
A cryptocurrency platform that was hacked and had hundreds of millions of dollars stolen from it has now offered the thief a “reward” of $500,000 after the criminal returned almost all of the money.
A few days ago a hacker exploited a vulnerability in the blockchain technology of decentralized finance (DeFi) platform Poly Network, pilfering a whopping $611 million in various tokens—the crypto equivalent of a gargantuan bank robbery. It is thought to be the largest robbery of its kind in DeFi history.
The company subsequently posted an absurd open letter to the thief that began “Dear Hacker” and proceeded to beg for its money back while also insinuating that the criminal would ultimately be caught by police.
Amazingly, this tactic seemed to work—and the hacker (or hackers) began returning the crypto. As of Friday, almost the entirety of the massive haul had been returned to blockchain accounts controlled by the company, though a sizable $33 million in Tether coin still remains frozen in an account solely controlled by the thief.
After this, Poly weirdly started calling the hacker “Mr. White Hat”—essentially dubbing them a virtuous penetration tester rather than a disruptive criminal. Even more strange, on Friday Poly Network confirmed to Reuters that it had offered $500,000 to the cybercriminal, dubbing it a “bug bounty.”
Bug bounties are programs wherein a company will pay cyber-pros to find holes in its IT defenses. However, such programs are typically commissioned by companies and addressed by well-known infosec professionals, not conducted unprompted and ad-hoc by rogue, anonymous hackers. Similarly, I’ve never heard of a penetration tester stealing hundreds of millions of dollars from a company as part of their test.
Nonetheless, Poly Network apparently told the hacker: “Since, we (Poly Network) believe your action is white hat behavior, we plan to offer you a $500,000 bug bounty after you complete the refund fully. Also we assure you that you will not be accountable for this incident.” We reached out to the company to try to independently confirm these reports.
The hacker reportedly refused to take the crypto platform up on its offer, opting instead to post, from one of the crypto wallets used to return funds, a series of public messages that purport to explain why the heist took place. The self-interviews, dubbed “Q & A sessions,” were shared over social media by Tom Robinson, co-founder of crypto-tracking firm Elliptic. In one of them, the hacker explains:
Q: WHY HACKING?
A: FOR FUN :)
Q: WHY POLY NETWORK?
A: CROSS CHAIN HACKING IS HOT
Q: WHY TRANSFERRING TOKENS
A: TO KEEP IT SAFE.
In another post, the hacker purportedly proclaimed, “I’m not interested in money!” and said, “I would like to give them tips on how to secure their networks, so that they can be eligible to manage the billion project in the future.”
So, yeah, what do we think here, folks? Is the hacker:
- A) a good samaritan who stole the better part of a billion dollars to teach a crypto company a lesson?
- B) a spineless weasel who realized they were in tremendous levels of shit and decided to engineer a way out of their criminal deed?
The answer is unclear at the moment, but gee, does it make for quality entertainment. Tune in next week for a new episode of Misadventures in De-Fi Cybersecurity. Thrilling stuff, no?
DISCUSSION
“Thefts” have happened in the past to make a point, but it’s also immediately returned or done so it looks like a theft happened but it, technically, didn’t.
On this order? Hard to say. Declassified documents across the world have shown similar situations with a lot of money/assets being played with to make a point when warnings go unheeded.
That said, you don’t get brownie points for returning what you stole. Truly ethical hackers just go scorched earth publicly about the vulnerability if they’re ignored. From announcement to eventual explicit details so anyone can then do it.
You’d be surprised how many people and parts of government LOVE willful ignorance. This person doubled back; what that makes them I truly don’t care, it’s immaterial versus the company that had the vulnerability in the first place.
This wasn’t exactly highest level hacking. The company is an asshole no matter what and they seemed to have another one ripped open for them after this.