{harry,whg}.eth 🦊💙 Profile picture
Aug 10, 2021 38 tweets 11 min read Read on X
Why have most of us never heard of a protocol that has $600M TVL until it gets hacked? What is this space?!
40 minutes apart...

0x3a09c98f99edd9601ed017ff269652fd80c7e9aedcea57126990031128851043

0x552bc0322d78c5648c5efa21d2daa2d0f14901ad4b15531f1ab5bbe5674de34f ImageImage
~6 hours later, Poly team "reach out" to the hacker

Image
Hacker now asks if they should rely on community vote on where to direct stolen funds

0x4c102e972301b999318df70e3d3a067994dcc83951f07f7f37c45ff7e922beec Image
I found 2 keys belonging to PolyNetwork... 👀

(I need to verify they are prod keys, both armored, but interesting anyway)
Hacker: "READY TO RETURN THE FUND!"

0x7b6009ea08c868d7c5c336bf1bc30c33b87a0eedd59dac8c26e6a8551b20b68a Image
Hacker: "FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU"

0x79245fb1d1ae48a214118e25d6ad2f9324f514ec6708135a19ba9d4cfa6344f6

Looks like intentions are to return everything? Image
Hacker: "IT'S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO"

0xd239b01026c49b234d075e3d23a07efd1c3234239cfb440c0f90d5e84836fbe2 Image
Hacker: "ACCEPT DONATIONS TO "THE HIDDEN SIGNER" NOW. ENCRYPT YOUR MSG WITH HIS PUBKEY."

0x160231043b80c7824f658b3621163ebcc537ff29ad1dfb3572e658ebf0ddc2fd Image
616k $FEI moved - 0xd3327a266add4ec655ef5fe00fd042bdcdf1b886c26af3b5dd21b2e4ec9bde49

259,737,345,149 $SHIBA moved - 0x4d0c93ca9746d1c8a80c0ecf58bd5bba66654fefae3df320b4d138405d0cbc0e ImageImage
Hacker: "DONATE TO 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B IF YOU SUPPORT MY DECISION
ENCRYPT YOUR MSG WITH HIS PUBKEY IF YOU WANT TO TALK"

0x87715ad26621431c2c27f44d9214798e0c81a97d938ba5d4580dcd72f07ec6a8

Asks for community donations, and for Poly to encrypt their comms Image
Hacker: "DUMPING SHITCOINS FIRST!
HOW ABOUT UNLOCKING MY USDT AFTER RETURNING ENOUGH USDC?"

They ask for USDT to be whitelisted if they return more $USDC... interesting proposal - $33M USDT

0xa7cd9cb0211942998602e22ad6f7fd7d9c1eef9515f4e4154a76237d5fd71aa3 Image
Hacker is giving encrypt data to Poly

0x64eb495eba8b2000181498910748614dbd2c4bd7d6997af20cdb92c2518b2bce Image
Comms seems to be encrypted now - likely in (or soon to be) a communication channel with Poly for the entire network to watch

0x69534e330c5f8529759272b86e90bbacf7a5c4082683064c471e5539eacf53ba Image
I missed these but Poly seem to be in direct comms with the hacker onchain

They have received $1M+ on Polygon - unsure if verified to be Poly

0x59451c04dd5809958100c20a1263b7c1c6fc5080b38163b5117557418a473c47

0xf25ad2da525da68e7e254ecb5d780ae2c64f4df442baa14832fcbdff65dfb193 ImageImage
So far, using the addresses identified by Poly in tx278 (linked above)

0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f (ETH) - $2.6M received

0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc (BSC) - $1.1M received

0xA4b291Ed1220310d3120f515B5B7AccaecD66F17 (POLY) - $1M received
Poly connected to the hacker via email (it seems) and is offering a bounty to the hacker (after funds returned)

0xf6488e1efacd9c280eb91133d04ba357beca8016df8b0b0524b9a2e207b2ad7f

0x6b174ace1a83530bd2f33f07b213536699418b533cf2d3685556cf126e7061d8 ImageImage
The hacker just returned $120M to Poly on BSC

bscscan.com/tx/0xec9507edd… Image
Hacker: "JUST DUMPED ALL ASSETS ON BSC & POLYGON.
HACKING FOR GOOD, I DID SAVE THE PROJECT"

0x3de5a4eb6c1953ce2d0422bc5d0d16b2d9e54316cf0784bb793b3c67f09387b7 Image
I'm not monitoring BSC too closely, but they also returned $86M prior to this... so $200M+ returned on BSC to Poly

0x6e2317a437e7804b211ab03a11d61bf68d4fd3b87a5d0deb76d87febddca262b

Image
More encrypted comms going out to Poly... perhaps another big move by the hacker to arrange returning more funds?

