On Monday, the decentralized finance firm Poly Network ended its strange journey with a hacker or hackers who stole $611 million, when nearly all of the funds were returned. It was a sequence of events so baffling that it will leave many people wondering whether common-sense rules for negotiations still apply.
They should, say experts.
The heist started as normally as these things can. On Aug. 10, Poly announced that the funds had been stolen through a previously unknown vulnerability, and quickly advised major cryptocurrency exchanges, wallet providers and even token issuers to block transactions from the thieves' wallets. Poly then urged the hacker to return the funds in a Twitter letter addressed "Dear hacker."
"Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution."
Then things got strange. The thief or thieves, calling themselves "Mr. White Hat," engaged with Poly. Poly offered a $500,000 "bug bounty" in exchange for returning the money, which Mr. White Hat initially refused. To further encourage the return of the funds, Poly offered Mr. White Hat a job as chief security adviser, a move the industry did not receive well.
But the whole counterintuitive response seems to have worked. Mr. White Hat, who two weeks ago had stolen $611 million, completed returning the money, less the $500,000, on Monday.
Talk to bug bounty experts or cybercrime negotiators, and Poly's most jarring actions were simply wrong. Yet everything seemed to work out in the end.
So what can other companies make of the Poly debacle?
"There was a good outcome. But in terms of the precedent it has the potential to set, and the behavior it encourages, there will be a bad outcome," said Casey Ellis, founder and chief technology officer of bug bounty platform BugCrowd.
Whitewashing crime as bug bounties or job interviews is problematic, said Ellis and others. It can create problems for the company itself in the future, as criminals use the precedent as an excuse to pilfer and, potentially, well-meaning people cause lasting harm.
"One principle we've discovered is important to making bounty programs and vulnerability disclosure programs successful is that you have to actually set expectations before you commit to the interaction," said Ellis.
Real bug bounties are based on rules, terms and conditions, which demonstrate that the program is a legitimate security feature rather than a declaration of outlaw territory.
Circumventing that damages the very idea of bug bounties.
"It's a setback to the reputation of the hackers that are acting in good faith," said Ellis. The hackers who participate in his programs don't want to be lumped in with people who are in it to steal.
"Minimizing crime, even in the name of negotiations, is not a good look for the security of the platform," said Bryce Webster-Jacobsen, director of intelligence operations at GroupSense, a firm that offers cybercrime negotiation services. There is no need to offer a criminal an executive position in the company during the negotiation, he said.
"I liken it to a bank offering a bank robber a security job," he said.
Webster-Jacobsen said there might be a few reasons Mr. White Hat returned the money. Poly's quick action to cut off Mr. White Hat's access to the stolen funds may have made walking away with the theft untenable. Mr. White Hat may have realized that a peer group of criminal hackers would not take kindly to someone decimating the cryptocurrency ecosystem they rely on. Or Mr. White Hat may have bitten off more than he could chew and backed out before things became irreversible. Webster-Jacobsen says GroupSense has seen ransomware operators have crises of conscience during negotiations and turn back.
Generally, said Ellis, cryptocurrency-related businesses have been quick to engage with good security practices, including well-formed bug bounties.
"I've had the conversation with exchanges before that, as this shows, they sort of are offering a bug bounty whether they want to or not," he joked.
Beyond the reality that anyone holding money attracts thieves, Ellis said trust can be a key differentiator for cryptocurrency services, which are still viewed as somewhat risky. He points to Coinbase, which used security early on to establish its product.
Poly, on the other hand, may have established undesirable flexibility.
"It just makes me question, potentially, their own security posture and policies and hiring practices," said Webster-Jacobsen.