In a strange turn of events, the hacker behind the theft of more than $600 million in cryptocurrency from cross-blockchain decentralized finance platform provider Poly Network has started to return some of the stolen funds.

The hacker, who goes by the name of “Etherhood,” started by returning small amounts of the stolen funds, initially $4.8 million in a mix of Ethereum, Binance Smart Chain and Polygon assets. Then it just got weird.

Just prior to returning the first tranche of stolen funds, Etherhood was found to have created a token called “The hacker is ready to surrender” and sent it to a designated Polygon address. Etherhood then partially followed up on his promise, returning a further $256 million in tokens from the haul.

According to The Block, the hacker has now sent back nearly all of the assets on the Binance Smart Chain — more than 1,000 tokens worth $46.4 million, along with 26,629 ETH worth $86 million and $119 million worth of the stablecoin BUSD.

If a hacker willfully returning funds is not strange enough, Etherhood also gave an interview. Etherhood said their main motivation for the hack was “for fun” and that they had gone after the Poly Network as “cross-chain hacking is hot.”

The hacker went on to explain that they did not decide to conduct the operation lightly but decided to go ahead to “keep the funds safe” as they believed that the team behind the product was not to be trusted.

NewsBTC reported today that Etherhood went on to deny being part of an inside job and that the attack served as a way to uncover the vulnerability on the system before real “insiders exploit it.” Bizarrely, the hacker then added, “I prefer to stay in the dark and save the world.”

The remaining funds have been promised to be returned by Etherhood. They have not been transferred at the time of writing, at least as publicly disclosed by Poly Network on its Twitter account.

The decision to return the funds may be an attempt to avoid criminal charges. Researchers at Slowmist and others have tracked down identifying information, including email, an IP address and a Chinese cryptocurrency exchange the hacker is said to have used.

Image: Poly Network