0x4d6490b47a82e548236b4448713a973d833e439ad9fff76513d38ad2f7cb4fa5 Image
$673k/14 BTC (renBTC) on the move!

0xd916036ed3f4fd356e32faf7a0849834e54d7555383c372058226cb32705916b Image
Hacker hacked "FOR FUN :)" and "CROSS CHAIN HACKING IS HOT"

0x1fb7d1054df46c9734be76ccc14fa871b6729e33b98f9a3429670d27ec692bc0 Image
Q&A part 2 just published!

0xd4ee4807c07702a3202f45666983855d7fa22eb1c230e4c1e840fc9389e54729 Image
Hacker claims they were "PISSED BY THE POLY TEAM FOR THEIR INITIAL REPONSE" which caused them to trade some of the stablecoins

Claims they planned to earn off the interest earned until they could negotiate with Poly

"I WAS PLANNING [...] TO TAKE OVER THE FOUR NETWORK"
Q&A Part 3 just dropped

0xe954bed9abc08c20b8e4241c5a9e69ed212759152dd588bb976b47eca353a5bc Image
Hacker claims they tipped hanashiro.eth 13ETH because they thought it was their own local script problem, not a contract-level logic check problem

Tornado cashout was a "BAD JOKE"

Hacked $600M and still sticking to "I AM _NOT_ VERY INTERESTED IN MONEY"

Plans to give all back
Side note: hanashiro.eth received the (stolen) 13ETH and "spent" it, but seems to be KYC'd with FTX - depositing $450k USDC

I wonder if hanashiro.eth will also return the 13.37ETH to Poly

etherscan.io/tx/0xd62dbc8e9…
Hacker is now outing scammer email addresses

0xe926ef4b6f4e3ff1b680df02a6a2456cd9b415d25f051bb894ea3e24cfa864f0 Image
Hacker: "DISCLAIMER: I HAVE NEVER ASKED FOR BOUNTY FROM POLY NETWORK
WHAT I HAVE SAID IS ON THE CHAINS"

0xa5371eda3e56a614cdecc2b875f4236c7651e8ab3822f798b108e14b2659aaaa Image
Q&A part four just published!

0xde330cbd5484e9ce808c60d3a76739f224eb8390b6b891a8e4d29dbdaeab826d Image
Hacker says "I WOULD ADMIT THAT THE POLY HACK IS NOT AS FANCY AS YOU IMAGINE [...] I WOULD SAY FIGUING OUT THE BLIND SPOT IN THE ARCHTECTURE OF POLY NETWORK WOULD BE ONE OF THE BEST MOMENTS IN MY LIFE"

"BEING THE MORAL LEADER WOULD BE THE COOLEST HACK I COULD EVER ARCHIVE!"
Hacker: "THE _POLYGON_ NETWORK IS SO UNRELIABLE
FOR MANY TIMES I THOUGHT I HAD SENT THE TRANSACTION BUT IT VANISHED. LOL"

Hacker is having some difficulties with Polygon L2 @0xPolygon

0xd2750ac3aad70c0a73fd4cd5aa854770f3253026526ab3cdc88fd561b8ccd5a0 Image
Hacker has now returned $83M to Poly on Polygon network

0xc32f8501c62a69218b4cdaae93cffcf7b214f331942af9ecca7c35be49e796b6

Brings the total to sent back to $344M across 3 networks Image
Hacker: "[...] DON'T WORRY, YOU ARE NOT REAL VICTIMES. I SAVED YOU!"

