Poly Network offers up $500k bug bounty reward to its own hacker

Poly Network logo seen on a mobile phone and a computer screen
(Image credit: Shutterstock)

Poly Network has offered its own hacker a $500,000 bug bounty reward for finding the vulnerability which allowed them to orchestrate what is now considered to be the largest cryptocurrency heist to date.

The blockchain platform reportedly offered up the prize after the hacker returned the remainder of the $610 million (£440 million) worth of Ether, Binance, and USDC tokens, stolen in a hack on the platform on Wednesday.

This is according to a Q&A published by the hacker and shared online by Tom Robinson, the co-founder of the London-based blockchain analytics and compliance company Elliptic. Robinson had found the messages “embedded in ethereum transactions sent from the account controlled by the hacker”.

In a note meant for the hacker, Poly Network is quoted as saying: “We appreciate you sharing your experience and we believe your action constitutes white hat behaviour”.

“We plan to offer you a $500,000 bug bounty after you complete the refund fully,” the company told the hacker, before adding that they won’t face any legal repercussions for the heist, describing it as “very helpful”.

The hacker stated that they hadn’t responded to Poly Network’s bug bounty offer, yet added that all the stolen assets will be sent back.


IT Pro 20/20: Does cyber security's public image need a makeover?

Issue 18 of IT Pro 20/20 looks at recent efforts to retire the 'hacker' stereotype, and how the threat landscape has changed over the past 20 years


Elliptic analysts had previously speculated that the decision to return the assets could have been motivated by their traceability: the hacker could be “pursued by the authorities” due to leaving “numerous digital breadcrumbs on the blockchain for law enforcement to follow, aided by blockchain analytics tools”.

On Thursday evening, Poly Network stated that “all the remaining assets on Ethereum (except for the frozen USDT) had been transferred to the multisig[nature] wallet controlled by Mr. White Hat and Poly Network”.

“The repayment process has not yet been completed. To ensure the safe recovery of user assets, we hope to maintain communication with Mr. White Hat and convey accurate information to the public,” it said, before adding that “any unfounded allegations and speculation may damage the extremely important process of asset recovery”.

The identity of the hacker continues to be unknown. However, in their Q&A, they had hinted that they do not come from an English-speaking country and had been engaged in hacking from a young age. They also described themselves as a “high profile hacker in the real world” working in the “security industry”.

Sabina Weston

Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.

Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.