A hacker, now called “White Hat,” who stole a record-breaking sum a week ago, has been offered the position of chief security advisor at the firm he hacked, in a made-for-Hollywood twist to the story of a heist.
Poly Network, a platform designed to create interoperability among multiple blockchains, said in a statement that it wants to extend thanks to the hacker they are now calling “Mr. White Hat,” for revealing the vulnerabilities of their system.
In order to extend those thanks properly, the Poly Network has invited “Mr. White Hat to be the Chief Security Advisor of Poly Network,” the statement continues. It also said it has “no intention of holding Mr. White Hat legally responsible.”
The hacker stole $604 million: $267 million in Ether tokens, $252 million in Binance, and $85 million in USD Coin, depriving “tens of thousands” of users of what was theirs. But most of that money is now back under the management of Poly Network.
Poly Network operates via smart contracts that instruct the different blockchains to release assets to counterparties. The hacker figured out how to hotwire this system. As Poly Network has put it, the hacker “exploited a vulnerability between contract calls.”
The chief technology officer of Tether, a stablecoin company, said last week that Tether has frozen $33 million of its tokens that were lost in the attack.
The hacker has not returned the frozen $33 million. But the hacker has returned the Binance Smart Chain (BSC) money in full, as well as $3.3 million from Ethereum and $1 million from Polygon.
Polygon (MATIC) is an Ethereum-based token that acts as a scaling solution, offering faster and less expensive transactions using Layer 2 sidechains.
A Disturbing Tale
Let’s not forget the hacker is still holding back more than $200 million, roughly one-third of the amount originally taken. Those funds are locked in an account that requires a password both from Poly Network and from “Mr. White Hat,” apparently pending the satisfactory conclusion of further negotiations.
Assuming any remaining questions are settled, and all the money is accounted for and gets back to where it should be, there is much that is disturbing about the twist the tale has taken.
One can imagine future arrests of “black hat” hackers with no interest other than pocketing ill-gotten funds for a vacation in Rio. The new normal defense will be, “Your honor, I thought this was now the standard way of filing one’s job application for a security position.”
Perhaps the best-case scenario for a hacker is that vacation in Rio, the middling result is a security job, and the worst case is the need to make that embarrassingly obvious defense argument.
Funny or Sad?
The whole incident, with this let’s-kiss-and-make-up resolution, is inspiring a certain amount of humor on social media. One person said that it was all “just another MATIC Monday,” punning on the symbol for Polygon as well as the name of a Bangles song (1986).
Another Twitter user, Dank CKB Mmes, suggests to the Poly Network, “You should write them another love letter, maybe they’ll teach you how to write smart contracts.”
Yet Poly Network was once considered the best cross-chain interoperability protocol on the market, so this humor has a tinge of how-the-mighty-have-fallen sadness to it.
White Hat’s name has not been made public, though if he is going to take a (presumably paid) position at the Poly Network, one wonders how long anonymity can last. To whom will the checks be made out?
A Chinese security firm, SlowMist, has said that its analysts have identified the attacker’s email address, IP address, and even device fingerprint.