HONG KONG/SINGAPORE/LONDON (Reuters) - A cryptocurrency platform has lost an estimated $600 million in digital tokens after one of the sector’s biggest ever hacking attacks, according to details of the heist which emerged on Wednesday.
Poly Network, a decentralised finance (DeFi) platform, announced the hack on Twitter and posted details of digital wallets to which it said the money was transferred, urging people to blacklist tokens from those addresses.
The value of the tokens in the wallets cited by the platform was just over $600 million at the time of the announcement, according to crypto trade publication The Block.
Poly Network did not immediately respond to a request for more detail about the incident. It was not immediately clear where the platform is based, or whether any law enforcement agency was investigating the heist.
The platform tweeted it planned to take legal action and urged the hackers to return the stolen funds to several of its digital addresses.
The plea looked to be gaining some traction, with around $2 million in stolen tokens returned by Wednesday morning, according to public blockchain records and crypto tracking firm Elliptic.
The theft appeared to be one of the biggest ever in cryptocurrency markets and compares with the $530 million in digital coins stolen from Tokyo-based exchange Coincheck in 2018.
The Mt. Gox exchange, also based in Tokyo, collapsed in 2014 after losing half a billion dollars in bitcoin.
The latest attack comes as losses from theft, hacks and fraud related to decentralised finance hit an all-time high, raising the risk of both investing in the sector and of regulators looking to shake it down.
DeFi refers to peer-to-peer cryptocurrency platforms that allow transactions without traditional gatekeepers such as banks or exchanges. Poly Network allows users to swap tokens across different blockchains.
“It is a massive hack … as large as Mt. Gox,” said Bobby Ong, co-founder of crypto analytics website CoinGecko, although he noted the fallout had not yet hurt major crypto prices.
“This project is finished in my opinion. (It is) going to take a lot to regain confidence,” Ong said.
The retrieval of some of the tokens underscored the difficulties of laundering large amounts of stolen crypto, said Tom Robinson, Elliptic co-founder.
“There’s so much public attention on this, and exchanges will be on the lookout for customer deposits linked to this theft,” Robinson said.
“This demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the broad use of blockchain analytics by financial institutions.”
Still, the stolen funds amount to more than the record $474 million in criminal losses registered by the entire DeFi sector from January to July, according to a report from crypto intelligence company CipherTrace.
Proponents of DeFi say the technology will allow more people and businesses to access financial services. Yet it is mostly unregulated, with tech flaws and weaknesses in the code many platforms use leaving it vulnerable to hacks and heists.
Still, a message embedded in transactions from one of the wallets controlling the missing funds said: “I need a secured multisig wallet from you,” possibly in an attempt to try and return the loot.
“It’s already a legend to win so much fortune,” read a subsequent message.
The chief technology officer of Tether, a stablecoin, also said on Twitter the company had frozen $33 million connected with the hack, and top management at large crypto exchanges responded to Poly on Twitter saying they would try to help.
(Reporting by Alun John in Hong Kong, Tom Wilson in London and Tom Westbrook in Singapore; Editing by Jane Wardell and David Holmes)