By Joe Tidy
Cyber security reporter, BBC News
https://www.bbc.com-image sourceGetty Images
A hacker who stole just over $600m (£433m) worth of cryptocurrency has now returned most of the stolen assets.
On Thursday, Poly Network confirmed on Twitter that $268m worth of Ether tokens had now been recovered.
Over the last 24 hours, the hacker has returned $342m worth of tokens relating to three crypto-currencies to the firm.
The individual also posted several pages of notes to the blockchain, disclosing why they hacked the firm and the offers Poly Network made to them.
In a twist that’s worrying some cyber-security experts, the hacker claims the firm offered to pay $500,000 if they returned the stolen assets, as well as a promise of immunity from prosecution.
However, the hacker says he did not accept the offer.
By Thursday evening, Poly Network posted an update that most of the remaining assets in the hacker’s possession had been transferred to a digital wallet controlled by both the hacker and the company.
But some of the money is still outstanding.
“The hacker still holds $33.4m of stolen Tether [tokens] – because it has been frozen by Tether themselves,” Tom Robinson, co-founder of Elliptic, a London-based blockchain analytics and compliance firm, told the BBC.
He added that it could be seen on the blockchain that “a few thousand dollars’ worth of various other tokens” were being held onto by the hacker.
It was not clear, however, if these were part of the stolen assets, or donations that the hacker requested people to send them on Thursday, to compensate any users who might have lost money due to the hack.
Other money outstanding also includes a 13.37 Ether tip ($40,000), which the hacker sent to a user who warned them that the Tether tokens had been frozen by its developer.
The Poly Network hack occurred on Tuesday, when blockchain site Poly Network said hackers had exploited a vulnerability in its system and taken thousands of digital tokens such as Ether.
In a letter posted on Twitter, it urged the thieves to “establish communication and return the hacked assets”.
The anonymous hacker claimed he or she carried out the heist for fun and to encourage cryptocurrency exchange firm Poly Networks to improve its security.
Offer of immunity from prosecution
Poly Network said on Twitter it was still waiting for the repayment process to be completed, but that it is working with the hacker, whom the firm named “Mr White Hat”.
White hat hackers are ethical security researchers who use their skills for good to help organisations find security flaws.
image captionCyber-security experts are concerned that offering to pay hackers to return stolen assets could set a bad precedent
Poly Network has referred to the hacker in this way in multiple public posts. The hacker alleges that they were sent a message from the firm over the blockchain, saying: “Since we believe that your action is white hat behaviour, we plan to offer you a $500,000” reward.
They claim the firm added: “We assure you that you will not be accountable for this incident.”
The alleged move has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions.
Katie Paxton-Fear, a white hat hacker and lecturer at Manchester Metropolitan University, says that “labelling this hack as white hat is just really disappointing”.
Mrs Paxton-Fear has found over 30 vulnerabilities in organisations ranging from the US Department of Defense (DoD) to Verizon Media.
“White hat hacking is all about having a scope, not touching some systems, working with the team, writing professional reports detailing our findings, not going further than we have to to demonstrate risk,” she said.
“Our approach is ‘first, do no harm’, potentially verifying fixes are put in place and not putting any users data at risk.”
Charlie Steele, Partner at Forensic Risk Alliance and former Department of Justice and FBI official is also concerned about the alleged offer from Poly Network.
“Private companies have no authority to promise immunity from criminal prosecution,” he told the BBC.
“In this event where a hacker stole the $600m ‘for fun’ and then returned most of it, all while remaining anonymous, is not likely to lessen regulators’ concerns about the variety of risks posed by crypto-currencies.”