On Thursday, Poly Network confirmed on Twitter that $268 million (R$1.4 billion) in Ether tokens have already been redeemed.
In the past 24 hours, the hacker returned the company with $342 million in exchange for three cryptocurrencies.
The individual also posted several pages of annotations on the blockchain (a chain of digital blocks with encrypted code that stores some type of data), revealing why the company was hacked and the offers from Poly Network for them.
In a development that worries some cybersecurity experts, the hacker claims that the company offered $500,000 (2.6 million Brazilian reais) if it returned the stolen assets, as well as a promise of immunity from criminal prosecution against him.
However, the hacker says he did not accept the offer.
- Do you use your cell phone while charging it? So you need to keep in touch
- NFT Fashion: Why do people pay real money for virtual clothes
Hackers steal $600 million from cryptocurrency exchange
On Thursday night, Poly Network published an update stating that most of the remaining assets in the hacker’s possession have been transferred to a digital wallet controlled by the hacker and the company.
But some money is still due.
The hacker still owns $33.4 million in Tether [token baseado em uma plataforma de tecnologia blockchain] “It was stolen — because it was frozen by Tether itself,” said Tom Robinson, co-founder of Elliptic, a London-based compliance and blockchain analysis firm.
He added that it can be seen from the blockchain that the hacker is holding “a few thousand dollars of other tokens.”
However, it was not clear if it was part of the stolen assets or donations that the hacker asked people to send on Thursday to compensate any user who may have lost money from the hypothetical attack.
Other outstanding funds also include a bounty of 13.37 Ether (around $40,000 or R$210,000), which the hacker sent to a user who warned them about the freezing of Ether tokens by their developer.
The hypothetical attack occurred on Tuesday, when blockchain website Poly Network said hackers exploited a vulnerability in its system and stole thousands of digital tokens such as Ether.
The company, in a message posted on Twitter, urged thieves to “establish contacts and return the compromised assets.”
The anonymous hacker claimed that he stole for fun and to encourage cryptocurrency exchange Poly Networks to improve its security.
Poly Network said on Twitter that it was still waiting for the refund process to be completed, but that it was working with the hacker, whom the company dubbed “Mr. White Hat.”
White hat hackers are ethical security researchers who use their skills to help organizations find security holes.
Polly Network referred to the hacker in this way in several public posts. The hacker claims to have received a message from the company via the blockchain, saying, “Since we believe your behavior was white hat behavior, we plan to offer you a $500,000 reward.”
According to him, the company added, “We guarantee that you will not be held responsible for this incident.”
The alleged move has angered some in the security world, who fear it may set a precedent for hackers to cover up their crimes.
“Describing this process as white hat is really disappointing,” says Katie Paxton-Fear, a white hat hacker and professor at Manchester Metropolitan University in the UK.
Paxton-Fear has discovered more than 30 vulnerabilities in organizations ranging from the US Department of Defense to Verizon Media.
“White hat hacking involves having scope, not touching certain systems, working with the team, writing professional reports detailing our findings, and not going beyond what is necessary to demonstrate risk,” she said.
“Our approach is ‘do no harm first’ and will likely verify that repairs have been implemented and that no user data is compromised.”
Charlie Steel, a partner at the international consulting firm Forensic Risk Alliance and a former employee of the Department of Justice and the FBI, is also concerned about the alleged bid by Poly Network.
He told the BBC that “private companies do not have the authority to promise immunity from criminal prosecution”.
“In this case where a hacker stole $600 million “for fun” and then returned most of it, everything remained anonymous, but this is unlikely to allay regulators’ concerns about the variety of risks posed by cryptocurrencies.”