About 120,000 Wrapped Ether tokens were taken in the attack — and the project has pleaded with the hacker to return the funds, promising to pay them a $10 million bug bounty.
Wormhole says the vulnerability that caused the hack has been patched, with the network adding ETH to ensure that wETH continues to be backed on a one-to-one basis.
"This demonstrates once again that the security of DeFi services has not reached a level that is appropriate for the huge sums being stored within them. The transparency of the blockchain is allowing attackers to identify and exploit major bugs."
Figures from Elliptic suggest this is the fourth-largest crypto theft of all time — and the second biggest ever to be recorded in the DeFi space. The company also noted that potential victims have been attempting to message the hacker directly, with one writing:
"I lost $100,000 in your attack. I am a nurse. These are all my savings. I hope you can return it to me. Everyone will get sick. Think of the nurses who care for you when you are sick. I wish you always healthy and enjoy the happiness of the world. GOD BLESS YOU."
Details remain sketchy at this stage — including the hacker's intentions.
While some act out of malice and for financial gain, others are white-hat hackers who simply aim to highlight vulnerabilities — later returning the funds.
In an interview, the person responsible (nicknamed "Mr Whitehat") said on social media that they had always planned to give the crypto back, adding:
"I know it hurts people when they are attacked, but shouldn't they learn something from it? … I didn't want to cause panic in the crypto world. I took important tokens and didn't sell any of them."