0x078063e9574e1937a64b6552919b9fc0035429df1e601d79e200bf211e75f337 Image
Hacker has now returned an additional $1.2M

0x09fe1ec4a9ad2c159362e7ec23b0410de34d71db5f314c4b04247c48d812fcbf Image
Hacker is getting tired of the people asking for money saying "HELLO BEGGARS, WHY NOT ASKING MONEY FROM THE POLY MULTISIG WALLET? 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f"

81 comments, 1.4k txs asking for $

0x05ddbcc01736dfe478526b33837f54ccf4f0e1e8abf06276d0a3fb18b8751ea9 Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with {harry,whg}.eth 🦊💙

{harry,whg}.eth 🦊💙 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @sniko_

Jul 20, 2022
⚠️ Have you heard of MEV frontrunning bots? This scam tries to capitalise on this term with other technical jargon to steal crypto from users

Typically, it is advertised as "How to make $XXX/day on Uniswap"

With 97k views on a YouTube channel boasting 26.4k subscribers
This scam works by convincing users that their smart contract is capable of monitoring the mempool and frontrunning transactions to profit from DEX trades

When actually, it is a simple proxy contract to forward your ETH deposits to the bad actor...
But where is manager configured?

Well, you'll see it is initialised within the constructor. IT is not a parameter in the contract deployment, but instead imported from a remote
Read 7 tweets
Jul 11, 2022
⚠️ As of block 151,223,32, there has been 73,399 address that have been sent a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LP's

Activity started ~2H ago
0xcf39b7793512f03f2893c16459fd72e65d2ed00c

cc: @Uniswap @etherscan
First, the malicious contract pollutes the event data so that block explorers index the "From" as the legitimate "Uniswap V3: Positions NFT" contract

You can read more about this attack here: harrydenley.com/bad-actors-abu…
Now that an address sees that "Uniswap V3: Positions NFT" sent them a token (without knowledge of the event pollution attack), they would get curious and check the token.

The token name directs them to a domain "/uniswaplp.com", which imitates the real @Uniswap branding
Read 13 tweets
May 22, 2022
🎁 Are you an #enstimekeeper? Well, now you have access to a shared Twitter account!

Let's see how popular this experiment gets with the #enstimekeepers (before it gets suspended)

cc: @24hClubOfficial @ensdomains

harrydenley.com/projects/ens-t…
This community twitter account (@EnsTimeKeepers) with authenticate your Ethereum address and (timekeeper) @ensdomains ENS before it allows you to tweet.

For example: If you own 14h20.eth, then you can tweet during 1400-1459 (inclusive) on the UTC timezone
I recently came across a very niche "subsection" of the EthereumNameService that involved people minting ENS names around the 24H clock.

Why does the community exist? I'm not sure.

Read 10 tweets
May 22, 2022
⚠️ Beeple's Twitter account has been compromised (ATO) to post a phishing website to steal funds.

0x7b69c4f2ACF77300025E49DbDbB65B068b2Fda7D
0xF305F6073CFa24f05FF15CA5b387DD91f871b983
Beeple is a 3D artist who is famous within the NFT world for selling his first 5,000 days at a record-breaking $69M at auction

We know the ATO is likely as Twitter is reporting the tweet source is "Twitter Web App" and not some API integration
Read 11 tweets
Mar 2, 2022
Since the airdrop from donating to Ukraine, ETH donations to the account has skyrocketed!

Donating because of an airdrop? 🤔 Probably.
In fact, announcing this airdrop, as of block 14307934, it has caused 16,719 NEW accounts to donate to them!

Impressive!

dune.xyz/queries/466264
Read 8 tweets
Jan 27, 2022
1 more sig on the treasury (0x355D72Fb52AD4591B2066E43e89A7A38CF5cb341) and $43M would be withdrawn to 0xSifu

Initiated by 0xad8F72A7612Bb91B2dfaB09E54464aaA5150914E at 2022-01-26T13:39:XX UTC+0, 17hrs before @danielesesta and @zachxbt tweets about the news ImageImage
dao* not treasury. multisig is 0x355d72fb52ad4591b2066e43e89a7a38cf5cb341

owners are
0x5DD596C901987A2b28C38A9C1DfBf86fFFc15d77
0x8A7f7C5b556B1298a74c0e89df46Eba117A2F6c1
0xad8F72A7612Bb91B2dfaB09E54464aaA5150914E
Abracadabra multisig (0x5f0DeE98360d8200b20812e174d139A1a633EDd2) also has signers from the Wonderland DAO multisig

Abra requires 6/10 to sign transactions

No pending txs from this multisig

Are there three other keys that are not uniquely owned on this multisig? Image
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(