Cryptocurrency platform Poly Network has offered to pay a $500,000 ‘bug bounty’ to the hacker behind a high-profile breach earlier this week.
On Tuesday, the company fell victim to a serious cyber-attack. More than $610 million in cryptocurrency was stolen during the incident, making it the largest crypto heist in history and sparking apprehension across the crypto world.
The attack prompted Poly Network to appeal directly to the hacker responsible. In a message posted to Twitter on Tuesday, the firm urged the individual behind the attack to get in touch and “return the hacked assets”.
“The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued,” the firm said.
“You should talk to us to work out a solution,” Poly Network added.
In the wake of the attack, blockchain analytics firm Elliptic published comments from the hacker claiming that the attack had been carried out ‘for fun’.
In a Q&A relayed by Elliptic co-founder Tom Robinson, the hacker said that returning the stolen funds had always been the plan.
“That’s always the plan! I know it hurts when people are attacked,” they said. “But shouldn’t they learn something from those hacks?”
“I didn’t want to cause real panic in the crypto world…I took important tokens and didn’t sell any of them,” they added.
The hacker’s messages were shared on Twitter by Tom Robinson (@tomrobin) on August 11, 2021.
Within hours, the individual behind the heist began returning stolen coins. Last night, Poly Network revealed that more than $260m in Ether tokens had been returned by the hacker.
In a statement today, the crypto platform thanked the ‘white hat hacker’ for exposing the firm’s vulnerabilities, returning stolen assets and helping to improve its security processes.
At the time of writing, Poly Network said the hacker had returned $340m in crypto assets and had transferred the remainder into a wallet that the firm could access.
“After communicating with Mr. White Hat, we have also come to a more complete understanding regarding how the situation unfolded as well as Mr. White Hat’s original intention,” Poly Network said in a statement.
At this stage, it is unclear how, or in what currency, ‘Mr White Hat’ will be paid. Poly Network has yet to confirm whether the hacker has accepted the bounty offer.
What is a ‘white hat hacker’?
‘White hat hacker’ is an industry term to describe ethical hackers who expose security vulnerabilities, either on behalf of an organisation or in a freelance capacity.
Declan Doyle, Head of Ethical Hacking at the Scottish Business Resilience Centre, described this as essentially “hacking with permission”.
“While they [white hat hackers] use the same tools and techniques as a criminal hacker, the intent is completely different as the goal is to identify weaknesses,” he explained.
In recent years, white hat hackers have become increasingly important to organisations across a range of sectors, he said.
Some of the world’s top technology companies, including Amazon, Microsoft and Apple, have introduced dedicated ‘red’ and ‘blue’ teams and rely on white hats to keep tabs on software vulnerabilities.
“We’ve seen cybersecurity pros adopt a defensive strategy, with internal teams taking the role of either an attacker (red team) or defender (blue team) to recognise weaknesses in their IT or processes to defend the ‘castle’,” Doyle added.
“Ethical or white hat hackers, on the other hand, look at the ‘castle’ and try to predict how a criminal hacker might attack the castle.”
Doyle said there is a range of benefits to working with ethical hackers, who often provide an “unbiased and intensive review” of an organisation’s systems.
Exposing these vulnerabilities can often result in a reward, known as a ‘bug bounty’. In the past, these rewards have proven to be very lucrative.
Santiago Lopez, a teenage hacker from Argentina, made headlines in 2019 after becoming the first ethical hacker to earn one million dollars from bug bounties on the HackerOne platform.
In the UK, security expert Mark Litchfield became Britain’s first white hat hacker to pass the $1m mark shortly after Lopez.
Since the onset of the coronavirus pandemic, bug hunting has experienced something of a boom. In March, bug bounty platform HackerOne said the number of researchers submitting vulnerability reports had risen over the previous 12 months.
Its survey of more than 4,000 hackers worldwide recorded a 63% increase in the number of researchers submitting reports across a range of vulnerability categories. The research also suggested that more than one-third of hackers had spent more time hacking since the beginning of the pandemic.