
The largest DeFi heist in history, filled with bizarre and absurd twists
TechFlow Selected TechFlow Selected

The largest DeFi heist in history, filled with bizarre and absurd twists
Which comes first: code rules or legal rules? Should DeFi be regulated? Should Tether freeze assets? Where is the boundary of decentralization?

Poly Network suffered a theft of $610 million in cryptocurrency, making it the largest DeFi hack in crypto history—a mysterious, bizarre, and surreal event laced with elements of performance art.
How Was It Stolen?
On the evening of August 10, cross-chain interoperability protocol Poly Network suddenly announced it had been hacked. Assets worth $250 million on Ethereum, $270 million on BSC, and $85 million on Polygon were stolen across the three chains, totaling $610 million in losses.
There are two main theories regarding the cause of the breach.
Security firm BlockSec released an analysis suggesting the attack may have resulted from leaked private keys used for cross-chain signatures, or a logic flaw in the signing program that allowed malicious transactions to be signed.
Shortly after, security company SlowMist published its own analysis, arguing that the attacker had carefully crafted data to alter the "keeper" address in the Ethereum cross-chain contract to one controlled by the hacker—contrary to rumors claiming the incident was due to a leaked keeper private key.
Blockchain data platform Breadcrumbs’ analysis leans toward supporting SlowMist’s conclusion.
Poly Network operates a series of smart contracts that manage funds stored on the network. On Ethereum, three key Poly Network contracts are involved:
Ethereum Cross-Chain Manager
0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270
Ethereum Asset Proxy
0x250e76987d838a75310c34bf422ea9f1AC4Cc906
Ethereum Cross-Chain Data
0xcf2afe102057ba5c16f899271045a0a37fcb10f2
A critical variable stored in the Ethereum Cross-Chain Data contract determines which address is the "consensus keeper." This keeper has the authority to withdraw funds from the Ethereum Asset Proxy contract, which holds all of Polynetwork's assets.
The hacker called the Ethereum Cross-Chain Manager with specific data, setting the keeper variable to their own address. This change was executed in the following Ethereum transaction:
0xb1f70464bd95b774c6ce60fc706eb5f9e35cb5f06e6cfe7c17dcda46ffd59581
After setting their address as the Ethereum keeper, they withdrew 10 different assets from the Ethereum Asset Proxy to their own address.
They then repeated this exact process on Binance Smart Chain and the Polygon network.
The stolen assets are now primarily concentrated on Ethereum and Binance Smart Chain, mostly consisting of USDC.


Was It a Domestic Attack?
Could such a large-scale hack have been carried out by insiders or individuals affiliated with the team?
Sushi’s security researcher Mudit Gupta suggested that while the hacker might have obtained keys through some means, it's also possible they colluded with someone inside the team—an assertion requiring deeper investigation.
Tracking the attacker’s address revealed a particular exchange—Hoo (Tiger Exchange).
With technical support from SlowMist and multiple exchanges including Hoo, it was discovered that the hacker’s initial funding source was Monero (XMR), which was later exchanged on an exchange for BNB, ETH, MATIC, and other cryptocurrencies, then withdrawn to three separate addresses shortly before launching attacks across the three chains.
In other words, the hacker first deposited Monero into an un-KYC’d Hoo account, converted it into BNB, ETH, and MATIC for gas fees needed in the attack.
Following the incident, Hoo promptly issued a statement regarding the PolyNetwork theft:
1. Hoo immediately provided relevant information to well-known security firms to assist in tracking;
2. Hoo immediately suspended deposits and withdrawals for affected tokens, blocking all stolen funds from entering the exchange;
3. Hoo will closely monitor developments, uphold industry integrity, and combat hackers.
SlowMist stated that through on-chain and off-chain intelligence, they had identified the attacker’s email, IP address, device fingerprint, and other details, indicating this was likely a premeditated, organized, and well-prepared operation.
Thus, suspicions grew within the community that the attack was carried out by someone domestic—and possibly an insider.
Performance Art
Amid the theft, a deeply ironic subplot emerged.
An address named hanashiro.eth sent a message to the hacker’s wallet, informing them that USDT had been frozen and advising against using it.

Perhaps in gratitude, the hacker transferred 13.37 ETH to that address.
Word spread quickly, attracting a wave of opportunists who began sending messages to the hacker’s address, hoping to receive rewards.
Some declared themselves the hacker’s child, others sought mentorship, while some lamented their tragic trading experiences...

Yet everyone overlooked why hanashiro.eth received exactly 13.37 ETH.
Leet, spelled 1337, also known as hacker speak, is a writing system originating from Western BBS, online gaming, and hacker communities. Here, it seems to convey: I am a skilled hacker.
hanashiro.eth, previously active in transactions with Binance, perhaps fearing liability, donated all received ETH to Binance Charity, Infura, Rekt, Archive.org—in increments of 1.339 ETH—leaving behind poetic verses and song lyrics on-chain, staging a grand act of performance art.

Recipient: Binance Charity
Message:
We are the world
We are the children
We are the ones who make a brighter day, so let's start giving.
We are making a choice
We are saving our own lives
It's true, we'll make a better day, just you and me.
Recipient: Etherscan
Message:
Oh, give your heart to them
Let them know you care
Their lives will be stronger and free
As God showed us turning stones to bread
So we must all lend a helping hand
Recipient: Infura
Message:
When you're down and seem to have no hope
But if you believe, we can't fall
Alright, alright, alright, let's realize
Oh, only when we stand together can change happen
When we stand together, yeah, yeah, yeah
Recipient: Rekt
Message:

A Japanese song

A Japanese song
Recipient: Archive.org
Message:
We can't go on pretending day by day
That someone, somewhere will soon make a change
We are all members of God's great big family
The truth is, you know, love is all we need
Recipient: Self
Message:
I'm just a passing crypto enthusiast who checked the hacker's tether/circle blacklist status and sent that message.
Who Is Nervous?
Perhaps this was the hacker’s wealthiest moment ever. They broadcast two messages on-chain:
“If I transfer out a bit more 'shitcoin,' this becomes a $1 billion event! Haven’t I saved the project? I’m not interested in money. Now I’m considering returning part of the tokens—or just leaving them untouched.”
“What if I issue new tokens, and let a DAO decide where they go?”
The hacker’s bravado carried a hint of fear. How about the attacked project? On one hand, they projected strength. PolyNetwork released an open letter stating:
We hope to connect with you and urge you to return the stolen assets.
The amount you stole is the largest in DeFi history. Any country's legal system would treat this as a major economic crime. You will be pursued.
Conducting any further transactions is unwise. These assets belong to thousands of community members. You should talk to us to seek a solution.

But starting with “Dear” might mean PolyNetwork had already lost.
Face to face on a narrow path, the game of psychological warfare begins—technical pursuit versus counter-tracking. Who will ultimately prevail?
In the end, the pain is borne entirely by the owners of the stolen assets.
It is reported that victims of this theft were mainly high-net-worth individuals from Shanghai, with even industry leaders losing over $100 million.
“Working hard to earn small money, wiped out in one theft”—never underestimate any potential black swan event.
Finally, a deeply ironic observation:
Before the theft: Code is law. DeFi doesn't need government, police, courts, or laws—screw the government!
After the theft: Hey… police? We got hacked. All our money is gone. Please help.

Code first or law first? Should DeFi be regulated? Should Tether freeze assets? Where lies the boundary of decentralization?
Perhaps, these questions deserve deep reflection.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














