qualms, why not?

        4. Ken Moorhouse Silver badge

          Re: there is no evidence that Twain ever existed.

          Rudyard Kipling could have told you that.

  2. sitta_europea Silver badge

    I'd be terrified if I thought there was even the slightest suspicion that I'd stolen that amount of money from that many criminals.

    1. Anonymous Coward
      Anonymous Coward

      No honor among thieves, eh?

    2. Michael Wojcik Silver badge

      Shrug. Most of the victims are going to be legitimate cryptocurrency fans, high-risk investors, or small-time criminals. The chances of identifying the attacker are very low.

      The DAO attacker retained around $8.5M (circa April 2021; I haven't looked for more recent figures) in ETC even after the post-DAO hard fork of Ethereum, and hasn't been identified yet. Probably never will be.

      It wouldn't be hard to launder $300M in cryptocurrency, as long as you're patient and don't try to convert a lot at once. While there has been some promising work on de-anonymization and tracking of cryptocurrency transactions, including "tumbling" and other laundering operations, it's still quite limited, particularly against operators who have decent opsec.

      I'm certainly not endorsing this sort of thing, but as criminal enterprises go I think it's both lucrative and low-risk, and so I expect we'll continue to see quite a lot of it.

  3. FozzyBear

    “Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions"

    Interesting question: I'm not aware of any country that recognises digital currencies as legitimate currency, So is this a financial crime? You don't get government backed guarantees as you do with that country's issued "dollar". Computer intrusion crime definitely. Theft, maybe, financial crime, debatable. If they do ever catch the guy/girl it would be an interesting test case in court. Well for those countries that have a semblance of innocent until proven guilty.

    1. Andrew Hodgkinson

      *Unless*

      Innocent unless proven guilty, which looks like a small change but is really extremely important (otherwise, you're innocent until we prove you guilty - it's only a matter of time...). There are probably even fewer countries where that holds.

      1. Lil Endian

        *Until*

        UDHR Article 11.1

        Everyone charged with a penal offence has the right to be presumed innocent until proved guilty according to law in a public trial at which he has had all the guarantees necessary for his defence.

        It used to niggle me too, but it's logically sound, and fits with:

        REPEAT

        ...<Freedom>

        UNTIL boolGuilty

        So it satisfies the programmer in me! (Although I avoid bottom conditional loops, unless absolutely necessary and every clock cycle counts.)

      2. W.S.Gosset Silver badge
        Headmaster

        Practical example of "Until"

        Admiral Byng was scapegoated for a government cockup in 1757. The PM, Lord Newcastle, promised the public:

        "he shall be tried immediately; he shall be hanged directly"

        Admiral Byng remained entirely innocent UNTIL he was convicted and shot.

        1. W.S.Gosset Silver badge

          "pour encourager les autres"

          This, btw, was the contemporaneous source of Voltaire's famous line in "Candide" that the English find it necessary to shoot an admiral from time to time, pour encourager les autres.

          1. Precordial thump

            Gallows Humour

            For black humour on the topic of gruesome executions, it's still hard to go past Samuel Pepys:

            I went out to Charing Cross, to see Major-general Harrison hanged, drawn, and quartered; which was done there, he looking as cheerful as any man could do in that condition.

    2. doublelayer Silver badge

      "I'm not aware of any country that recognises digital currencies as legitimate currency, So is this a financial crime?"

      Yes, it would usually be. None of the major countries recognize cryptocurrency as currency, but most do recognize it as a thing you invest in, so it will likely be treated like a crime involving securities, gold, or similar. Then again, most criminal statutes aren't very different between financial or nonfinancial--if you steal things or money, they'll usually use similar laws to charge you if you get caught. Extra laws exist for financial crimes of other types, but that's for things like tax evasion. While it has little meaning, I think the statement is essentially correct.

      1. lglethal Silver badge
        Trollface

        And remember, the more you steal the less time you will do. Steal a couple of hundred dollars in a burglary and you'll probably end up doing 5-10. Steal a couple of hundred million dollars and you'll do 3-5 in a minimum security prison (and be out in 2 or 3, probably with an offical pardon).

        Remember kiddies, go hard or go home...

        1. Fred Goldstein

          And steal more than a billion from the Feds and you can maybe pay a token fine and get elected to the Senate. Ask Rick Scott. (Okay, it's Florida. Of course.)

    3. Anonymous Coward
      Anonymous Coward

      Then you're not aware that El Salvador has declared Bitcoin its legal tender, along with the US dollar.

      Nor about the efforts made in the US and plenty of other countries to tax the income made using crapcoins, which definitely means it's officially considered something of value by governments, right there with stock and other assets.

      1. Blank Reg Silver badge

        Just because you sold something and made money doesn't mean that the government recognises that something as something of value. It's the money that you made that they recognise as something of value.

