The hacker who stole US$600 million in tokens from a cryptocurrency platform last week was offered a security job by the platform Tuesday.
Most of the money has been returned to the Poly Network, but more than $200 million in assets remains locked in an account controlled by the hacker, whom the crypto platform refers to as “Mr. White Hat.”
As a condition of releasing the remaining funds, the hacker has called for security improvements in the Poly Network platform.
In a post on Medium, the network noted it has been in contact with Mr. White Hat on a daily basis, keeping the hacker informed about the platform’s ongoing efforts to improve its security.
“We have made constant efforts to establish an understanding with Mr. White Hat and genuinely hope that Mr. White Hat will transfer the private keys as soon as possible so that we can return full asset control back to the users at the earliest,” the company wrote.
It also offered Mr. White Hat a job.
“[T]o extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the company wrote.
Risky Job Candidate
“I wouldn’t hire this guy,” said Giacomo Arcaro, a growth hacker and crypto entrepreneur based in New York City.
“Imagine what he could do if he worked for a company like this,” he told TechNewsWorld. “He could inject a random access Trojan into the system and hack all the users of the Poly Network.
“They should hire a cybersecurity expert, not a hacker,” he added.
Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla., noted that the Poly Network situation is an unusual one because the hacker appears to be returning stolen money to the crypto platform in good faith.
“However, by taking the money, and so much of it at that, the hacker went far beyond what could be called ‘ethical hacking,’” he told TechNewsWorld.
“Their actions could make a person question their state of mind and moral compass, even with the return of the money, so bringing them on as an employee would be a significant risk,” he continued.
“The offer to use them as a Chief Security Advisor may only be a contracted role, rather than a true employee relationship,” he said. “Much like law enforcement uses known criminals as informants, Mr. White Hat could be a source of valuable information and insight, even if they are kept at an arm’s length.”
“Before trusting them as an employee, both parties would need to trust each other and understand their motivation,” he added.
Matter of Trust
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz., maintained that the Poly Network’s offer to Mr. White Hat reflects how little leverage the company has in its present predicament.
“Poly Network realizes the attacker has them over a barrel and is doing everything possible to play nice in hopes of recovering the stolen funds. They have 200 million reasons to do so,” he told TechNewsWorld.
“It really depends on Poly Network’s goals here,” he said. “If the motivation is to play as nice as possible in hopes the stolen funds are returned then, yes, this is very wise.”
“If they really intend for the attacker to have a meaningful say in their future security efforts, it’s probably unwise,” he observed.
“At some level, security boils down to trust,” he continued, “and an individual who has demonstrated the willingness to transfer funds that don’t belong to them rather than proactively reporting a security issue definitely hasn’t earned that trust.”
“Even if an actual proof of concept transfer would have been necessary to demonstrate the issue, it likely wouldn’t have required such a significant transfer, nor would it have prevented the attacker from immediately returning the funds once the issue had been proven,” he added.
Bug Bounty Offer
In addition to a job, the Poly Network has offered Mr. White Hat a $500,000 bounty for exposing the flaw in its software that allowed $600 million to bleed from its coffers.
The hacker initially refused to accept the bounty, but later stated the money should be given to the technical community that has made contributions to blockchain security. Blockchain is the technology that underpins cryptocurrency security.
“We fully respect Mr. White Hat’s thoughts, and to express our gratitude, we will still transfer this $500,000 bounty to a wallet address approved by Mr. White Hat for him to use it at his own discretion for the cause of cybersecurity and supporting more projects and individuals,” the company wrote.
“Whatever Mr. White Hat chooses to do with the bounty in the end, we have no objections,” it added.
The company also reiterated in its Medium piece that it had no intention of holding Mr. White Hat legally responsible for his actions, as it is confident he will return full control of all assets to the Poly Network.
“I think this is Poly Network attempting to motivate the attacker to do the right thing and return the funds rather than honest gratitude,” Clements observed.
“Bug bounties in general are a wonderful tool for organizations to use as part of a complete information security program but are typically governed by strict rules of engagement between the company hosting the bug bounty and the security researchers attempting to find flaws,” he added.
Kron also questioned the payment of a bounty by Poly Network.
“By actually stealing the money, the hacker crossed the line into a criminal act, even if they return the funds,” he said.
“Bug bounties are becoming more common and are very effective tools for organizations to keep their security tested, but they are typically designed in such a way as to provide payouts without the security researcher actually causing damage or stealing anything. In other words, they keep things legal,” he explained.
The color of Mr. White Hat’s chapeau was questioned by Quentin Rhoads, director of professional services for TeamARES at CriticalStart, a cybersecurity consulting and managed detection and response services company in Plano, Texas.
“It seems the hacker discovered he couldn’t launder the money he stole because Poly Network told a number of blockchain sites to block transactions containing the stolen addresses,” he told TechNewsWorld.
“Because he couldn’t launder the money, he changed his stance and said he stole the money for the betterment of the crypto world,” he continued.
“It was a case of ‘I can’t get my money so I’m going to try to get something out of this,’” he said, “and Poly Networks assisted him by saying, ‘If you give the money back, we’ll give you some money and claim it as a bounty.’”