It has recently come to light that a controversial deal has taken place between a cybercriminal and their victim. Poly Network, a US-based finance company, had more than $600 million worth of cryptocurrency stolen in one of the largest crypto-heists of all time. After finding out they had fallen victim to a hacker, Poly Network decided to do something unusual: it offered the hacker a special deal if they agreed to return the stolen currency.

Poly Network is a ‘decentralized finance’ system, also known as a DeFi system. The DeFi system allows users to trade and transfer various cryptocurrencies from one blockchain to another. As we’ve discussed previously, cybercriminals are constantly on the lookout for vulnerabilities that they can exploit. Unfortunately for Poly Network, an anonymous hacker exploited one of these vulnerabilities in the DeFi system and transferred approximately $610 million into their own crypto-wallet, leaving Poly Network with a huge dilemma.

What was the deal?

Poly Network made the bold move of offering the hacker $500,000 in return for the stolen currency, adding that they want to ensure the individual is not held accountable for the incident. It appears Poly Network believes that the hacker was a ‘white hat hacker’ – a hacker that uses their skills for good by working with organisations to identify security flaws.

Poly Network said, “we believe that your action is white hat behaviour, we plan to offer you $500,000”. A former FBI official pointed out that although the monetary reward can be promised, organisations are unable to ensure immunity from legal prosecution. Poly Network’s statement has also come as a big disappointment to many in the community, with people worrying that this sets a precedent for future criminal hackers to white-wash their actions. Katie Paxton-Fear, an official white hat hacker and lecturer, says that “labelling this hack as white hat is just really disappointing”.

Was this a success?

Shortly after the offer was made, the hacker publicly taunted Poly Network, mockingly asking for advice on how to launder their stolen money. But then, to most people’s surprise, the cybercriminal started to return the cryptocurrency. They currently still hold over $30 million of currency, although a large portion of this is because the cryptocurrency itself has been frozen as a result of the situation.

In a three-page Q&A posted by the hacker, they claimed that the entire ordeal had just been “for fun” and it was “always the plan” to return the stolen funds. From the Q&A you can get the impression that this hacker thinks of themselves as a vigilante, saying “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”. Whilst this is true, the damage done to Poly Network’s reputation is likely to be beyond repair at this point.

In summary, although Poly Network has had the vast majority of their stolen currency returned, it has to be asked ‘At what cost?’. People expect security from a financial platform, so Poly Network has suffered huge reputational damage as a result of the hack. On top of this, they have caused upset amongst many cybersecurity and white hat professionals in their attempt to retrieve the money. It is still unclear what the hacker’s true intentions were – were they really a white hat hacker? Or did they adopt that name once given the chance?

