Some cryptocurrency platforms that have watched millions of dollars vanish in digital heists have made an unusual pitch to their attackers: Keep some of it, but give back the rest.
The pleas amount to last-ditch entreaties to convince hackers to return most of the stolen funds. Victims have offered as much as $10 million in these efforts, and have likened them to the bug bounties paid to security researchers for uncovering software flaws.
Similar to ransom payments, the deals may make business sense, allowing a company to get back to normal after a cyberattack, security experts say. But branding them as “bug bounties” has incensed vulnerability specialists. To them, the practice legitimizes thieves by conflating them with white-hat hackers, who report software flaws for a fee. Ethical hackers deal directly with companies, including to multinationals, such as
, or go through third-party platforms.
“That dilutes all of the work that people have done to do the right thing,” said
founder and chief technology officer of bug-bounty platform Bugcrowd Inc. “I have to step back from the keyboard now and then when it comes up.”
Hackers have plundered digital-currency projects over the past year, with North Korean-linked groups stealing more than $1 billion, largely from decentralized financial platforms, according to crypto-research firm Chainalysis Inc. The multimillion-dollar heists have continued, even as cryptocurrencies have gone into a vortex.
This month, DeFi trading platform Crema Finance disclosed a theft of roughly $8.8 million of crypto, and its developers quickly teamed up with third-party sleuths to trace the stolen funds across blockchains, or digital public ledgers.
Days later, Crema tweeted that it had established contact with its attacker.
After “a long negotiation,” Crema said, the hacker agreed to keep the equivalent of nearly $1.7 million as “ the white-hat bounty.”
Social-media followers applauded Crema for making the best of a bad situation. Crema’s own reaction was muted. “From our perspective, we actually don’t think that the final outcome is perfect,” the company said in a statement.
The firm didn’t respond to a request for comment on how it vetted the attacker before making the deal, and it declined to make developers available for an interview.
“We are afraid that a discussion on the negotiation process with too many details actually provides more help for hackers than for the DeFi community,” Crema said.
Other such offers by other DeFi platforms appear to have failed. In January, lending platform Qubit Finance posted a
message offering $2 million as a “well-earned bounty” in exchange for hackers returning the balance of an $80 million theft.
People with access to an Ethereum address associated with the Qubit exploit transferred millions in stolen funds into a blockchain-based mixing software, known as Tornado Cash, that is often used for money-laundering. Stolen Ether valued at nearly $35 million remains at that address.
Hackers behind an April theft of roughly $80 million from Rari Capital, a DeFi lending platform, temporarily stopped sending stolen funds into Tornado Cash after developers with the platform tweeted that they would forfeit $10 million, “no questions asked,” in exchange for the rest of the money.
“I was hopeful that he was contemplating whether or not he would send the money back and get the bounty,” said Jack Lipstone, a Rari co-founder. But the attacker eventually resumed funneling the money into Tornado Cash in an apparent bid to obscure its source.
“It’s like the worst feeling ever,” Mr. Lipstone added.
Last month, as DeFi crypto project Harmony responded to a heist of about $100 million, it tweeted that it would offer a $1 million “bounty” to hackers in exchange for the rest of the funds.
“Harmony will advocate for no criminal charges when funds are returned,” it said. The company later bumped its offer to $10 million.
Blockchain analytics experts suspect North Korean-linked hackers stole the funds, and also funneled the crypto into Tornado Cash. Harmony declined to comment.
“The criminal is able to steal money and is happy to accept a much smaller amount of clean money in order to be able to walk away scot-free.”
co-founder and chief technology officer for bug-bounty platform HackerOne, said cyber incidents on such new and largely unregulated systems can range from accidental exploits to criminal heists. If in the latter category, post-exploit payments are like “a form of money-laundering, almost,” he said.
“The criminal is able to steal money and is happy to accept a much smaller amount of clean money in order to be able to walk away scot-free,” Mr. Rice said.
U.S. officials, who have expanded their efforts to trace stolen crypto and to sanction hacking groups, discourage companies from paying hackers after ransomware attacks. The Treasury Department didn’t respond to requests for comment and the Justice Department declined to comment on the more nascent form of post-exploit payouts.
Amid the spate of high-profile hacks, some crypto platforms have begun offering traditional bug bounties preemptively. In June, an infrastructure platform known as
paid $6 million to a white-hat hacker for spotting a vulnerability.
Mr. Rice said HackerOne does have crypto-based companies as customers, but it won’t work with DeFi platforms with non-traditional operating structures. Many aren’t registered as actual businesses and are governed by people who hold tokens and get to vote on how projects are managed.
“It’s not clear who you’re actually entering into a contract with, who’s legally responsible if some type of crime is committed, or an invoice needs to get paid,” said Mr. Rice, whose firm’s customers include
General Motors Co.
But most DeFi crypto platforms haven’t reached out about starting bug-bounty programs, he said.
“It’s not widespread,” Mr. Rice added. “We operate in the in the modern business world, which means we need proper business entities to enter into business relationships with.”
Write to David Uberti at email@example.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8