        1. Loyal Commenter Silver badge

          Indeed. I believe the current status in the UK, for example is that money made from dealing in cryptocurrencies (in fiat currency) is treated as money made from buying / selling any other investments and is subject to capital gains tax. The threshold for paying such is currently £12,300, so unless you're making serious money from it, it goes untaxed just the same as selling your old tat on eBay. Note that CGT is paid on profits as well, and not on amount, so if you bought £1M in bitcoin and sold it for £1,012,300, you'd still pay no CGT on it.

      2. Anonymous Coward
        Anonymous Coward

        El Salvador - Fools and their money are easily parted

        El Salvador's president can run whatever scam he wants but in reality the currency in El Salvador and between El Salvador and the rest of the world is the US dollar. This is a cheap stunt by a nasty dubious populist 'politician'. He'll siphon off funds for himself ready for when he has to skip the country.

        Fools and their money are easily parted.

    4. Charlie Clark Silver badge

      It doesn't matter whether they're recognised as currencies or not: they're tradeable assets and as soon as the trader is licensed the action can be treated as theft. Unlicensed trading is generally considered to be illegal.

      But the real problem is that the licences for trading have been handed out to easily. Regulators are now waking up to something that has been compared with "the wild west". Make no mistake: most people involved in the trading know that they are engaged in highly speculative assets but if things continue unchecked the next asset crisis is only a matter of time.

  4. Lil Endian

    Poly Says...

    Poly says her A/C hurts...

    1. Jedit

      Re: Poly Says...

      *waark*

      Poly want a cracker!

  5. W.S.Gosset Silver badge
    WTF?

    Blew my mask off my face

    > urged hackers to return $600m

    I haven't laughed that hard for ages.

    Thank you, Katyanna!

    1. FozzyBear
      Black Helicopters

      Re: Blew my mask off my face

      You hear it all the time on the nightly news. Police urge the offender(s) to turn themselves in. It is only a matter of time before we catch up with you.

      It rarely works.

      In this instance the better threat would be.

      "Whilst we present a legitimate business, in reality a majority of our clients are criminal enterprises. You have stolen the ill gotten gains from dozens of drugs cartels and criminal syndicates. Would you prefer the tender mercies of the Chinese government or hunted down by our customers?"

      1. Mr Sceptical
        Mushroom

        Re: Blew my mask off my face

        I dunno, $600 mill pays for your own private army, or any number of assassinations of irate gang leaders. It's just business so I'm sure they won't take it personally.

        On the other hand it's probably easier to move to a banana republic and pay off the chief of police for your protection - cheaper than the Merc army anyway.

        Put it this way, if you'd nicked a few Billion the idea you'd personally be in danger is fairly low as you simply how enough specialists to keep you safe, providing your actually follow their advice and don't start flaunting your ill gotten gains in public places.

        Just a thought...

      2. doublelayer Silver badge

        Re: Blew my mask off my face

        The only problem with that approach is that it's not true and the attackers know it. This isn't going to include funds from powerful criminal organizations. It will mostly include funds from small and pathetic criminal organizations and some actual investors, neither of which is usually willing to spend extra money on a mission of revenge. The places that perform acts like ransomware which result in crypto payments are made up of criminals, and they are large enough that they could attack someone who was getting in the way, but they don't have private armies or the assets to perform that kind of investigations. The large drug distribution groups are large enough that they don't need to bother with cryptocurrency unless they want to invest in it--they already use a more rigorous array of financial systems for handling their loot because they have so much of it and because they operate in such a large area that they can commandeer large chunks of the infrastructure that exists there.

        The only large organization that I know of that uses a lot of crypto is North Korea. If this was used by North Korea for international storage, the thieves may have an issue. However, based on the way North Korea usually stores the money we know about, it would seem much more likely that, if they're involved, they're the ones who stole the coins. They have a history of large thefts so it is in character.

  6. Anonymous Coward
    Anonymous Coward

    A Cryptocurrency 'Investor' and their money

    are soon parted.

  7. Anonymous Coward
    Anonymous Coward

    Reset the clock!

    So, £10 on this being another Exit Scam just like almost every other time a kleptocurrency exchange has been "hacked"?

    1. Michael Wojcik Silver badge

      Re: Reset the clock!

      Citation needed.

      Cryptocurrencies are highly vulnerable to theft. There's no evidence I'm aware of to demonstrate that a majority of high-profile thefts are fraudulent. Care to provide some?

    2. doublelayer Silver badge

      Re: Reset the clock!

      It's not every time. There are a lot of exit scams, but there are also a lot of real hacks. Investors who invest without learning how the thing they're investing in works don't seem to realize that cryptocurrencies function a lot like cash. They then act surprised when someone breaks into the inadequately secured storage and takes it and they don't have an automatic backout ability. That makes thieves quite eager to go steal from wallets or exchanges that didn't do their homework, especially if they think everybody will assume it's an exit scam.

  8. Lotaresco

    And this is why...

