October 10, 2023

Do Crypto Hacking Bounties Work?

Hacking incidents against Web3 companies have become more frequent recently, but an interesting trend is emerging in some of the recent attacks: some attackers end up returning the funds they stole in exchange for a bounty and an assurance that they will not be reported to law enforcement. Such cooperating attackers may be considered "gray hat" hackers: they acted maliciously at first but ultimately chose to return the funds.

A recent instance of this trend involves a major global crypto exchange. On September 24, HTX (formerly Huobi Global) was attacked by an unidentified hacker (0xdb1d) who stole about 5,000 $ETH (about $7.9M) from one of the exchange's hot wallets. Soon after, the company reached out to the hacker, offered a 5% "white hat" bonus, and threatened to expose the attacker's identity if 95% of the funds were not returned by Oct. 2. The HTX hacker complied with the ultimatum, returning the funds on October 7 and stating that the private key of an HTX hot wallet had been leaked. HTX then sent the 250 $ETH reward (5% of 5,000 $ETH) to the address provided by the hacker (0x1Fc8). The hacker's addresses have shown no activity since the incident, according to Scopescan data.

Past Crypto Hacking Bounties

During the third quarter of 2023, Web3 saw a 153% increase in hacks compared to the same quarter last year, resulting in the loss of $685.5M in funds in that quarter alone. The biggest hack of the quarter was the $200M theft at Mixin Network, an incident that appears more complicated than the usual hack, as we covered in a previous article. Many of the other recent hacks are attributed to the North Korean cybercrime group Lazarus. With the recent spike in attacks, the practice of offering bounties to the attackers themselves has received renewed attention, especially now that large Web3 companies like HTX are doing it too.

Post-hack cooperation between Web3 companies and attackers has become a common occurrence because it offers something to both parties. Hacked companies use this strategy to recover funds faster and to spare themselves the cost and delay of investigations and legal action. Some attackers accept the arrangement to shield themselves from further investigation while keeping a significant share of the stolen funds. Of course, this practice is essentially a ransom payment and may encourage more hacks in the future, but so far it has produced favorable resolutions to a number of incidents.

In 2022, at least 20 hacked Web3 companies offered bounties in an attempt to recover lost funds, and eight of them cumulatively got back over $160M in the process, according to TRM Labs. The companies offered between 5% and 50% of the stolen funds as bounty rewards. An example of a successful recovery involves NFT lending platform XCarnival, which lost $3.8M in crypto tokens in a hacking incident in June 2022. The platform offered about 50% of the stolen funds as its "white-hat" bounty, and the attacker promptly returned $2M in $ETH in exchange for the project team's commitment not to pursue legal action. The 0xScope team has illustrated a diagram of the hack and recovery transactions below.

In another hacking incident last year, Ethereum scaling solution Optimism lost about $16M worth of $OP tokens. The hacker ultimately accepted a bounty of about $1.6M, or 10% of the stolen funds, from Optimism, after sending Ethereum founder Vitalik Buterin a message that read: "Hello, Vitalik, I believe in you, just want to know your opinion on this. BTW, help to verify the return address and I will return the remaining after you. And hello Wintermute, sorry, I only have 18M and this is what I can return. Stay Optimistic!" Here's the 0xScope team's outline of the whole incident, from the attack to the recovery:

This year, we saw at least one more instance in which offering a bounty to the attacker led to the return of funds. A hacking incident in July drained $70M from Curve Finance liquidity pools. Affected DeFi platforms, including Alchemix and JPEG, offered a 10% bounty for the return of the lost funds. The hacker took the offer, returning "a total of 4,819 $alETH and 2259 $ETH so far," Alchemix said in August.

However, the success of HTX, XCarnival, Optimism, and Curve Finance in recovering funds through bounties does not mean that attackers will always be willing to negotiate.

Why Crypto Hacking Bounties Can Fail

Looking back at how the HTX hack unfolded, it can be argued that the exchange recovered the stolen funds because it credibly threatened to unmask the attacker, not because of the bounty alone. In other words, the bounty by itself may not be enough for hacked companies that want their assets back, and a threat of exposure carries little weight when the attacker belongs to a larger cybercrime organization such as Lazarus. After all, a genuinely ethical or "white hat" hacker most likely already participates in bug bounty programs hosted on platforms such as Immunefi, which paid out a total of $52M to bug bounty participants last year.

For example, after suffering a $55M theft in September 2023, crypto exchange CoinEx offered a "generous bug bounty" to the hackers if they returned the stolen funds. As of this writing, the offer has not resulted in the recovery of the funds. The CoinEx attackers have been attributed to Lazarus, which leaves the compromised exchange in the unfavorable position of facing a state-backed group that law enforcement is unlikely to reach.

In fact, over 50% of the public bounty offers made last year failed to result in fund recovery. The attackers in these cases are either confident of remaining anonymous or are part of state-sponsored hacking groups, so neither the reward nor the threat of exposure moves them.

In conclusion, offering bounties to attackers after an incident can be seen as a pragmatic answer to the problem of lost funds, but it is likely to embolden attackers to keep going, while Web3 companies continue to fall short in implementing the security measures that would stop these hacks from happening in the first place. The HTX case is a reminder that a single leaked hot-wallet private key is enough to lose millions. The recent rise in hacks against Web3 companies also highlights the importance of crypto tracking solutions such as 0xScope and Scopescan in detecting suspicious behavior and investigating attacks.
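The kind of suspicious behavior a tracking tool looks for on a hot wallet can be demonstrated with a small heuristic monitor. The following is an added example written for this page; it is not 0xScope or Scopescan code. The transfer records, the addresses (0xHOT, 0xCOLD, the user addresses), the thresholds and the allowlist are all constructed assumptions. It replays a ledger of outbound transfers from one hot wallet and flags a transfer when it is far larger than the wallet's routine outflows, or when it is a first-ever payment to a recipient and exceeds an absolute size, while ignoring sweeps to a known internal cold wallet.

```python
"""Heuristic hot-wallet outflow monitor.

Added example, not 0xScope/Scopescan code. The ledger below is
constructed: a few routine user withdrawals, one sweep to a known
cold wallet, and one large drain to a never-seen address that
mimics the shape of the HTX incident. All addresses, amounts and
thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    sender: str    # the monitored hot wallet (hypothetical address)
    to: str        # recipient
    eth: float     # amount in ETH


# Constructed sample ledger, in chronological order.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer(1695500000, "0xHOT", "0xuser1", 2.0),
    Transfer(1695500600, "0xHOT", "0xuser2", 1.5),
    Transfer(1695501200, "0xHOT", "0xuser3", 0.8),
    Transfer(1695501800, "0xHOT", "0xuser1", 2.5),
    Transfer(1695502400, "0xHOT", "0xCOLD", 1200.0),   # routine sweep to cold storage
    Transfer(1695503000, "0xHOT", "0xuser4", 3.0),
    Transfer(1695503600, "0xHOT", "0xdb1d", 5000.0),   # drain to a fresh address
]

# Hypothetical allowlist of internal addresses whose sweeps are expected.
KNOWN_INTERNAL = frozenset({"0xCOLD"})


def flag_outflows(
    transfers: Iterable[Transfer],
    ratio: float = 10.0,        # flag when amount >= ratio * median of routine outflows
    abs_eth: float = 500.0,     # flag first-time recipients above this size
    warmup: int = 3,            # need this many routine transfers before using the median
    allowlist: frozenset = frozenset(),
) -> List[Tuple[Transfer, List[str]]]:
    """Replay transfers in time order and return the ones that look suspicious.

    Each flagged entry carries the list of reasons that fired. Flagged
    transfers are deliberately kept out of the baseline so that one large
    drain does not raise the median and mask the next one.
    """
    seen_recipients: set = set()
    baseline: List[float] = []       # amounts of prior unflagged transfers
    flagged: List[Tuple[Transfer, List[str]]] = []

    for t in sorted(transfers, key=lambda x: x.ts):
        if t.to in allowlist:
            # Internal sweeps are expected; neither flag them nor let them
            # distort the baseline of normal user withdrawals.
            continue

        reasons: List[str] = []
        if len(baseline) >= warmup:
            base = median(baseline)
            if base > 0 and t.eth >= ratio * base:
                reasons.append(
                    f"amount {t.eth} ETH is {t.eth / base:.0f}x the median "
                    f"routine outflow of {base} ETH"
                )
        if t.to not in seen_recipients and t.eth >= abs_eth:
            reasons.append(
                f"first transfer ever to {t.to} and above {abs_eth} ETH"
            )

        if reasons:
            flagged.append((t, reasons))
        else:
            baseline.append(t.eth)
        seen_recipients.add(t.to)

    return flagged


def summarize(flagged: List[Tuple[Transfer, List[str]]]) -> Dict[str, int]:
    """Map each flagged recipient to the number of reasons that fired."""
    return {t.to: len(reasons) for t, reasons in flagged}


if __name__ == "__main__":
    for t, reasons in flag_outflows(SAMPLE_TRANSFERS, allowlist=KNOWN_INTERNAL):
        print(f"ALERT {t.sender} -> {t.to} {t.eth} ETH @ {t.ts}")
        for r in reasons:
            print(f"   - {r}")
```

Run without the allowlist, the 1,200 ETH sweep to the cold wallet is flagged as well, which is the usual source of false positives in this kind of rule; the allowlist and the exclusion of flagged transfers from the baseline are the two design choices that keep the alert on the 5,000 ETH drain meaningful. A real deployment would feed this from a node or indexer and would act on the alert (pausing withdrawals, rotating the hot-wallet key) rather than just printing it.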
