New research from Naoris Protocol, a global cyber security firm, reveals that many people believe black hat hackers, who break into computer networks with malicious intent, should be paid a percentage of the funds they steal and face no prosecution upon returning the majority of their spoils.
Of people who took part in a Naoris Protocol poll that ran across its social media channels and partner communities in December, around 48% said they agree with this view, 38% disagreed, while 13% were unsure. Those who took part in the poll work across cyber security, CeFi, DeFi and traditional Web2 and Web3, or are interested in these areas.
There is an ongoing debate about whether hackers should escape punishment when their actions end up doing some good, such as exposing cybersecurity weaknesses. Some argue that it is acceptable provided the hackers return everything they took and also help fix the problem so it cannot happen again.
Naoris Protocol says that support is growing for ethical hackers who work within the rules set by the company they test. Many companies now treat bug bounties as an important part of their cybersecurity budget. For example, in 2020 the total bug bounty market was worth $223 million, and according to research company ATR it is expected to grow 54% every year, reaching $5.5 billion by 2027.
Monica Oravcova, Co-Founder & Chief Operating Officer, Naoris Protocol said: “Letting hackers get away with their nefarious activities not only undermines the entire ethos of a decentralised financial system, but it also promotes behaviour that fosters distrust, and it will not assist in the mass adoption of blockchain and decentralised systems to replace outdated centralised processes.”
“Therefore, it cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change. The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed.”
“It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and will result in a destabilised market.”
In some cases, hackers have been offered large sums of money or a job if they explain how the breach happened and return the stolen funds. LodeStar Finance, which lost about $6.9 million in a hack at the end of last year, asked for the return of the funds with a “generous negotiable reward” as part of a white hat settlement.
However, such offers are not always accepted. Qubit Finance offered $2m after an $80m hack but was ignored, and Harmony’s $1m offer was likewise not taken up. This may be because hackers can make larger gains by keeping the funds: services like Tornado Cash allow crypto users to obscure the history of their transactions, making the funds extremely hard to trace, so the payoff from not returning them is higher than any reward on offer.
Sometimes the incentive has worked and hackers have returned part of the stolen funds, as in the Poly Network $600m hack, where most of the money was returned. Ronin and Nomad Bridge also recovered some of the funds from the hacks they suffered, but in both cases the amount recovered was insignificant compared to the amount stolen.
Monica Oravcova added: “The notion that it’s acceptable for a hacker to steal – and it is definitely theft – money from a protocol or platform by doing a hack and then getting paid for that malicious hack with money from the platform, could in fact incentivise hacks, making it a legitimate business practice. So just because a hacker is nice enough to return part of the funds doesn’t make it a good practice. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy to say the least.”
Naoris Protocol warns that these types of breaches will continue to happen because there are currently no consequences for hackers. It says that simply paying the hacker after a platform is breached will increase the risk for DeFi and for other centralised and decentralised platforms, because the fundamental weaknesses that allowed the breach are never resolved. Paying off hackers, it argues, only encourages them to keep attacking because the rewards are too high.
Naoris Protocol adds that if people begin colluding to skim money out of the system in this way, the consequences for the wider ecosystem could be severe.