The Insane, Ongoing Saga of a $600 Million Crypto Theft

“Mr. White Hat” might or might not live up to his moniker. Photo-Illustration: Intelligencer; Photos: Getty Images

The thing to know about Mr. White Hat is that he doesn’t use that name himself. The hacker, location unknown, has divulged few personal details, and who knows if those are even true? English isn’t his first language, he has said, and he’s a cybersecurity professional who’s been breaking into computers since he was young. That’s about it. (He also says he recently saw the movie Wrath of Man, the heist flick where Jason Statham kills a bunch of bank robbers, but that might be a joke.) What’s clear, though, is that he — or she, or they — is the force behind the $600 million heist of a lively but relatively obscure cryptocurrency project called Poly Network. The theft is the largest-ever crypto hack and highlighted the level of uncertainty and vulnerability in the exploding world of decentralized finance, or DeFi.

Mr. White Hat was given his nickname by his victim, Poly Network. The term refers to the idea that there are ethical hackers out there who find flaws in code to make systems stronger, as opposed to the typical cybercriminal — your black hat. Poly, a company whose software makes otherwise incompatible cryptocurrencies tradable, first lashed out upon realizing it had been hacked, vowing legal action and demanding repayment after the hacker absconded with the money on August 10.

But then something changed. In the equivalent of a Hail Mary pass, Poly published an open letter asking for the money to be returned, pointing out that law-enforcement agencies will be interested. “You should talk to us to work out a solution,” it read. Miraculously, the plea — even though it was widely mocked on social media — was successful. Aside from some cryptocurrencies that were otherwise frozen, Mr. White Hat agreed to return the funds. Poly seemingly averted total disaster. The company expressed its gratitude not only by offering a $500,000 bounty, and later a job as its top security consultant, but by publicly giving its antagonist his moniker and announcing that they share the “same vision.” The holdup was merely a blip, and all would be back to normal in short order.

Or was it?

Since then, the hacker parked the equivalent of $240 million in a cryptowallet that’s purportedly shared with the Poly Network — and then refused to give it the access keys for a week. Mr. White Hat then raised the bar for when he will return the funds, making himself the sole decider of when people will be able to get their own money back. On Wednesday, another $100 million or so was returned — the timing of, and the trigger for, the return of the rest of the money remain unknown. The wait has curdled much of the goodwill he earned from the community by agreeing early on to return the funds, as people are desperate to get their money back. The White Hat name is starting to look either like crypto Stockholm syndrome, or a ploy in a cat-and-mouse game where the odds of a happy ending are narrowing fast.

“The Poly Network team is still negotiating with the hacker. And the primary goal is to get one key back from the hacker,” said Xuxian Jiang, the CEO of blockchain security firm Peckshield, which is working with Poly Network. “At this stage, we really don’t want to make the hacker angry to do something to jeopardize the funds.”

DeFi is one of the hottest, fastest-growing areas of the cryptocurrency world, a mini-industry that promises to remove all the middlemen from finance — no banks, no brokers, no custodians. Like bitcoin, DeFi uses blockchain, the distributed ledger technology that crypto is built on, but takes that concept and squares it. Instead of one chain, there are many platforms — hence, the decentralized aspect — that can be used for all kinds of so-called smart contracts that trigger financial transactions when certain conditions are met. That’s where Poly Network came in. As with Mr. White Hat, there isn’t a lot of information about the company. An unsigned message from its communications email address declined to make any executives available or answer most questions. It’s unclear if it even has a base of operations, though ICANN’s registration data lookup tool says the company’s mailing address is in Shanghai.

In the quasi-libertarian world of the crypto community, it isn’t uncommon for people to regard hacks as intellectual pursuits and whatever is gained by them as rightful spoils. The difference between a feature and a bug is just a matter of perspective. “This is a currency that is not tied to any government agency, which, as a result, has an outlaw aspect to it, an unregulated aspect to it, which is incredibly attractive to the average person,” says Mark Reichel, a Sacramento lawyer who’s defended hacking cases. “When you hear about hackers who are able to do this, other than the people who lost their funds, there is an amount of reverence for the hacker who can do this.”

Mr. White Hat, it seems, agrees. In his missives, he waxes philosophical about the nature of life, dropping references to Martin Heidegger. “I have been exploring the meaning of life for a while. I hope my life can be composed of unique adventures, so I like [to] learn & hack everything in order to fight against the fate. Sein zum tode,” he said, using a Heideggerian term for a state of being that’s oriented toward one’s own death.

Despite the nom de paix, this hacker is ambivalent about the idea that what he’s doing fits into any neat ethical category. In his communications, encrypted in publicly viewable ethereum transactions, he refers to the heist he orchestrated as a “game” nine times — one where the losers get what they deserve.

“It’s hard to prove that your loss is my fault, especially when you are already gambling beyond your capability,” he wrote in an all-caps message.

The turn of events has divided the crypto community. Only a quarter of respondents in a recent Twitter poll run by Peckshield said the hacker was the good guy. His languid pace has caused havoc in a lively Telegram group of Poly Network users demanding their money back. Mr. White Hat, in turn, responded with taunts. The hacker has rejected the $500,000 bounty on offer from Poly but has mused about using it against Poly. After Poly offered another half-million dollars to anyone who exposed technical flaws in its systems, he threatened to take the money and then doubly compensate another hacker for breaking in — going, if not full Joker, pretty close.

“If you are still confused, ask some richer friends, what is money for?” he wrote. “Money means little to me, some people are paid to hack, I would rather pay for the fun. I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network. (They can win double if they feel the current plan is awkward).”

Poly has since upgraded its systems to make them more secure but is still a ways off from being back to normal. It’s unclear when the rest of the money will get returned, if ever. “Who do you think is dominating the game?” Mr. White Hat wrote in a Q&A he posted in an encoded section of an August 16 ethereum transaction.

But even if the money gets returned in full, the saga is likely far from over. The hack occurred at a time when China — where many of the users live — is cracking down on its internet sector. Xuxian declined to answer questions about law enforcement, but if any of the hack’s victims are in the U.S., that could give the Justice Department a reason to dig in and file indictments against the purported hackers — even if the people at Poly don’t want it — for breaking the Computer Fraud and Abuse Act, a broad anti-hacking law.

“What is the narrative they’re trying to develop out of this event?” John Hamasaki, an expert in the CFAA who defended Anonymous-linked hacker Keith Downey, told Intelligencer. “Maybe acknowledging a vulnerability was better from a PR perspective than getting involved in the criminal-justice system.”

But, Hamasaki added, it may be too late for that.

“In our criminal-justice system, broadly speaking, it’s not the victim who brings charges, it’s the government,” he said.

Update: On August 23, the hacker behind the $600 million hack provided Poly Network with the authorization keys to receive the balance of the returnable funds. “Once again, we would like to thank Mr. White Hat for keeping his promise, as well as the community, partners and the multiple security agencies for their assistance,” Poly Network said in a statement.

Correction, August 24: A previous version of this article misstated who Hamasaki had defended. We regret the error.