New alarming research* from Naoris Protocol, a global cyber security firm, reveals many people believe black hat hackers – criminals who break into computer networks with malicious intent – should be paid a percentage of the funds they steal and face no prosecution if they return the majority of their spoils.
Some 48% of people who took part in a Naoris Protocol poll, which ran across its social media channels and partner communities in December, said they agreed with this view; 38% disagreed and 13% were unsure. Those taking part in the poll work across cyber security, CeFi, DeFi and traditional Web2 and Web3, or have an interest in these areas.
Debate has been raging around the question of whether it should be an accepted practice that hackers go unprosecuted because they could be seen as performing a cybersecurity clean-up function. For some, this may be palatable if the hackers gave back 100% of whatever was stolen and provided the security fix in exchange for a reasonable bounty fee.
Naoris Protocol says there is a strong movement supporting the role of legitimate, ethical hackers that work within the confines of the corporation’s bounty rules. Many companies are now viewing bounties as an integral part of their cybersecurity budgets. For example, the total bug bounty market was valued at $223 million in 2020, and according to research company ATR, it’s expected to grow 54% per year, reaching $5.5 billion by 2027.
Monica Oravcova, Co-Founder & Chief Operating Officer, Naoris Protocol said: “Letting hackers get away with their nefarious activities not only undermines the entire ethos of a decentralised financial system, but it also promotes behaviour that fosters distrust, and it will not assist in the mass adoption of blockchain and decentralised systems to replace outdated centralised processes.
“Therefore, it cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change. The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed.
“It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and will result in a destabilised market.”
There are instances where hackers have been offered large bounty payments and employment contracts in return for explaining how the breach occurred and returning the funds. LodeStar Finance, which was hacked to the tune of around $6.9m at the end of last year, put out a plea for the return of funds with a ‘generous negotiable reward’ as part of a white hat settlement.
However, these offers are not always taken up. Qubit Finance offered $2m that was ignored after an $80m hack. Similarly, Harmony offered $1m that also fell on deaf ears. This may be because hackers can make larger gains by using systems like Tornado Cash (which allows crypto users to obscure the history of their transactions, making them extremely hard to trace), and the high rewards are too good to miss.
On some occasions this incentive has worked and has seen hackers return part of the stolen funds, as in the Poly Network $600m hack, where most of the funds were returned. Although Ronin and Nomad Bridge also saw some funds returned after the hacks they suffered, the amounts were insignificant compared to what was stolen.
Monica Oravcova added: “The notion that it’s acceptable for a hacker to steal – and it is definitely theft – money from a protocol or platform by doing a hack and then getting paid for that malicious hack with money from the platform, could in fact incentivise hacks, making it a legitimate business practice. So just because a hacker is nice enough to return part of the funds doesn’t make it a good practice. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy to say the least.”
Naoris Protocol warns that these types of breaches will continue to happen because there is no accountability or criminalisation of hacking activity. It says a “just pay the hacker” approach is going to increase the risk for DeFi and other centralised and decentralised platforms because the fundamental weaknesses are not resolved. Naoris Protocol warns this creates what amounts to a bounty for hacking a platform and will not have the desired effect as the payout is simply too high for hackers to be satisfied with a single payoff.
It warns it could even precipitate massive syndicates colluding to skim as much money as they can out of the system. Naoris Protocol says this is not only unhealthy, but it could also signal the demise of the entire ecosystem.