A cryptocurrency platform that was hacked and had hundreds of millions of dollars stolen from it has now offered the thief a “reward” of $500,000 after the criminal returned almost all of the money.
A few days ago a hacker exploited a vulnerability in the blockchain technology of decentralized finance (DeFi) platform Poly Network, pilfering a whopping $611 million in various tokens—the crypto equivalent of a gargantuan bank robbery. It is thought to be the largest robbery of its kind in DeFi history.
The company subsequently posted an absurd open letter to the thief that began “Dear Hacker” and proceeded to beg for its money back while also insinuating that the criminal would ultimately be caught by police.
Amazingly, this tactic seemed to work—and the hacker (or hackers) began returning the crypto. As of Friday, almost the entirety of the massive haul had been returned to blockchain accounts controlled by the company, though a sizable $33 million in Tether coin still remains frozen in an account solely controlled by the thief.
After this, Poly weirdly started calling the hacker “Mr. White Hat”—essentially dubbing them a virtuous penetration tester rather than a disruptive criminal. Even more strange, on Friday Poly Network confirmed to Reuters that it had offered $500,000 to the cybercriminal, dubbing it a “bug bounty.”
Bug bounties are programs wherein a company will pay cyber-pros to find holes in its IT defenses. However, such programs are typically commissioned by companies and addressed by well-known infosec professionals, not conducted unprompted and ad-hoc by rogue, anonymous hackers. Similarly, I’ve never heard of a penetration tester stealing hundreds of millions of dollars from a company as part of their test.
Nonetheless, Poly Network apparently told the hacker: “Since, we (Poly Network) believe your action is white hat behavior, we plan to offer you a $500,000 bug bounty after you complete the refund fully. Also we assure you that you will not be accountable for this incident.” We reached out to the company to try to independently confirm these reports.
The hacker reportedly refused to take the crypto platform up on its offer, opting instead to post a series of public messages in one of the crypto wallets that was used to return funds. Dubbed “Q & A sessions,” the posts purport to explain why the heist took place. The self-interviews were shared over social media by Tom Robinson, co-founder of crypto-tracking firm Elliptic. In one of them, the hacker explains:
Q: WHY HACKING?
A: FOR FUN 🙂
Q: WHY POLY NETWORK?
A: CROSS CHAIN HACKING IS HOT
Q: WHY TRANSFERRING TOKENS
A: TO KEEP IT SAFE.
In another post, the hacker purportedly proclaimed, “I’m not interested in money!” and said, “I would like to give them tips on how to secure their networks,” apparently referencing the blockchain provider.
So, yeah, what do we think here, folks? Is the hacker:
- A) a good samaritan who stole the better part of a billion dollars to teach a crypto company a lesson?
- B) a spineless weasel who realized they were in tremendous levels of shit and decided to engineer a way out of their criminal deed?
The answer is unclear at the moment, but gee, does it make for quality entertainment. Tune in next week for a new episode of Misadventures in De-Fi Cybersecurity. Thrilling stuff, no?