A Crypto Crime: Poly Network Hacked

By Robyn Ma

The Story

It has been a rollercoaster for Poly Network. First, the decentralised finance (DeFi) platform saw $600 million stolen by hackers in one of the largest crypto thefts ever. Then, in a turn of events, the hackers returned $260 million.

DeFi refers to financial services without a central authority, like a bank. Through the use of cryptocurrencies, blockchain technology and smart contracts, the idea is that lending (and other services) can take place without the need for a third party intermediary.

What It Means For Businesses and Law Firms

The Poly Network hack reveals some of the flaws with DeFi technologies, and the challenges for cybersecurity in this area. What DeFi has been lauded for appears to be its very peril; it has been celebrated for its decentralised nature, “disempowering middlemen [...] and let[ting] users retain control over their money” (Finextra). However, without a centralised authority to govern this system, crypto hacks present a high risk to users.

In the UK, cryptoasset businesses must register with the Financial Conduct Authority under the Money Laundering Regulations. However, given the current lack of fundamental understanding of the legal nature of cryptoassets themselves, it is still a largely unregulated market. Indeed, on its website, the Financial Conduct Authority states cryptoassets are considered “very high risk, speculative investments” (FCA).

With “DeFi-related hacks...up 270% in 2021 alone” (Decrypt), regulators must carefully consider how to govern cryptoassets. Given their transparent nature, issues of data privacy should be recognised. For instance, the smart contracts and blockchain technology underpinning DeFi platforms are typically “open source” and “therefore available for all [...] participants to review and audit” (Norton Rose Fulbright). The transparent nature of DeFi may therefore make it a cyber target because of the lack of consumer protections and data privacy rules in place.

Some believe that an “enforcement-first” approach will be taken by regulators (Markets Media). However, as DeFi systems operate beyond the traditional constraints of the financial services industry, others believe regulators need to respond to emerging technologies more quickly. Indeed, just recently, cryptocurrency exchange BitMEX agreed to pay $100 million to resolve a regulatory lawsuit (FxStreet). The company was accused of failing to comply with American laws on its trading platform, including accusations that it failed to properly verify users’ identities - exposing the platform to risks such as “dealing with money launderers [and] ransomware attackers” (Wall Street Journal). With Poly Network having taken a $600 million hit, these concerns do not appear unfounded.

Another point to consider is the peculiar nature of crypto-hackers. Poly Network’s hackers have proclaimed themselves as “white hats”, or “ethical hackers”, aiming to expose the platform’s vulnerability (Economic Times). Sceptics point out the hackers may have faced difficulties laundering the large sum of money. Indeed, stablecoin-provider Tether announced it had frozen the $33 million USDT stolen, preventing hackers from moving or transferring tokens (Reuters). If “white hat” hackers were truly altruistic in their intentions, why take the money in the first place?