The Poly Network Hacker Gave the Money Back, and Also a Job Offer Happened
Poly Network confirms nearly all $611 million from its August 10 hack has been returned after the attacker handed over the final private key.
I’ve been following the Poly Network saga since the hack broke on August 10, and the ending is somehow stranger than the crime itself. On August 23, the attacker who drained $611 million across Ethereum, Binance Smart Chain, and Polygon shared the private key needed to unlock the multi-signature wallet holding the remaining stolen funds. By August 25, Poly Network confirmed it had recovered nearly all of it. About $33 million in frozen USDT stablecoins is still stuck and unreturned, but everything else is back where it belongs.
Let that sink in for a second. One of the largest thefts in crypto history, and the thief just… gave it back, in installments, over about two weeks.
How we got here
The initial hack itself was a masterclass in exploiting cross-chain bridge logic — the attacker found a way to trick Poly Network’s contracts into authorizing withdrawals they had no right to make. What made this incident different from the usual smash-and-grab was the attacker’s behavior afterward. Instead of trying to launder the funds or vanish, they engaged in a running public dialogue with Poly Network, embedded in transaction data on-chain, at one point claiming the hack was done “for fun” and to expose the vulnerability before someone with worse intentions found it.
Whether that’s the full truth or clever spin after getting cornered by the sheer visibility of moving that much stolen crypto, we’ll probably never know for certain. But the practical effect was a slow, negotiated return of funds that no law enforcement action forced.
The bug bounty twist
Here’s the part that still feels almost absurd: Poly Network offered the attacker a bug bounty and even floated a “chief security advisor” title. It’s a remarkable pivot from victim to potential employer, and it says a lot about how this industry still operates in gray areas where “hacker” and “security researcher” are separated by a decision made after the fact, not before.
I’m skeptical this becomes a template anyone should rely on. Most attackers don’t have a crisis of conscience, and most stolen funds don’t get returned. What actually made the difference here was almost certainly the difficulty of cashing out that much value without getting flagged by every exchange and blockchain analytics firm watching those addresses in real time. Visibility, not virtue, is probably the real hero of this story.
Still, as a case study in incident response, this is worth remembering. Poly Network’s team kept communication open, avoided inflammatory rhetoric, and left the door open for a resolution instead of just posting bounties for information leading to arrest. That approach, plus the sheer traceability of on-chain funds, got them back the vast majority of $611 million. The remaining $33 million in frozen stablecoins is a reminder that even in a “happy ending,” crypto’s plumbing has friction points that don’t resolve cleanly. Whether Tether unfreezes that USDT is the next thing worth watching.