- The PlayDapp hacker refused to take $1 million as a bounty and opted to continue his exploitation
- PlayDapp now wants to migrate the project to another contract to mitigate further losses
- The project is working with exchanges and law enforcement agencies to track the hacker
South Korean web3 project PlayDapp’s hacker has rejected a $1 million white hat bounty and has instead launched another attack on the platform. In the additional attack, he minted more of the project’s token, PLA, bringing the total losses incurred to around $290 million. PlayDapp is now working to transfer the project to a new smart contract to avoid further losses, an action that may be exploited by scammers to mislead unsuspecting PlayDapp users.
Over 1.5 Billion Tokens Maliciously Minted
According to on-chain security firm PeckShield, the attacker gained access to the web3 platform by getting hold of a private key. The first exploit happened on Feb 9 when the hacker minted $31 million worth of PLA tokens.
Blockchain researchers noted that the hacker managed to add themselves as the project’s smart contract operator, giving them permission to mint new tokens.
🚨ALERT🚨Our system has detected a suspicious transactions with @playdapp_io
It seems that deployer’s address has been compromised and attacker’s address is added as a minter at https://t.co/NnsLtdl1TW
The attacker has minted 200M $PLA tokens, $31M, with initial funding from… pic.twitter.com/0btkEz2Hmx
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 9, 2024
In a Medium post, the project disclosed that “attempts to negotiate with the hacker were unsuccessful,” adding that it had suffered another attack from the same exploiter. In the second exploit, the hacker minted 1.5 billion PLA tokens worth roughly $254 million.
Apart from collaborating with on-chain sleuths, exchanges and the police, PlayDapp revealed that it’s investigating the hacker’s “intrusion methods, […] tracking the minted and swapped tokens” and is working on contract migration solutions, including the possibility of conducting an airdrop.
Eisenberg Wants to Keep the Entire Loot
PlayDapp’s predicament comes eight months after Poly Network’s hacker gained access to the project’s smart contract and issued $4 billion worth of new tokens. It also comes roughly a year after Mango Markets hacker Abraham Eisenberg said that he wants to keep the entire loot despite his identity being unearthed.
With PlayDapp’s hacker not interested in a bounty, it’s to be seen whether he’s capable of evading web3 investigators and the police.
