
Poly Network attacker responds again: I am proud of my integrity (full text of five Q&As attached)

Summary: "Enhancing people's concerns about safety is also the mission of our career."
ChainCatcher Selection
2021-08-13 09:40:38

Organizer: Hu Tao

In the early hours of today, the Poly Network attacker once again sent messages over the Ethereum network, answering some topics of interest in the color lake area in a Q&A format. The messages repeatedly mentioned potential identity clues, such as not being a native English speaker and having a background in the hacking industry, while also stating that raising people's concerns about security is a mission of their career.
Additionally, in a separate message on a different chain, the hacker indicated they were considering using a limited bounty as a source for a compensation fund for unintended victims, and if anyone was willing to help, they could send money to the donation address. "I feel sorry for any innocent person affected by my wild adventure," the hacker stated.
Below are the full transcripts of the five Q&As, compiled by ChainCatcher from Etherscan's on-chain records:

Q&A Part Five:
Q1: Why AMA? Your confession?
A1: It's more like a diary. Some things I'm proud of.
Q2: Why all the money?
A2: As I said, I don't care about money.
Q3: Not good at English?
A3: Not a native English speaker. (Identity clue 1) I just expressed my true feelings without embellishment. It's not easy to type while holding down the "Shift" key.
Q4: Black hat or white hat?
A4: I also like to feel superior by judging others, but that's never an easy thing. Not only legal good things can be white hats. So-called black hats can also be good people. People are variable. Have you heard of gray areas?
Q5: Shouldn't white hats notify developers directly?
A5: Please read P1Q1234. DeFi is a dark forest, and hundreds of projects flee every year. I don't trust anyone.
Q6: Why hide at the beginning?
A6: Even if you're a legitimate good person, you can be in danger for any reason. Security personnel do care about security issues.
Q7: Why explain so much?
A7: Read P4Q2. The guidance part means a lot to me. I want to share how I overcame arrogance and greed with my thoughts. I believe the mental challenge is no easier than the hacking part.
Honestly, I was so excited when the attack was successful that I almost forgot my original plan because there were too many speculations, which was unexpected (see P2Q1). The first message (see P3Q1) sparked my interest in doing something creative. I spent some time looking for interesting but reasonable ideas from my message list.
I (still) have confidence in my hiding, so I thought as long as I didn't cause unbearable losses, I could handle this game. Later, because of those refugees, I began to calm down. Yes, I realized that even temporarily taking over this money is an unforgivable joke that causes too much suffering.
Regarding the "billion shitcoins" joke, I mean the title of this incident could be more eye-catching, but the outcome would be the same: I wouldn't abandon the shitcoins. As a result, it turned out to be a bad joke. Regarding the "DAO" joke, I was asking the community how and when to refund. This is an irresponsible joke.
I am not afraid of the trouble of exposure or money laundering (read my beginner's course). I just realized I should be cautious because my decisions will change many people's lives! If I left the tokens there and exited the game, I could enjoy the life of a millionaire and continue my explorations as usual, but thousands of people would lose control of their own destinies. This goes against my personal philosophy (see P4Q2).
Soon, I emailed POLY, attaching a signed ETH transaction from an anonymous mailbox. If they received the email, they could broadcast a transaction from my address. That wasn't a wise move because I couldn't broadcast any new messages before them. That email must have been lost; I didn't receive a reply from ETH, but due to that mistake, I waited for several hours.
The next part of the story is what you already know. I stopped my game and returned the money as I promised.
Q8: You didn't expose yourself, but they have clues, so you are scared!
A8: I am more confident than anyone else.
I am a prominent hacker in the real world (Identity clue 2). I work in the security industry and have been dedicated to hacking since I was young (Identity clue 3). Seriously, as security researchers, our job is to save the hidden world.
I know that security consulting is a daunting task, and public relations and reputation are significant. I don't mind security teams advertising based on my incident, especially when it helps them. Raising people's concerns about security is also a mission of our careers.
If any hacker can find my social identity within a month, I am willing to give them my private gift. Otherwise, I may or may not leak another clue about my identity. Shall we play this game?
Even if my identity is confirmed, I still take pride in my integrity :)
Q&A Part Four:
Q1: Why CEX? Newbie
A1: Whatever :)
The key challenge of this attack is calling some contracts from the ontology network (my favorite part). You have to get some "GAS" for the ontology network, called "ONG."
