The suspected hacker, who claims to have initiated the attack “for fun :),” took hundreds of millions in digital assets after discovering a bug in Poly Network’s system as a way to “keep it safe” from more malicious actors.
Hackers Steal, Then Promise To Return $611M
Around $611 million worth of digital assets were stolen in a cyberattack this week in what appeared to be one of the largest cryptocurrency thefts ever. Now, a person claiming responsibility for the hack has returned nearly all of the money and even refused a $500,000 reward from their victim.
The situation largely began Tuesday morning when the blockchain provider Poly Network publicly announced the theft and said it sought to establish a line of communication with the hacker or hackers involved. In its statement, the company also urged the culprit(s) to return the hacked assets to thousands of victims on its platform.
On Wednesday, in what became the first of several strange turn of events, the hacker(s) told Poly that they were “ready to return” the assets. Several hours later, Poly reported that it had recovered an initial $4.8 million.
So far, we have received a total value of $4,772,297.675 assets returned by the hacker.— Poly Network (@PolyNetwork2) August 11, 2021
ETH address: $2,654,946.051
BSC address: $1,107,870.815
Polygon address: $1,009,480.809 pic.twitter.com/bPFAQk4mvS
At first, it was unknown why the hacker(s) had started to send the money they stole back to Poly.
Tom Robinson, a chief scientist of the blockchain analytics firm Elliptic, told CNBC, “I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics.”
“In this case the hacker concluded that the safest option was just to return the stolen assets.”
Others have theorized that the hacker(s) grew afraid of being exposed and prosecuted after researchers found potentially identifying information, including an email and IP address.
Suspected Hacker Says It Was All “For Fun”
Later Wednesday, a person claiming to be behind the attack instead offered a different explanation, saying it was all just “for fun :).”
“Cross chain hacking is hot,” they said.
According to that person, after spotting a bug in Poly’s systems, they took the money to protect it from bad actors who might also find the bug and run off with the money for good.
“I had a mixed feeling,” the reported hacker said. “Ask yourself what to do had you fac[ed] so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion!”
“I can trust nobody! The only solution I can come up with is saving it in a _trusted_ account while keeping myself _anonymous_ and _safe_.”
Hacker Reportedly Turns Down $500,000 Reward
As of Friday morning, Poly said all but $33 million in frozen Tether, a “stablecoin” with a value attached to the U.S. dollar, had been recovered.
However, another $238 million remains locked behind an account that requires passwords from not only Poly Network but also from the hacker.
“It’s likely that keys held by both Poly Network and the hacker would be required to move the funds — so the hacker could still make these funds inaccessible if they chose to,” Robinson said in a blog post-Friday.
That said, the suspected hacker has promised to provide the final key “when _everyone_ is ready.”
In another message, the reported hacker said Poly Network has offered them immunity and even claimed to have turned down a $500,000 “bug bounty” from Poly for returning the money and “helping us improve [our] security.”
Tech organizations tend to offer bug bounties to those who report security vulnerabilities to them. As such, Poly actually ended up thanking the hacker and has begun referring to them as a “white hat,” a term meant to denote ethical hackers who expose system flaws.
“After communicating with Mr. White Hat, we have also come to a more complete understanding regarding how the situation unfolded as well as Mr. White Hat’s original intention,” Poly said in a statement to Reuters.
However weirdly this story may have played out, it nonetheless highlights the inherent risks of decentralized finance platforms and the lack of safeguards they employ compared to traditional banks and exchanges.
Mental Health Startup Cerebral May Have Harmed Hundreds of Patients, Leaked Documents Reveal
The company is being investigated by multiple federal agencies for its questionable practices, which have come under increasing scrutiny in recent weeks.
Over 2,000 Incident Reports Shed Light on Recklessness
A Silicon Valley mental health startup called Cerebral may have harmed hundreds of patients by flagrantly disregarding medical standards, according to a cache of documents reviewed by Insider, as well as over 30 interviews with current or former employees by the outlet.
Founded in 2020, Cerebral provides mental health treatment to customers through talk therapy and medication for conditions such as depression, anxiety, insomnia, and ADHD.
With people quarantined during the pandemic, it became one of the largest virtual therapy firms in the United States, attracting some $462 million from investors.
Cerebral employees filed at least 2,060 incident reports during seven months in 2021, according to Insider. They show that the company enrolled patients with complex conditions like bipolar disorder, then assigned them to clinicians and other staff members with insufficient training, oversight, and support to treat such cases.
It also put dozens of patients on questionable treatment plans and misdiagnosed many others, the reports say, with company medical providers prescribing potentially lethal combinations of drugs or addictive drugs to patients with histories of addiction.
Additionally, many patients were left stranded without care for extended periods due to technology issues or the company’s failure to retain clinicians.
As a result, Cerebral shuffled patients from one provider to the next and even bungled their prescriptions, sometimes leading them to suffer drug withdrawal or take the wrong medication.
Patients Tell Their Stories
One patient reportedly spent two weeks waiting for a referral to a clinician, later saying she spent eight days in a psychiatric ward.
Another patient told CBS News she was prescribed a drug for her anxiety but afterward could not reach her prescriber for instructions on how to switch to the new medication safely.
“Any time I needed help, she was never available,” she said.
After she did not get a response for six days, she began taking the drug anyway, which caused her to break out in a rash.
