Could the Poly Network Crypto Heist Have Been Prevented?

Posted on August 31, 2021 by yafit

read the article
One of the largest cryptocurrency heists ever has been recently in the news, after hackers stole $600 million worth of crypto. The attack, which took place on August 10., saw hackers exploiting a vulnerability in the system of Poly Network, a blockchain-based financial service, also known as DeFi (decentralized finance) – a technology that looks to cut out intermediaries such as brokerages and exchanges.
Poly Network's tweet following the attack

In the hours following the hack, the hacker began returning the funds, on August 10-11. Following a letter tweeted by Poly Network urging the thieves to “establish communication and return the hacked assets”, he returned $258M to 3 different crypto addresses. Initially, he made small transfers of a few dollars to the online wallets controlled by Poly Network, but they soon began making significantly larger deposits, reaching hundreds of millions of dollars.

A bit about DeFi Breaches

As mentioned before, DeFi is the term used for “decentralized finance”. As of July 2021, DeFi-related breaches totaled $361 million — triple the total of amount from similar breaches in 2020, according to cryptocurrency compliance company CipherTrace. Cryptocurrency system companies, such as Ether and Binance, were developed to cope with this type of incidents. Crime losses in the cryptocurrency market fell by $521m to $681m, against $1.9bn in 2020 and $4.5bn in 2019.

Could the Poly Network heist have been prevented?

One of the first steps of preventing a hacking attack is collecting early indicators of a possible attack. Using our Cyber API, we were able to find an early indication of the vulnerability that was used in the attack against Poly Network already in December 2020. In a post by a hacker on Raidforums, he stated he could exchange cryptocurrency through a connectivity vulnerability.

Here’s the post from our Cyber API:

When a company is mentioned on various dark web platforms, it might indicate that a future threat or leak is underway. We usually find suspicious posts on hacking forums, paste sites and chat applications such as Discord and Telegram. These posts include discussions around new vulnerabilities, developing capabilities, hacking code reviews, and, of course, data breach of PII, personally identifiable information.

So how can companies spot early indication of an attack or breach in the making?  Using a good Cyber API, you can identify posts that include a variety of alarming indicators like information or code, hacking guides, or discussions on initial preparations of attacks before they take place. Often, hackers will post a sample of hacked data as well as a description of content or data and the compromised fields that are leaked. Then, they post a link to purchase the whole breach for those who were satisfied with the sample they had received and are interested in purchasing the remainder of the hacked data. This you can often find in the dark web chatter we cover.

Hacking threats which lead to big data breaches usually include mentions of assets of companies, such as: databases, files, passwords, logins, sessions, cookies, IP, admin rights etc. The data is published on a daily basis on several networks and platforms including Telegram and Discord, hackers forums, paste sites and datastores. You can easily search for leaks via our search engine, using the Network or the Site.type filters. 

Examples of content

In addition to the post we featured above from the  popular hacking forum Raidforums.com, we also come across other posts that can can serve as early indicators of future attacks in the making, here are a few examples:

Covering these types of chatter can help you boost your detection capabilities and set you on the right track to investigating and even preventing the next hacking attack. 

Want to learn more about how Webhose can help you scale your early detection capabilities? Contact our data experts today!