Crypto firms make thieving hackers an offer: Keep some, give back the rest

Like ransoms, the agreements can make business sense, allowing a company to return to normal after a cyberattack, security experts say. But labeling them “bug bounties” has outraged vulnerability specialists. To them, the practice legitimizes the thieves by conflating them with white-hat hackers, who report software bugs for a fee. Ethical hackers deal directly with companies, including multinationals, such as Microsoft corp.

or go through third party platforms.

“It dilutes all the work that people have done to do the right thing,” said Casey Ellis, founder and chief technology officer of bug-bounty platform Bugcrowd Inc. “I have to step back from the keyboard every now and then when it comes up.”

Hackers have plundered digital currency projects in the past year, with North Korean-linked groups stealing more than $1 billion, mostly from decentralized financial platforms, according to crypto research firm Chainalysis Inc. The multimillion-dollar heists have continued, even as cryptocurrencies have entered a tailspin .

This month, DeFi trading platform Crema Finance disclosed the theft of roughly $8.8 million in crypto, and its developers quickly teamed up with third-party sleuths to trace the stolen funds across blockchains, or digital public ledgers.

Days later, Crema tweeted that they had established contact with their attacker.

After “a long negotiation,” Crema said, the hacker agreed to keep the equivalent of nearly $1.7 million as “the white hat prize.”

Followers on social media applauded Crema for making the best of a bad situation. Crema’s own reaction was muted. “From our perspective, we actually don’t think the final result is perfect,” the company said in a statement.

The firm did not respond to a request for comment on how it investigated the attacker before the deal, and it declined to make developers available for an interview.

“We are afraid that discussing the negotiation process with too many details actually helps hackers more than the DeFi community,” Crema said.

Other such offerings from other DeFi platforms appear to have failed. In January, lending platform Qubit Finance posted a Twitter message offering $2 million as a “well-deserved bounty” in exchange for hackers returning the rest of an $80 million theft.

Individuals with access to an Ethereum address linked to the Qubit exploit transferred millions in stolen funds to a blockchain-based mixing software known as Tornado Cash, which is often used for money laundering. Almost $35 million worth of stolen Ether remains at that address.

Hackers behind an April theft of around $80 million from Rari Capital, a DeFi lending platform, temporarily stopped sending stolen funds into Tornado Cash after developers with the platform tweeted that they would lose $10 million, “no question,” in exchange for the rest of the money.

“I was hoping he would consider sending the money back and get the bounty,” said Jack Lipstone, one of the Rari co-founders. But the attacker eventually resumed sending the money into Tornado Cash in an apparent attempt to hide its source.

“It’s like the worst feeling ever,” Mr. Lipstone added.

Last month, when DeFi crypto project Harmony responded to a heist of around $100 million, it tweeted that it would offer a $1 million “bounty” to hackers in exchange for the rest of the funds.

“Harmony will advocate for no criminal charges when funds are returned,” it said. The company later set the offer to $10 million.

Blockchain analytics experts suspect that North Korean-linked hackers stole the funds, and also funneled the crypto into Tornado Cash. Harmony declined to comment.

Alex Rice, co-founder and chief technology officer of bug-bounty platform HackerOne, said cyber incidents on such new and largely unregulated systems can range from accidental exploitation to criminal heists. If in the latter category, post-exploitation payments are like “a form of money laundering, almost,” he said.

“The criminal is capable of stealing money and is happy to accept a much smaller amount of clean money in order to walk away free,” Mr Rice said.

US officials, who have stepped up efforts to track stolen crypto and sanction hacker groups, are discouraging companies from paying hackers after ransomware attacks. The Finance Ministry did not respond to requests for comment, and the Justice Department declined to comment on the nascent form of post-exploitation payouts.

Amid the wave of high-profile hacks, some crypto platforms have begun offering traditional bug bounties in advance. In June, an infrastructure platform known as Aurora paid $6 million to a white-hat hacker to discover a vulnerability.

Mr. Rice said HackerOne has crypto-based companies as customers, but it will not work with DeFi platforms with non-traditional operating structures. Many are not registered as actual businesses and are run by people who hold tokens and get to vote on how projects are managed.

“It’s not clear who you’re actually entering into a contract with, who’s legally responsible if some type of crime is committed, or an invoice needs to be paid,” said Mr. Rice, whose firm’s clients include Starbucks corp.

and General Motors Co.

But most DeFi crypto platforms haven’t reached out about starting bug bounty programs, he said.

“It’s not widespread,” Mr. Rice added. “We operate in the modern business world, which means we need proper business entities to do business with.”

Write to David Uberti at [email protected]