“I messaged back,” she said, “letting them know it was spreading and getting worse, and they said that they were still trying to get a hold of that prescriber… They make it seem like they want to help, and then they get you, and then they’re gone.”
A Cerebral spokesperson told Insider that the reports did not highlight enough patients to accurately reflect the company.
“Any incident reports you obtained show Cerebral’s dedication to quality,” the spokesperson said. “You can’t take a relatively small group of incident reports and draw conclusions about our care.”
Two former senior employees told the outlet those reports were monitored by just a couple of people who had other responsibilities at the company, adding that leadership frequently pushed off solving the systemic issues flagged.
Cerebral’s practices are currently being investigated by the Drug Enforcement Administration, the Department of Justice and the Federal Trade Commission.
See what others are saying: (Business Insider) (CBS News) (Fierce Healthcare)
Instagram Testing New Tools To Verify Users Are Over 18
The new tools include AI software that analyzes video footage of a person’s face to verify their age.
Instagram Cracks Down on Underage Users
Instagram is testing new features in the United States to verify the age of users who claim to be over 18 years old.
According to a statement from Instagram’s parent company, Meta, the tools will only apply to users who seek to change their age from under 18 to over 18. The platform previously asked for users to upload their ID for verification in this process, but on Thursday, it announced there will be two new methods for confirming age.
One of the strategies was referred to as “social vouching.” Using this option, people can request that three mutual Instagram followers over the age of 18 confirm their age on the platform.
The other method allows users to upload a video selfie of themselves to be analyzed by Yoti, third-party age verification software. Yoti then estimates a person’s age based on their facial features, sends that estimate to Meta, and both companies delete the recording.
According to Meta, Yoti cannot recognize or identify a face based on the recording and only looks at the pixels to determine an age. Meta said that Yoti “is the leading age verification provider for several industries around the world,” as it has been used and promoted by social media companies and governmental organizations.
Still, some question how effective it will be for this specific use. According to The Verge, while the software does have a high accuracy rate among certain age groups and demographics, data also shows it is less precise for female faces and faces with darker skin tones.
Issues With Kids on Instagram
Meta argues that it is important for Instagram to be able to discern who is and is not 18, as it impacts what version of the app users have access to.
“We’re testing this so we can make sure teens and adults are in the right experience for their age group,” the company’s statement said.
“When we know if someone is a teen (13-17), we provide them with age-appropriate experiences like defaulting them into private accounts, preventing unwanted contact from adults they don’t know and limiting the options advertisers have to reach them with ads,” it continued.
These changes come as Instagram has been facing increased pressure to address the way its app impacts younger users.
Only children 13 and older are allowed to have Instagram accounts, but the service has faced criticism for not doing enough to enforce this. A 2021 survey of high school students found that nearly half of the respondents had created a social media account of some kind before they were 13.
The company also recently came under fire after The Wall Street Journal published internal Meta documents revealing that the company knew that it harmed teens, including by worsening body image issues for young girls and women.
See what others are saying: (The Verge) (The Wall Street Journal) (Axios)
Elon Musk Threatens to Fire Employees Unless They Work in Person Full-Time
The world’s richest man in the world previously suggested that the popularity of remote work has “tricked people into thinking that you don’t actually need to work hard.”
“If You Don’t Show up, We Will Assume You Have Resigned”
On Wednesday, Electrek published two leaked emails apparently sent from Elon Musk to Tesla’s executive staff threatening to fire them if they don’t return to work in person.
“Anyone who wishes to do remote work must be in the office for a minimum (and I mean *minimum*) of 40 hours per week or depart Tesla,” he wrote. “This is less than we ask of factory workers.”
“If there are particularly exceptional contributors for whom this is impossible, I will review and approve those exceptions directly,” he continued.
Musk then clarified that the “office” must be a main office, not a “remote branch office unrelated to the job duties.”
“There are of course companies that don’t require this, but when was the last time they shipped a great new product? It’s been a while,” he wrote in the second email.
Later on Wednesday, a Twitter user asked Musk to comment on the idea that coming into work is an antiquated concept.
He replied, “They should pretend to work somewhere else.”
The Billionaire Pushes People to Work Harder
Musk has a history of pressuring his employees and criticizing them for not working hard enough.
“All the Covid stay-at-home stuff has tricked people into thinking that you don’t actually need to work hard. Rude awakening inbound,” he tweeted last month.
Three economists told Insider that remote work during the pandemic did not damage productivity.
“Most of the evidence shows that productivity has increased while people stayed at home,” Natacha Postel-Vinay, an economic and financial historian at the London School of Economics, told the outlet.
Musk is notorious for criticizing lockdown mandates and went so far as to call them “fascist” during a Tesla earnings call in April 2020.
Not long before that, Tesla announced that it would keep its Fremont, California plant open in defiance of shelter-in-place orders across the state.
In an interview with The Financial Times last month, Musk blasted American workers for trying to stay home, comparing them to their Chinese counterparts whom he said work harder.
“They won’t just be burning the midnight oil. They will be burning the 3 a.m. oil,” he said. “They won’t even leave the factory type of thing, whereas in America people are trying to avoid going to work at all.”
That same day, Fortune published an article detailing how Tesla workers in Shanghai work 12-hour shifts, six days out of the week, sometimes sleeping on the factory floor.