    This is why I have no interest in the use of Dunning-Krugerands, or indeed blockchain.

    1. Michael Wojcik Silver badge

      Re: And this is why...

      Merkle graphs have plenty of applications, including in filesystems and change-tracking mechanisms. Like, say, git. I'm not a fan of git myself, but it's pretty popular.

      Rebranding (degenerate1) Merkle trees as "blockchain" and using them for funny money may be a daft idea, but that doesn't make them an inherently bad idea.

      General Merkle DAGs are really popular in some industry sectors right now, such as IoT with IOTA and the Tangle, which for some reason many commentators are treating as something wildly innovative when it's Just Another Merkle Graph. But in any case it's being wide adopted and standardized, and arguably is a pretty good fit for the problem domain (unlike cryptocurrency, which in pretty much all of its diverse forms is full of stupid drawbacks).

      1A blockchain is just a Merkle tree (i.e. a Merkle graph, which is always a DAG, with a single root node) where all branches but one favored one are periodically pruned, converting it back into a singly-linked list.

  9. Anonymous Coward
    Anonymous Coward

    DeFi stands for decentralised finance

    no it now just stands for de-finance. which is wot happened here (again).

  10. Cuddles Silver badge

    Decentralisation

    "DeFi stands for decentralised finance."

    The big benefit of being decentralised is that there isn't a central store from which someone can swipe a big pile of money all at once. Oh, right.

    1. Jedit
      Headmaster

      Re: Decentralisation

      The crypto crew are learning the hard way that cryptocurrencies aren't decentralised, they're just deregulated.

      1. doublelayer Silver badge

        Re: Decentralisation

        No, that's not it. They have learned (hopefully) that if you put all your money in a central place, then you've drilled a hole through all the benefits that decentralization brings with it so you might as well use something that was designed to be centralized. You can keep your own crypto in a decentralized manner and it's usually more secure if you're careful, but a lot of people are too lazy to do so.

  11. Winkypop Silver badge
    Devil

    Oh how we laughed and laughed

    See title

  12. Anonymous Coward
    Anonymous Coward

    Who's the bigger fool?

    It would be hard to rob a bank of more than a million, yet crypto allows half a billion to be taken in one swoop.

    If Bitcoin etc are the answer, what's the problem?

    1. Anonymous Coward
      Anonymous Coward

      Re: Who's the bigger fool?

      How to part money from others more easily?

    2. Michael Wojcik Silver badge

      Re: Who's the bigger fool?

      Oh, lord, yes. I don't know why financial criminals are wasting their time with anything else.

      Let's take ETH as an example. As of 7 July 2021, approximately 31% of ETH was tied up in smart contracts1, for a total of around 9M ETH.

      At the moment 1 ETH has a nominal price on exchanges of around $3200.

      So we have Ether smart contracts holding the nominal equivalent of about $3B USD. Three. Billion. Dollars.

      The DAO was a "leaderless organization" created with Ether smart contracts. In 2016 a bug in those contracts let someone steal 3.6M ETH, worth around $60M at the time, by forking the DAO. That led to a hard fork in Ethereum and its split into the current Ethereum and Ethereum Classic (ETC). The DAO attacker was able to keep about $8.5M worth of ETC.

      Writing safe, correct smart contracts appears to be extremely difficult. A 2018 paper found that around 95% of the smart contracts studied had exploitable vulnerabilities.

      Assuming the situation hasn't improved by more than 10% in the following three years (and I wouldn't be surprised if it hasn't improved at all), that suggests around $2.5B is there for the taking, with some degree of effort.

      While the largest bank robbery on record netted $282M, that was an inside job and an extreme outlier. In the US, at least, bank robberies average a few thousand dollars (e.g.$9521 in 2012), and a large portion are unsuccessful.

      1Which are neither.

      1. Blank Reg Silver badge

        Re: Who's the bigger fool?

        Digital bank robberies are likely even more difficult to pull off, at least at any large scale. I'm sure all kinds of red flags will pop up if some account that isn't normally transacting in 100's of millions suddenly gets 600 million transferred into it and then someone immediately tries to cash out or transfer the money elsewhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: Who's the bigger fool?

          From the Bangladesh Bank bank robbery, all you need to do is make sure you can spell. Only $81m i think it was got stolen, but only because they needed to check the spelling of a transfer as it was incorrect. Otherwise close to $1B would have been stolen.

          Focus on fraud has been on cards, not account to account transfers originating from within the bank, that is now changing (I work at a company that one of the things it does is fraud detection).

  13. Ian 55

    "Tether, a blockchain platform that converts real money into cryptocurrencies and vice versa"

    Wouldn't be so sure about the "vice versa", unless you're talking about Tether's owners.

    Or that every Tether in circulation was created in exchange for anything like "real money".

  14. ZekeStone

    Wishful thinking...

    "Poly Network urged the thieves to return the stolen coins:"

    Total wishful thinking on their part... LOL.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021