After the theft of more than $54 million, KyberSwap faced an existential crisis

Judging from most of the previous crypto theft cases, the project team often chooses to negotiate with the hacker on-chain to recover or partially recover the stolen funds. The hackers who recently attacked the DEX aggregator KyberSwap did not follow the routine, not only took the initiative to leave a message to negotiate, but also proposed settlement conditions such as “obtaining full control and all the property of Kyber”. This also makes the outside world wonder if the theft is a self-directed and self-staged drama by the team, but KyberSwap has already faced a test of survival.

Less than 10% of the stolen funds have been recovered, or it is not the first time the crime has been committed

On November 23, some users disclosed that KyberSwap was suspected of being attacked, and there were abnormally large transfers on multiple chains, with a total loss of about $47 million. Among them, Ethereum lost $7.5 million on the mainnet, $315,000 on the Base chain, $15 million on the Optimism chain, $2 million on the Polygon chain, and $20 million on the Arbitrum chain.

Subsequently, Kyber Network acknowledged that a security incident had occurred, stating that the team was working hard to investigate the situation and regularly update the information and advise users to withdraw their funds immediately.

Shortly after Kyber Network’s announcement, the attacker address left a message on-chain to its developers, employees, DAO members, and liquidity providers, saying that “negotiations will begin after a well-rested period of a few hours.” In response, KyberSwap released negotiation information to hackers on the chain, saying that it already knew how hackers carried out the attack, and the hackers were limited to returning 90% of the stolen funds to the address at the beginning of 0x8180 before 14:00 Beijing time on November 25, otherwise they would continue to hunt down the hackers. Hackers can leave 10% of the stolen funds as a bounty.

At the same time, according to Kyber Network, a total of about $54.7 million of user funds were stolen this time, and only about $4.67 million of user funds have been recovered, less than 10% of the total loss.

However, the attacker did not accept KyberSwap’s negotiating conditions, saying a few days later that he had received (mostly) threats, deadlines, and general unfriendliness from the enforcement team, and promised to issue a statement on November 30 about a (potential) negotiated treaty, provided that no further hostile treatment would be accepted.

It is reported that the hack is one of the most sophisticated attacks in DeFi history, and the attackers need to perform a series of precise on-chain operations to exploit the vulnerability. However, this does not appear to be the first time that the attackers have committed crimes, as PeckShield monitored on November 23 and revealed that the Kyber Network attacker transferred 1,000 WETH ($2.06 million) on Arbitrum to an address that started with 0x84e6, which had interacted with the attacker’s address 705 days earlier on the passive yield protocol Indexed Finance, which lost $16 million to the attack.

Hackers want to seize power?Take the control of the company and all the assets as a settlement condition

On November 30, the KyberSwap attackers proposed a series of settlement conditions on-chain, including full enforcement control of Kyber Corporation, temporary full control of KyberDAO’s governance mechanisms to implement legislative changes, and a request to surrender all documents and information related to the company/protocol. In addition, Kyber is required to hand over all on-chain and off-chain assets.

The attackers promised a series of compensation measures to company executives, employees, token holders, and investors once the demands were met. These include buyouts that provide executives with fair valuations, doubling employee salaries, 12-month severance and comprehensive benefits for employees who don’t want to stay, and guaranteeing the value of investors’ tokens. The attackers stressed that the settlement would break down if their demands were not met by December 10 or if they were contacted by any agent of a sovereign state. And in this negotiation letter, the attacker also identified himself as a director of Kyber.

In other words, the attacker does not intend to return the stolen funds and wants to take control of the company and all of its assets, which is unprecedented in the hacking world. In order to obtain the transfer of shares, the attacker may need to notarize the transfer of identity information such as name and actual address, and his identity may be exposed.

Kyber Network co-founder and CEO Victor Tran also responded on social media to the attackers’ settlement conditions, saying, "No one cares about Kyber’s users as much as we do. You (users) deserve the best. A statement will be issued on the Kyber Network’s official Twitter account on December 1. As of this writing, Kyber Network has not provided an updated response.

The attacker’s move sparked heated discussions in the market, with some community members saying that the attacker’s seizure of power was nothing more than a rhetoric that they did not want to repay the stolen funds, while others believed that it might be an official “golden cicada shell” ploy, or a former employee.

Since Kyber does not have any insurance program, there will be no compensation after the theft, which means that if KyberSwap is unable to reach a settlement with the attackers, users will not be able to recover their assets. Even if KyberSwap agrees to the terms of the settlement, it will be difficult for the hacker-led protocol to regain the trust of users, making the project unsustainable.