Some cryptocurrency platforms that have seen millions of dollars disappear in digital heists have made an unusual pitch to their attackers: keep some, but give the rest back.
Pleas amount to ultimate pleas to convince the hackers to return most of the stolen funds. Victims have offered up to $10 million in these efforts and compared it to bug bounties paid to security researchers for discovering software flaws.
Similar to ransom payments, the deals can make business sense, allowing a business to return to normal after a cyberattack, security experts say. But calling them “bounties” has infuriated vulnerability specialists. For them, this practice legitimizes thieves by confusing them with hackers, who report software flaws for a fee. Ethical hackers deal directly with companies, including multinational corporations, such as
Microsoft Corp.
or go through third-party platforms.
“It dilutes all the work that people have put in to do the right thing,” said Casey Ellis, founder and CTO of bug-bounty platform Bugcrowd Inc. “I have to get away from the keyboard of once in a while when it comes upstairs.”
Casey Ellis, Founder and CTO of Bugcrowd.
Photo:
Sean Proctor/Bloomberg News
Hackers have plundered digital currency projects over the past year, with North Korea-linked groups stealing over $1 billionlargely from decentralized financial platforms, according to crypto research firm Chainalysis Inc. The multi-million dollar heists have continued even as cryptocurrencies have entered a vortex.
This month, DeFi trading platform Crema Finance exposed the theft of around $8.8 million worth of crypto, and its developers quickly teamed up with third-party sleuths to trace the stolen funds through blockchains or cryptocurrencies. digital public registers.
A few days later, Crema tweeted that she had made contact with her attacker.
After “a long negotiation,” Crema said, the hacker agreed to keep the equivalent of nearly $1.7 million as “the white hat bounty.”
Social media followers applauded Crema for making the best of a bad situation. Crema’s own reaction was muted. “From our perspective, we don’t believe the end result is perfect,” the company said in a statement.
The company didn’t respond to a request for comment on how it vetted the forward before closing the deal, and it declined to make the developers available for an interview.
“We are concerned that discussing the trading process in too much detail will actually provide more help to hackers than to the DeFi community,” Crema said.
Other such offers by other DeFi platforms seem to have failed. In January, lending platform Qubit Finance published a
message offering $2 million as a “well-deserved bounty” in exchange for hackers returning the balance of an $80 million theft.
People with access to an Ethereum address associated with the Qubit exploit have moved millions of stolen funds into blockchain-based mixing software known as Tornado Cash, which is often used for money laundering. Stolen Ether valued at nearly $35 million stay at this address.
The Tornado Cash website on a laptop and smartphone.
Photo:
News by Luke MacGregor/Bloomberg
The hackers behind an April theft of around $80 million from Rari Capital, a DeFi lending platform, temporarily stopped sending stolen funds into Tornado Cash after the platform’s developers -form tweeted that they would lose $10 million, “no questions asked,” in exchange for the rest of the money.
“I was hopeful that he was considering whether or not to send the money back and get the bounty,” Rari co-founder Jack Lipstone said. But the striker eventually started funneling the money back to Tornado Cash in an apparent attempt to obscure its source.
“It’s like the worst feeling ever,” Mr Lipstone added.
Last month, as the DeFi Harmony crypto project responded to $100 million heisthe tweeted that he would offer a $1 million “bounty” to the hackers in exchange for the rest of the funds.
“Harmony will plead for no criminal charges when the funds are returned,” he said. The company then increased its offer to $10 million.
Blockchain analysis experts suspect Hackers linked to North Korea stole the funds, and also funneled crypto into Tornado Cash. Harmony declined to comment.
“The criminal is capable of stealing money and is happy to accept a much smaller amount of clean money so he can get away with it unscathed.”
Alex Rice, co-founder and chief technology officer of bug bounty platform HackerOne, said cyber incidents on these largely unregulated new systems can range from accidental exploits to criminal heists. If in the latter category, post-mining payments are like “a form of money laundering, almost,” he said.
“The criminal is capable of stealing money and is happy to accept a much smaller amount of clean money so he can get away with it,” Rice said.
US officials, who have stepped up efforts to track down stolen crypto and sanction hacking groups, are discouraging companies from paying hackers after ransomware attacks. The Treasury Department did not respond to requests for comment, and the Justice Department declined to comment on the most nascent form of post-exploit payments.
Amid the wave of high profile hacks, some crypto platforms have started offering traditional bug bounties as a preemptive way. In June, an infrastructure platform known as
paid $6 million to a white hat hacker for spotting a vulnerability.
Rice said HackerOne has crypto-based businesses as customers, but it wouldn’t work with DeFi platforms with non-traditional operating structures. Many are not registered as real businesses and are governed by people who hold tokens and can vote on how the projects are run.
“It’s unclear who you’re actually contracting with, who’s legally responsible if some type of crime is committed or if a bill has to be paid,” said Rice, whose firm’s clients include
Starbucks Corp.
and
General Motors Co.
But most DeFi crypto platforms haven’t attempted to launch bug bounty programs, he said.
“It’s not widespread,” Mr. Rice added. “We operate in the modern business world, which means we need appropriate business entities to engage in business relationships with.”
Write to David Uberti at david.uberti@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8