However, it is not a tradable token in DeFi. I could only find it on some Chinese (?) CEXs. If you have to go through CEX, why bother trading on DEX? Why do you think I would leave traces on CEX?
Q2: Why refund? Coward
A2: Whatever :)
When you judge others, you are not defining them; you are defining yourself.
I have grown fond of the things I care about most: hacking and guiding.
Few hackers can understand the situation of DeFi security. Yes, you will see many hackers, but as a real hacker, most of them are not pleasant. Some silly code can lead to huge losses, but that is not challenging. It's like fighting with a teenager.
I admit the Poly attack is not as fancy as you might imagine, but I did experience something new from this project. I want to say that finding the blind spots in the Poly Network architecture will be one of the best moments of my life.
As the crypto world evolves, I have enough money. I have been exploring the meaning of life for a while. I hope my life can consist of unique adventures, so I love learning and cracking everything to fight against fate. Saint Tao.
Honestly, I do have some selfish motives to do something cool but harmless with the huge funds, like the idea of DAO. Then I realized that being a moral leader would be the coolest hack I could achieve! Cheers
Q&A Part Three:
Q1: Why give 13.37 ETH as a tip?
A1: I felt the warmth of the Ethereum community.
I was busy investigating issues with HECO and debugging my script. I thought it was a network issue, which is why I couldn't deposit (I was behind a complex proxy). So I shared my goodwill with that guy.
Q2: Why ask about TORNADO and DAO?
A2: Having witnessed so many hacks, I know putting funds into TORNADO is a wise but desperate decision. It goes against my original intention. After encountering so many beggars, becoming a crowdsourced hacker is just my joke :)
Q3: Why refund?
A3: This has always been the plan! I'm not very interested in money! I know people suffer when attacked, but shouldn't they learn something from these hackers? I announced the decision to refund before midnight, so those who believe in me should rest well ;)
Q4: Why is the refund so slow?
A4: I really needed time to talk with the POLY team. Sorry, this is the only way I know to prove my dignity while hiding my identity. I needed to take a break.
Q5: Poly Network team?
A5: I have started brief conversations with them, and the logs are on Ethereum. I may or may not publish them. The pain they suffered is temporary but unforgettable.
Q&A Part Two:
Q1: What happened 30 hours ago?
A1: It's a long story.
Believe it or not, I was forced to play this game.
Poly Network is a complex system, and I couldn't manage to establish a local testing environment. I failed to create a POC at first. However, just before I gave up, the AHA moment came. After debugging all night, I created a SINGLE message for the ontology network.
I planned to launch a cool blitz to take over four networks: ETH, BSC, POLYGON, and HECO. However, the HECO network malfunctioned! The behavior of the relayer was different from other relayers, and the administrator directly relayed my exploit, and the keys were updated with some wrong parameters. It ruined my plan.
I should have stopped at that moment, but I decided to keep the show going! What if they secretly patched the vulnerability without any notice?
However, I didn't want to cause real panic in the crypto world. So I chose to ignore the junk coins, so people wouldn't have to worry about them going to zero. I took the important tokens (except SHIB) and didn't sell any tokens.
Q2: Then why sell/convert those tokens?
A2: The initial response from the POLY team made me angry.
Before I had a chance to respond, they urged others to blame and hate me! I certainly knew there were fake DEFI tokens, but I didn't take it seriously because I had no plans for money laundering.
Meanwhile, depositing into Curve could earn some interest to cover potential costs, giving me more time to negotiate with the Poly team.
Q&A Part One:
Q1: Why attack?
A1: For fun :)
Q2: Why choose Poly Network?
A2: Cross-chain attacks are popular.
Q3: Why transfer tokens?
A3: For security.
When discovering the error, I had a complex feeling. Asking myself what to do when faced with so much wealth. Politely asking the project team to solve the problem? Anyone could be a traitor! I couldn't trust anyone! The only solution I could think of was to keep it in a trusted account while keeping myself anonymous and safe.
Now everyone smells the scent of conspiracy. An insider? Not me, but who knows? I have a responsibility to expose the vulnerability before any insiders hide and exploit it!
Q4: Why so complicated?
A4: Poly Network is a nice system. This is one of the most challenging attacks hackers can enjoy. I had to quickly defeat any insiders or hackers, and I took it as a rewarding challenge :)
Q5: Did you expose yourself?
A5: No. Absolutely not. I understand that even if I don't do evil, there is a risk of exposing myself. So I used temporary emails, IPs, or so-called fingerprints that are untraceable. I prefer to stay in the dark and save the world.
