
The Hacker Poll: Robin Hoods or just hoods?

April 30, 2024

When you consider the intentions of a hacker, it’s difficult to be indifferent to the chaos they cause. If you or your organisation has escaped a hack, you are in the lucky minority.

Hacking is big business: it is estimated that on social media platforms alone, $3.25 billion in cybercrime revenue is generated globally each year. More than 75% of all businesses admit that they have been the target of an attack, and the global cost of damages caused by hackers is set to tip $10 trillion by 2025. Web3 blockchain protocols and applications are particularly vulnerable. In the first six months of 2022, Web3 projects lost more than $2.32 billion to hacks and exploits, more than in all of 2021 combined.

In January 2022, Crypto.com lost $35 million after a hacker disabled two-factor authentication on the exchange. In March, Axie Infinity lost $625 million (the largest-ever crypto hack measured in fiat dollars) after hackers gained control over a majority of the cryptographic keys securing the play-to-earn game’s cross-chain bridge.

In April 2022, a “Robin Hood” hacker targeted Beanstalk and took $182 million using a “flash loan”, where funds are borrowed and repaid in the same transaction. The loan accumulated enough assets to control the stablecoin’s governance protocol. They then passed a proposal donating funds to Ukraine before making off with the collateral.
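To show why a flash loan can swing a governance vote, and what stops it, here is an added simulation that is not Naoris Protocol’s code and not Beanstalk’s contracts. It models a toy token ledger that checkpoints every balance change by block number, and two governance variants: one that weighs a vote by the voter’s current balance (which a borrow-vote-repay sequence inside one block inflates), and one that weighs it by the balance snapshotted before the proposal was created, the usual mitigation behind checkpointed voting tokens. The account names, amounts and the simple-majority threshold are constructed assumptions.

```python
"""Constructed simulation of flash-loan governance manipulation and the
balance-snapshot mitigation. Not the page's or any protocol's real code."""
from collections import defaultdict


class Ledger:
    """Toy token ledger that records every balance change with its block number."""

    def __init__(self):
        self.block = 1
        # addr -> [(block, balance_after_change), ...] in chronological order
        self._history = defaultdict(list)

    def balance(self, addr):
        hist = self._history[addr]
        return hist[-1][1] if hist else 0

    def balance_at(self, addr, block):
        """Balance as of the end of `block` (checkpoint lookup, like getPastVotes)."""
        bal = 0
        for b, v in self._history[addr]:
            if b > block:
                break
            bal = v
        return bal

    def mint(self, addr, amount):
        self._set(addr, self.balance(addr) + amount)

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise ValueError("insufficient balance")
        self._set(src, self.balance(src) - amount)
        self._set(dst, self.balance(dst) + amount)

    def _set(self, addr, value):
        self._history[addr].append((self.block, value))

    def next_block(self):
        self.block += 1


class Governance:
    """Simple-majority voting; `use_snapshot` selects the hardened weighting."""

    def __init__(self, ledger, use_snapshot):
        self.ledger = ledger
        self.use_snapshot = use_snapshot
        self.proposals = {}

    def propose(self, pid):
        # Snapshot the block *before* the proposal so balances cannot be
        # manipulated inside the proposing transaction itself.
        self.proposals[pid] = {"snapshot": self.ledger.block - 1, "for": 0}

    def vote_for(self, pid, voter):
        p = self.proposals[pid]
        if self.use_snapshot:
            weight = self.ledger.balance_at(voter, p["snapshot"])  # hardened
        else:
            weight = self.ledger.balance(voter)  # vulnerable: current balance
        p["for"] += weight

    def passes(self, pid, total_supply):
        return self.proposals[pid]["for"] * 2 > total_supply


def flash_loan_scenario(use_snapshot):
    """Return (votes_for, passed) for a borrow-vote-repay attempt in one block."""
    ledger = Ledger()
    ledger.mint("pool", 1_000_000)    # lending pool holding most of the supply
    ledger.mint("honest", 300_000)
    ledger.mint("attacker", 1_000)
    supply = 1_301_000
    gov = Governance(ledger, use_snapshot)

    ledger.next_block()
    gov.propose("drain")
    ledger.next_block()

    gov.vote_for("drain", "honest")
    # Atomic flash loan: borrow, vote and repay within a single block.
    ledger.transfer("pool", "attacker", 900_000)
    gov.vote_for("drain", "attacker")
    ledger.transfer("attacker", "pool", 900_000)

    return gov.proposals["drain"]["for"], gov.passes("drain", supply)


if __name__ == "__main__":
    print("current-balance voting:", flash_loan_scenario(False))
    print("snapshot voting:       ", flash_loan_scenario(True))
```

With current-balance weighting the borrowed 900,000 tokens count and the proposal passes; with snapshot weighting the attacker’s weight is the 1,000 tokens held before the proposal existed and it fails. A snapshot alone is not the whole defence: a voting period that spans several blocks and an execution delay (timelock) are the usual companions, since they remove the ability to create, vote on and execute a proposal in one transaction.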

In view of these and other alarming cybercrime stories and statistics, it’s a challenge to reframe our view of hackers from outright thieves to Robin Hoods that save exchanges, platforms and enterprises from the vagaries of poor cybersecurity. However, this is exactly what’s happening.

Hackers are raiding corporate coffers and charging a fee to return some of the spoils and a “get out of jail free” card.

Technically, the companies that have suffered this kind of attack should be thankful that a portion of the funds is returned, and they may be more than happy to pay the fee extorted from them, as the alternative is unthinkable.

Debate has been raging around the question of whether it should be accepted practice that hackers go unprosecuted because they could be seen as performing a cybersecurity clean-up function. This may be palatable if the hackers gave back 100% of whatever was stolen and provided the security fix in exchange for a reasonable bounty fee.

Indeed, there is a strong movement supporting the role of legitimate ethical hackers that work within the confines of the corporation’s bounty rules. Many companies are now viewing bounties as an integral part of their cybersecurity budgets. For example, the total bug bounty market was valued at $223 million in 2020, and according to ATR (a research company) it’s expected to grow 54% per year, reaching $5.5 billion by 2027.

The team at Naoris Protocol have their own opinions on this debate, but before we discuss our views, have a look at a poll we set up to see what the views of our community and partners are. This is a mixture of web2 and web3 communities.

We asked the question:

“Should black hat hackers be paid a percentage of the funds they stole and face no prosecution if they return the majority of the spoils?”

The results were surprising. The total average score across all platforms:

Although there is no outright winning view, it is surprising that 48% of respondents believe that it’s an acceptable practice. Looking at individual platforms, certain trends and viewpoints emerged.

Telegram’s result was predictable, as it is an ecosystem for crypto enthusiasts and crypto speculators/traders, with a lot of token sales, who generally hold a very liberal viewpoint. As such, 66% superficially believe it’s ok.

Discord surprised us, being a gamer, blockchain, crypto and developer-based platform. In stark contrast to Telegram, 60% voted no. Perhaps it’s because developers see this as a personal attack on their work. LinkedIn members are more conservative, with many respondents from traditional web2 enterprise companies. As such, they voted overwhelmingly against such practices.

Twitter was more interesting. As the poll ran the split was 60% no, 33% yes and 7% unsure. However, as soon as a few of our blockchain partners shared the poll, this swung from ‘no’ to ‘yes’ with 47.8% in favour versus 37.5% in the ‘no’ camp, reflecting the wider acceptance of hacks in the crypto community.

In the comments around the poll there was a consensus that if hackers returned the funds and assisted with the fix, they should not be prosecuted and they deserve a fee. This viewpoint is more prevalent in the web3/blockchain communities, where large-scale hacks have become commonplace in the last few years. According to PeckShield, a blockchain security firm, hackers have stolen more than $2.32 billion in over 135 exploits from the DeFi industry so far this year, 50% more than was stolen from the entire sector for the whole of 2021.

Naoris Protocol does not condone hacker activities as it amounts to theft and extortion.

Letting hackers get away with their nefarious activities not only undermines the entire ethos of a decentralised financial system, but it also promotes behaviour that fosters distrust, and it will not assist in the mass adoption of blockchain and decentralised systems to replace outdated centralised processes. Therefore, it cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change.

The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed.

It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and will result in a destabilised market. There are instances where the hackers have been offered huge bounty payments and employment contracts in return for sharing how the breach occurred and returning the funds. LodeStar Finance is the latest company to have been hacked, to the tune of $5.8m in recent days, and has already put out a plea for the return of funds with a ‘generous negotiable reward’ as part of a white hat settlement.

However, these are not always taken up. Qubit Finance offered $2m, which was ignored (an $80m hack). Similarly, Harmony offered $1m, which also fell on deaf ears. Perhaps this is because hackers can obtain larger gains by using systems like Tornado Cash (allowing crypto users to obscure the history of their transactions, making them extremely hard to trace) and the high rewards are too good to miss.

On some occasions this incentive has worked and has seen hackers return part of the stolen funds, as with the Poly Network $600m hack, where most of it was returned. Although Ronin and Nomad Bridge also saw some of the funds returned, it was still an insignificant amount compared to the amounts stolen.

The notion that it’s acceptable for a hacker to steal (and it is definitely theft) money from a protocol or platform by doing a hack, and then get paid for that malicious hack with money from the platform, could in fact incentivise hacks, making them a legitimate business practice. So just because a hacker is nice enough to return part of the funds doesn’t make it a good practice. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy, to say the least.

Web3 and its cybersecurity solutions still run on web2 architecture, which means it is centralised. This is the elephant in the room that web3 platforms don’t want to talk about.

If this is not solved via a decentralised solution, the standards for smart contract execution and publishing will not be fundamentally changed or improved.

These types of breaches will continue to happen because there is no accountability or criminalisation of hacking activity. A “just pay the hacker” approach is going to increase the risk for DeFi and other centralised/decentralised platforms because the fundamental weaknesses are not resolved. This creates what amounts to a bounty for hacking a platform and will not have the desired effect; the payoff is simply too high for hackers to be satisfied with a single payoff. It could even precipitate massive syndicates colluding to skim as much money as they can out of the system. It’s not only unhealthy, but it could also signal the demise of the entire ecosystem.

However, there is a caveat: perhaps a distinction needs to be made between ethical hackers who are encouraged by corporations to find bugs for a bounty, and those who hack with malice. But that is for another story.

What are your thoughts?