The @PolyNetwork2 hack is the story of an audacious heist (which the hacker might still get away with π).
But, it's also a story of how the world of identity and crypto are intrinsically linked – and will collide even more so as regulations change
A 𧡠from our CTO @ankurb…
The hacker behind #PolyNetwork appears to have got lucky far beyond what they expected and didn't have an exit plan.
Getting crypto amounts that large out into fiat is extremely hard, since everything is on ledger and most exit ramps take users through KYC.
(image h/t @trmlabs)
Contrast this with the example of something equally audacious in the world of legacy banking, when North Korea’s Lazarus Group almost got away with stealing $1bn from Bangladesh’s national bank (they got away with $81mn) πΈ
The $1bn Lazarus heist hackers almost got away because:
– Timed perfectly, on a weekend, so that bank teams at the Federal Reserve Bank (!) in New York and Bangladesh Bank couldn't talk
– Warning messages weren't passed on because the hackers tampered with the printer (really!)
Can you imagine a blockchain network that only logged/audited messages during business hours on a weekday? π
Over the hours and days the #PolyNetwork drama unfolded, firms like @chainalysis were able to track EXACTLY where funds were moving π΅οΈ
Given the open nature of blockchains, there was an analysis available within hours on how the hack took place from @kelvinfichter
This entire (separate) thread is worth a read) π
How does this tie back to digital identity?
Even outside the context of a crypto hack, the question "Who ACTUALLY controls this wallet/account?" crops up all the time.
There is a use case for anonymous payments in crypto – but also where the identity of receiver can be verified
To take an example, when @cheqd_io took funds in $USDC from partners, we had to get on a Zoom call to receive a small test transfer.
We screenshared to confirm to senders when the transfer went through that we had control of the wallet. Only then did we proceed with the rest.
Imagine if it was possible to verify the identity of both senders and recipients through completely secure and privacy-preserving means.
This is precisely the kind of interaction that #selfsovereignidentity enables for CeFi and DeFi (and so many more!) use cases πͺ
Our CEO @fraser_again described the idea of confirmation of payees for crypto transfers and how @cheqd_io‘s technology can play a role in CeDeFi in this blog post we collaborated on with @unizen_io π
"But what about sending crypto transfers only to human-readable wallet destinations, such as .eth addresses?", you ask π€
For starters, forget any shred of privacy for transfers in/out of well-known .eth address that are tied to your real identity π
Also, just because a .eth address was registered at SOME point in time and claimed by a "real" identity (say, by publishing it in Twitter display name) does NOT mean the wallet is still in control of the original owner at a later date.
SSI credentials provide an alternative π§
Self-sovereign identity credentials can also provide assurance the credential was *actually* issued to the individual presenting it to someone else.
This is artfully explained by @brent_zundel in this blog post π
The crypto industry needs a better way to handle digital identity.
And at the same time, digital identity – which will increasingly move towards a user-centric model – will need business models that crypto rails can enable. π€
It remains to be seen whether the remainder of the #PolyNetwork funds are recovered.
We hope it does for the sake of the community who are anxious about being made whole ππ½
And one day, perhaps, we'll be able to know the ending of this saga…
Originally tweeted by cheqd.io (@cheqd_io) on 13 August 2021.