
Almost all of the $600 million stolen in one of the biggest cryptocurrency heists of all time has now been returned by hackers, according to the platform the hack targeted.

Poly Network said Thursday that all funds were returned except for $33 million of the digital coin tether.

The issuer of Tether, a so-called stablecoin that is pegged to the US dollar, used a built-in failsafe to freeze the assets shortly after the theft.

In an unusual twist of events on Wednesday, an anonymous person claiming to be the hacker said he was “ready to return the money.” The identity of the hacker(s) is not known.

Poly Network asked them to send the money to three digital wallets. In fact, by Thursday, the hacker had returned more than $342 million of the money to those wallets.

But there is a catch. While almost all of the haul was returned to Poly Network, the last $268 million in assets are locked in an account that requires passwords from both Poly Network and the hacker to gain access.

“It is likely that keys will be needed by both Poly Network and the hacker to move the funds – so the hacker could still make those funds inaccessible if they so choose,” said Tom Robinson, chief scientist of the blockchain analysis firm Elliptic, in a blog post Friday.

In a message embedded in a digital currency transaction, the alleged hacker said he would “provide the final key when _everyone_ is ready”.

Record ‘DeFi’ hack

Poly Network is a so-called “decentralized financial system”. DeFi projects aim to use blockchain – the technology underlying most cryptocurrencies – to replicate traditional financial services like lending and trading.

In the case of Poly Network, the DeFi system allows users to transfer tokens from one blockchain to another.

Someone exploited a vulnerability in Poly Network’s code that allowed them to transfer tokens to their own crypto wallets. According to researchers from security firm SlowMist, the platform lost more than $610 million in the attack.

Poly Network called it “the largest in DeFi history”.

The self-proclaimed hacker claims to have carried out the theft “for fun” and says it was “always the plan” to finally return the money.

CNBC was unable to independently verify the authenticity of the messages.

In another message, the hacker claimed that Poly Network offered them a $500,000 bounty to return all of the money and that they refused. The hacker shared an apparent statement from Poly Network promising that they will “not be held accountable for this incident,” which effectively grants them immunity.

Poly Network had not responded to a request for comment from CNBC at the time of publication.

“Offering immunity may have sounded like a smart move by Poly Network to dangle a carrot, but the authorities are unlikely to approve or even allow this decision,” said Jake Moore, a specialist at cybersecurity firm ESET.

“This attack has likely been watched closely by cyber criminals and law enforcement alike, potentially opening up the possibility of counterfeit attacks.”

Identifying the hacker

Robinson said the hacker “could still be prosecuted by the authorities”.

“Your activities have left numerous digital breadcrumbs on the blockchain that law enforcement agencies have to follow.”

Cryptocurrencies are often the first choice for cyber criminals, especially in ransomware attacks that lock down corporate systems or steal data while demanding a ransom payment to restore access.

This is because the people who send and receive digital currency do not reveal their identity. However, it has become possible to track the location of funds by analyzing the blockchain, which contains a public record of all historical crypto transactions.