By Joe Tidy, Cyber security reporter, BBC News
A hacker who stole just over $600m (£433m) worth of cryptocurrency was offered $500,000 and immunity as a reward for returning the money.
Poly Network made the controversial offer after the hacker pledged to send back the money. The attack was uncovered on Tuesday when Poly Network publicly pleaded with the hacker to help. One former FBI official said “private companies have no authority to promise immunity from criminal prosecution”.
The attack is one of the largest hacking heists in history. Poly Network said the person had exploited a vulnerability in its system. Most of the money has now been given back, although the hacker says they are not interested in the reward.
Shortly after the hack the anonymous individual posted notes to the publicly available blockchain taunting the company and asking for advice on how to launder his stolen riches. Later, the criminal claimed “not to be interested in money” and promised to return it all.
By Thursday evening, Poly Network said most of the remaining assets in the hacker’s possession had been transferred to a digital wallet controlled by both the hacker and the company. Poly Network says it is still waiting for the repayment process to be fully completed but that it is working with the hacker. A portion of the stolen coins were frozen shortly after the attack have not yet been transferred but can’t be used by the hacker anyway.
“The hacker still holds $33.4m of stolen Tether [tokens] – because it has been frozen by Tether themselves,” Tom Robinson, co-founder of Elliptic, a London-based blockchain analytics and compliance firm, told the BBC.
He added that it could be seen on the blockchain that “a few thousand dollars’ worth of various other tokens” were being held onto by the hacker.
It was not clear, however, if these were part of the stolen assets, or donations that the hacker requested people to send them on Thursday as a thank you for returning the money.
Other money outstanding also includes a 13.37 Ether tip ($40,000), which the hacker sent to a user who warned them that the Tether tokens had been frozen by its developer.
In a three page Q&A posted online the anonymous hacker claimed he or she carried out the heist for fun and to encourage cryptocurrency exchange firm Poly Networks to improve its security.
Immunity
Poly Network appears to have accepted the explanation and dubbed the hacker “Mr White Hat”.
White hat hackers are ethical security researchers who use their skills for good to help organisations find security flaws.
Poly Network confirmed that it sent a note to the attack saying “we believe that your action is white hat behaviour, we plan to offer you a $500,000” reward.
The firm added: “We assure you that you will not be accountable for this incident.”
The alleged move has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions.
Katie Paxton-Fear, a white hat hacker and lecturer at Manchester Metropolitan University, says that “labelling this hack as white hat is just really disappointing”.
Mrs Paxton-Fear has found over 30 vulnerabilities in organisations ranging from the US Department of Defense (DoD) to Verizon Media.
‘No authority’
“White hat hacking is all about having a scope, not touching some systems, working with the team, writing professional reports detailing our findings, not going further than we have to to demonstrate risk,” she said.
“Our approach is ‘first, do no harm’, potentially verifying fixes are put in place and not putting any users data at risk.”
Charlie Steele, Partner at Forensic Risk Alliance and former Department of Justice and FBI official is also concerned about the alleged offer from Poly Network.
“Private companies have no authority to promise immunity from criminal prosecution,” he told the BBC.
He added: “In this event where a hacker stole the $600m ‘for fun’ and then returned most of it, all while remaining anonymous, is not likely to lessen regulators’ concerns about the variety of risks posed by crypto-currencies.”
Source: bbc.com