Crypto Firms Make an Offer to Thieving Hackers: Keep Some, Return the Rest
Some cryptocurrency platforms that have seen millions of dollars disappear in digital heists have made an unusual pitch to their attackers: keep some, but give the rest back.
The offers amount to last-ditch pleas to convince the hackers to return most of the stolen funds. Victims have offered up to $10 million in these efforts and compared the payments to bug bounties paid to security researchers for discovering software flaws.
Similar to ransom payments, the deals can make business sense, allowing a business to return to normal after a cyberattack, security experts say. But calling them “bounties” has infuriated vulnerability specialists. For them, the practice legitimizes thieves by confusing them with ethical hackers, who report software flaws for a fee. Ethical hackers deal directly with companies, including multinationals such as Microsoft Corp., or go through third-party platforms.
“It dilutes all the work that people have put in to do the right thing,” said Casey Ellis, founder and CTO of bug-bounty platform Bugcrowd Inc. “I have to get away from the keyboard once in a while when it comes upstairs.”
Hackers have plundered digital currency projects over the past year, with North Korea-linked groups stealing more than $1 billion, much of it from decentralized financial platforms, according to security firm Chainalysis Inc.
This month, DeFi trading platform Crema Finance disclosed the theft of around $8.8 million worth of crypto, and its developers quickly teamed up with third-party sleuths to trace the stolen funds through blockchains, the digital public registers of cryptocurrencies.
A few days later, Crema tweeted that it had made contact with its attacker.
After “a long negotiation,” Crema said, the hacker agreed to keep the equivalent of nearly $1.7 million as “the white hat bounty.”
Social media followers applauded Crema for making the best of a bad situation. Crema’s own reaction was muted. “From our perspective, we don’t believe the end result is perfect,” the company said in a statement.
The company didn’t respond to a request for comment on how it vetted the arrangement before closing the deal, and it declined to make the developers available for an interview.
“We are concerned that discussing the trading process in too much detail will actually provide more help to hackers than to the DeFi community,” Crema said.
Other such offers by other DeFi platforms seem to have failed. In January, lending platform Qubit Finance published a
People with access to an Ethereum address associated with the Qubit exploit have moved millions of dollars of stolen funds into blockchain-based mixing software known as Tornado Cash, which is often used for money laundering. Stolen Ether valued at nearly $35 million remains at this address.
The hackers behind an April theft of around $80 million from Rari Capital, a DeFi lending platform, temporarily stopped sending stolen funds into Tornado Cash after the platform’s developers tweeted that they would forgo $10 million, “no questions asked,” in exchange for the rest of the money.
“I was hopeful that he was considering whether or not to send the money back and get the bounty,” Rari co-founder Jack Lipstone said. But the attacker eventually started funneling the money back to Tornado Cash in an apparent attempt to obscure its source.
“It’s like the worst feeling ever,” Mr. Lipstone added.
Last month, as DeFi crypto project Harmony responded to a roughly $100 million heist, it tweeted that it would offer a $1 million “bounty” to the hackers in exchange for the rest of the funds.
“Harmony will plead for no criminal charges when the funds are returned,” it said. The company then increased its offer to $10 million.
Blockchain analysis experts suspect that North Korea-linked hackers stole the funds and funneled the crypto to Tornado Cash as well. Harmony declined to comment.
Alex Rice, co-founder and chief technology officer of bug-bounty platform HackerOne, said cyber incidents on these largely unregulated new systems can range from accidental exploits to criminal heists. In the latter category, post-exploit payments are like “a form of money laundering, almost,” he said.
“The criminal is capable of stealing money and is happy to accept a much smaller amount of clean money so he can get away with it,” Rice said.
US officials, who have stepped up efforts to track down stolen crypto and sanction hacking groups, discourage companies from paying hackers after ransomware attacks. The Treasury Department did not respond to requests for comment, and the Justice Department declined to comment on the more nascent practice of post-exploit payments.
Amid the wave of high-profile hacks, some crypto platforms have started offering traditional bug bounties as a preemptive measure. In June, an infrastructure platform known as Aurora paid a hacker $6 million for spotting a vulnerability.
Rice said HackerOne has crypto-based businesses as customers, but it wouldn’t work with DeFi platforms with non-traditional operating structures. Many are not registered as real businesses and are governed by people who hold tokens and can vote on how the projects are run.
“It’s unclear who you’re actually contracting with, who is legally responsible if some type of crime is committed or if a bill has to be paid,” said Rice, whose company’s customers include Starbucks Corp. and General Motors Co.
But most DeFi crypto platforms haven’t attempted to launch bug bounty programs, he said.
“It’s not widespread,” Mr. Rice added. “We operate in the modern business world, which means we need appropriate business entities to engage in business relationships with.”
Write to David Uberti at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.