‘Mr White Hat:’ The story behind a $600m crypto caper

How an alleged thief morphed into a self- styled vigilante policing the digital asset world

An hour after the world discovered an alleged hacker had made off with $600 million (€508 million) in one of the largest-ever cryptocurrency heists, the thief tipped a bystander $42,000 for warning that some of the assets were being frozen.

The apparent act of generosity was only the first unexpected twist in a virtual robbery that has gripped the crypto industry and left many observers scratching their heads.

The mystery hacker’s target was an obscure group called Poly Network, a project in the world of decentralised finance, known as DeFi, which links together some of the most widely-used digital ledgers. DeFi is the cutting edge of the digital asset world. Developers are building automated networks to allow individuals and companies to skip fee-charging intermediaries such as banks and exchanges.

In the crypto market, all transactions can be seen on digital ledgers. Poly took advantage of this feature in the same way a bank can alert authorities to the serial numbers on stolen cash. It called on other industry participants to “blacklist” the stolen loot, making it much more difficult for the hacker to move it without getting caught.


With escape routes rapidly closing down to move such a large sum, the hacker began making the case that they were an altruistic thief, out for a good time and to showcase Poly’s vulnerabilities for the greater good.

“I hope my life can be composed of unique adventures, so I like to learn and hack everything in order to fight against the fate,” the hacker wrote in messages that can be viewed on a blockchain. Working out the blind spot of Poly Network “would be one of the best moments in my life,” said the hacker, who has yet to be identified.

‘Mr White Hat’ speaks

As the incident unfolded this week, the hacker dubbed ‘Mr White Hat’ sent communiques via the Ethereum blockchain, which can be viewed publicly. The blockchain conversation reveals part of the hacker’s negotiations with Poly Network and gives some clues to the motivation behind the theft.

Here are some extracts from those messages:

“Not so interested in money, now considering returning some tokens or just leaving them here.” – Mr White Hat

“We can offer you a security bounty when you return all the remaining assets. We will provide a secure address through email.” – Poly Network

“I have been exploring the meaning of life for a while.” – Mr White Hat

“I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” – Mr White Hat

“Q: Why hacking? A. For fun :)” – Mr White Hat

After quoting German philosopher Martin Heidegger, the hacker then took on a Batman-style vigilante attitude. “I prefer to work in the dark and save the world,” they wrote.

To some, a homespun philosophy that mixed high and pop culture to justify taking $600 million may seem a stretch. The DeFi market already had a reputation for being the wildest of the Wild West in the largely unregulated crypto world. Last year, DeFi represented only 6 per cent of all cryptocurrency activity but accounted for a third of all digital asset thefts, according to Chainalysis, a crypto data company.

But as the dust began to settle, many crypto enthusiasts, a community that has long championed libertarian ideals, were already beginning to give him a sympathetic hearing. It had even given the hacker a nickname – “Mr White Hat” – in reference to supposed “ethical” hacking.

“The world has up to now been too forgiving of people deploying insecure systems which companies manage rather than fix. The wonderful thing about DeFi is that it is not forgiving in that way,” said Mark Miller, chief technology officer at Agoric, which provides software for DeFi transactions.

“We have an ecosystem here in which insecure participants get killed quickly so it gets to be populated by the survivors of the process.”

Rise to fame

The anonymous hacker’s sudden rise to fame began on Tuesday, after he identified a weak spot in Poly’s systems.

Poly had developed a computer protocol, or set of rules, that allows users to transfer tokens tied to one blockchain to a different network. Many of the world’s most widely used blockchains, such as Binance Smart Chain and Ethereum, operate independently. Their coins, offered as an incentive to users, run on separate technologies.

That means investors cannot easily move tokens to a different blockchain to trade them elsewhere. Poly acted as a bridge but Mr White Hat found a bug that gave him direct access the ledgers.

Shortly after 1.30pm London time, Poly alerted the world on Twitter that thousands of tokens had been removed from its network. Its response was to publish the unique alphanumeric addresses of the wallets to which the tokens had been sent, so other crypto players could identify and potentially block further transactions.

Exchanges such as Binance and OKEx said they were monitoring the situation. Tether, the stablecoin operator, said it froze about $33 million worth of its tokens. As the exchanges at the heart of the crypto system began to block the hacker’s path, the adventure took yet another turn.

Users of the Ethereum blockchain can create crypto trades and attach comments for the world to see. The hacker’s helpful informant used this feature to warn Mr White Hat the assets were being locked off. Others began tipping Mr White Hat with tokens, accompanied by messages asking for funds to be returned. While most tips were worth less than $1, a handful of the more than 1,300 transactions involved tokens worth hundreds of dollars in the hope of receiving a more substantial payout.

Poly left a message on Ethereum asking the hacker to contact them. Less than an hour later, Mr White Hat responded on the same channel. Attacker and target were communicating in public.

In more conciliatory language, Poly then offered a bounty worth $500,000 as a reward for finding the bug and returning the assets. “We hope it will be remembered as the biggest white hat hack in history,” the organisation said.

The appeal to the hacker’s vanity worked. He gave no indication he would take the money but, the next day, began transferring small amounts to a joint account. Like a police negotiator in a movie, Poly encouraged the hacker to continue: “You are moving things [in] the right direction.”


By Friday, Poly said almost all of the funds had been returned and it was preparing to take full control of the assets to hand back to their owners. As the hacker surrendered, the thief remained defiant; “Hacking for good, I did save the project”, he wrote via Ethereum.

For some the episode had represented an important lesson about the fallibilities of the system, especially protocols that look to connect blockchains such as Poly. “A blockchain can be extremely secure but only in its own world. The moment it needs to talk to something else outside the blockchain that potentially opens up problems,” said Kevin Werbach, an academic at the University of Pennsylvania’s Wharton business school.

Lawyers said it was unclear whether users whose funds were caught up in the caper would or even could launch a legal challenge. Poly’s website offers no terms governing its use, nor does it reference a legal entity.

DeFi systems use software programs called smart contracts to transfer cryptocurrencies, removing any human intermediary and complicating the task of assigning liability to any one party. Some developers have argued that the rules created by software programs constitute the “law” – a notion that many lawyers contest.

But it may be the hacker who has the biggest impact on how aggressively regulators look to supervise DeFi activity, said Charlie Steele, a former US government lawyer and now partner at Forensic Risk Alliance, a regulation consultancy. “I don’t think regulators would be too comfortable relying on Robin Hoods out there to police the system.” – Copyright The Financial Times Limited 2021