Cryptocurrency platform Poly Network has written an open letter to hackers whom it claims stole $600m (£435m) in digital assets, asking them to return the funds.
The value of the tokens dropped below $400m (£290m) following the news of the theft.
In monetary value, the heist would be one of the biggest to hit the cryptocurrency world, comparable to the theft of 850,000 bitcoin from the Mt Gox exchange in 2014 – worth $450m (£326m) at the time.
Poly allows users to swap cryptocurrency tokens across different blockchains. The company said a vulnerability in its system allowed the attacker to transfer these tokens to public blockchain addresses they controlled.
The stolen tokens amounted to more than $270m (£196m) from the ethereum blockchain, $250m (£181m) on the Binance Smart Chain, and $84m (£61m) on the Polygon network, according to Poly Network’s tweets.
In its open letter addressed “Dear Hacker,” the company said it wanted to establish communication with the thieves and stressed that the stolen funds “are from tens of thousands of crypto community members, hence the people”.
Senior executives at exchanges across the cryptocurrency community are offering to blacklist the addresses to which the criminals sent the stolen funds, in an attempt to recover them.
As indicated by the immediate drop in the value of the stolen tokens, the incident highlights the perils of decentralised finance (DeFi) systems which are less regulated than traditional markets.
Amanda Wick, chief of legal affairs at Chainalysis, told Sky News how law enforcement works to recover stolen cryptocurrency: “So there’s a famous saying in crypto, and I’m going to paraphrase it, but it goes, whoever controls the private keys controls the coins.
“And that’s basically the answer to how you ‘seize crypto’”. She added that the term “seize” was “somewhat of a misnomer, because you don’t actually obviously take coins but you change the control over who has access to the coins via software”.
“When we talk about ‘how does government seize crypto?’, they basically use private keys or recovery seeds to change control from the criminal into a government / law enforcement controlled wallet.
“Imagine a public block address as the equivalent of a bank account number. And a private key is like having the PIN that would give you access to actually make withdrawals. So when somebody has that PIN, with or without your permission, they could take those funds.
“So having those private keys allows people to effectively take control over the funds, which is why when you read articles about law enforcement ‘seizing crypto’ it’s actually about getting access to that PIN number such that they can take the money.”
Poly Network tweeted that it had discovered the vulnerability which allowed the attacker to make the transactions, blaming an issue in a system for contract calls.
The simplest resolution would be for the attacker(s) to simply transfer back the stolen tokens, but as some have already been moved to other accounts this is unlikely.
However, by Wednesday afternoon UK time, the Poly Network tweeted that it had received more than $4m back from the addresses to which the hacker transferred the stolen tokens.
So far, we have received a total value of $4,772,297.675 assets returned by the hacker.
ETH address: $2,654,946.051
BSC address: $1,107,870.815
Polygon address: $1,009,480.809
Alongside the plea from the Poly Network, a number of people have sent messages to the addresses which have received the stolen tokens.
Many asked for donations, some seriously while others referenced memes. One user warned the attackers that some of their tokens had been blacklisted, a warning for which the attackers sent them $42,000 in ethereum.
Back in June, the Metropolitan Police seized about £114m of cryptocurrency as part of a money-laundering investigation.
The force said the confiscation was the largest of its kind in the UK, and one of the largest in the world.
Last year, US authorities said they had seized around $1bn (£718m) worth of Bitcoin connected to the darknet marketplace Silk Road, which was shut down in 2013.