DeFi platform Platypus says nearly $9 million in crypto stolen in flash loan attack

Decentralized finance (DeFi) platform Platypus said Thursday night that about $8.5 million in cryptocurrency was stolen by a hacker that the company is now in communication with.

Platypus wrote on Twitter that the hacker used a flash loan attack — a maneuver involving a fast, uncollateralized loan that artificially raises the price of a digital coin before the hacker dumps it at a profit.

On Friday afternoon, the company said it had worked with blockchain security firm BlockSec to recover $2.4 million worth of USDC, a cryptocurrency pegged to the U.S. dollar. It was not clear from the post how they had obtained the funds.

Platypus said in Thursday's statement that it had contacted the hacker to negotiate a bounty in exchange for the return of the funds. Only 35% of Platypus' user deposits are covered by other holdings, the platform said.

“We are currently working with several parties, including Binance, Tether, and Circle, to freeze the funds of the hacker and prevent further losses. Right now, the USDT has been frozen. We are also exploring options for compensation and reimbursement for affected investors,” they wrote.

DeFi operations tout their freedom from centralized authorities and independence from the mainstream financial industry, but those features can also make it much tougher for users to recover funds after a disruption.

Blockchain security researcher ZachXBT was allegedly able to trace the stolen funds back to a Twitter account that was immediately deleted when contacted. The researcher, who is working with Platypus, said they would “like to negotiate returning of the funds before we engage with law enforcement.”

The researcher explained that the transaction history of the accounts associated with the attack on Platypus could be traced back to an account on OpenSea, a platform facilitating the sale of NFTs, that was linked to the Twitter account.

The account also liked a Tweet about the Platypus hack before it was deleted. 

Blockchain security firm CertiK told The Record that the attack took place on Thursday and involved a complicated series of transactions that ended up draining Platypus of nearly $9 million.

Flash loan attacks have become one of the most popular ways hackers target DeFi platforms. Last year, scammers took $9 million from Crema Finance and stole $11.2 million worth of Binance Coin from DeFi platform Elephant Money.

Cream Finance — not to be confused with Crema Finance — was hit with three different flash loan attacks in 2021, costing the DeFi platform $130 million in October, $37 million in February and another $29 million in August. Two weeks ago, blockchain research company Chainalysis said more than $3.1 billion was stolen from DeFi platforms last year.

Some of the hackers behind these flash loan attacks have argued that they are not illegal because they simply take advantage of security lapses in the platform code.

The hacker Avraham Eisenberg publicly touted his $110 million hack of Mango Markets last year. But federal authorities disagreed with his assessment, arresting him last December and charging him with commodities fraud and commodities manipulation on the premise that he was effectively robbing other investors of their assets.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.