Akropolis.io, a cryptocurrency loan and investment platform, has offered $200,000 to the hackers who stole the equivalent of $2 million from the service in exchange for returning the money. The decision, say experts, sets a bad precedent that might undermine an important security tool.
Over the weekend, Akropolis posted an open letter to the hacker on its official Medium, offering $200,000 as a “bug bounty” for the thieves to return user funds “as compensation for [finding an] exploit.”
“We have not contacted any form of law enforcement to pursue a criminal investigation,” the company wrote (emphasis theirs).
“We would like to propose that you return the funds of our community members within 48 hours and in return we will offer a $200,000 USD bug bounty. We will take measures to protect your identity as required.”
Bug bounties are traditionally payments for hackers to turn over vulnerabilities they notice in a system without first using them to sow chaos. This allows the companies to plug the leak. What Akropolis is doing strikes experts in bounty and disclosure programs as crossing a line – using the good works of bug bounties to paper over what is, in effect, a ransom.
“There’s no scenario in which a bug bounty should ever be used to pay off criminal hackers for information about an exploit. That’s dangerously close to encouraging extortion,” said Jay Kaplan, CEO of Synack, a company that supplies vetted hackers for what are in effect closed bounty programs.
Akropolis’s offer harks back to Uber’s 2016 breach, when the company paid hackers $100,000 in a supposed bug bounty payment to conceal evidence of massive data theft.
Uber’s misuse of the term led to a hearing in Washington about the ethical use of bounties and disclosures.
One of the witnesses who appeared at the hearing was Katie Moussouris, CEO of Luta Security and a pioneer in bounties.
“Unfortunately, Uber’s data breach, which led the company to pay an extortion fee through its bug bounty program, seems to have set an incredibly dangerous precedent, confusing good-faith security research with encouraging data breaches, given the similarities with Akropolis’ recent offer,” said Moussouris.
The danger, said Moussouris, is normalizing hackers holding ill-gotten data or funds hostage. That would “create the wrong kind of market.”
Akropolis did not respond to requests for comment.