Today I want to talk about bug bounties. You are probably sitting there thinking you have heard every pro, con, catch and opportunity these programs can offer. Well, maybe not.
In a move that will likely anger the majority of the cyber security community, the term “bug bounty” has been hijacked, or perhaps “redefined”, by some cryptocurrency platforms. These platforms have watched millions of dollars’ worth of digital assets vanish right under their noses and have now made a rather surprising move: they have decided to offer their attackers what they are calling a “bug bounty”.
In essence, they are saying “keep some of what you stole and give us back the rest”. Not quite the definition of a bug bounty that I am used to reading about.
It ultimately seems to be a last-ditch attempt by these platforms to all but beg attackers to return some of the stolen funds. Some platforms have offered attackers as much as $10m. Using the term “bug bounty” is almost certainly a move to make it look more “warm and fluffy” than it really is. Perhaps the one thing more morally questionable than paying a ransom demand is freely offering your attacker a cut of their loot! Using the term “bug bounty” in this way lends the practice legitimacy, and undeniably dilutes the good work that actual security researchers do.
Let’s hit pause on the Twitter outrage for a second though and examine the causes behind this move.
“White hat bug bounties” and many heists
Digital currency has been a focal point of attacks for a while, with North Korean-linked groups having stolen over $1 billion from DeFi platforms according to Chainalysis. Recently it has been multi-million-dollar heist after multi-million-dollar heist.
Crema Finance, a DeFi trading platform, suffered the theft of just shy of $9m worth of cryptocurrency. They desperately tried to trace the stolen funds across various blockchains. However, after only a few days they released a curious statement. They claimed to have “made contact” with their attackers and that, following a lengthy negotiation, they had “agreed” to let them keep $1.7m of the stolen crypto as, and I’m not making this up, a “white hat bounty”. Yes, you read that correctly! Following this so-called bounty, or deal, or whatever you want to call it, Crema made another statement saying “we don’t think that the final outcome is perfect”. On that we are agreed!
How and why have we found ourselves here?
Why are we in a position where these platforms have to bargain, or I suppose beg, for their money back?
The uncomfortable truth is that these cryptocurrencies aren’t easy to trace to a real-world identity, let alone freeze or seize, if the holder doesn’t want them to be. Crypto pros will often tell you that the platforms promote decentralised finance, positive anonymity and consensus, which increases reliability and integrity. All of which is true. However, I’ve spent a lot of my free time diving into the blockchain and cryptocurrency world to investigate how ransomware groups are able to move and clean so much money. One thing I’ve realised (and I’m sure the crypto world will now vocally disagree with me) is that these platforms, “currencies” and the ideology it’s all built upon may well be a valiant effort to regain individual control of finance, but they have also provided the perfect money laundering machine for criminals.
I won’t delve into how this money laundering process works or its technical details here; suffice it to say, it’s difficult to accurately trace, freeze and seize these assets. As a result, these platforms (who you could argue should have better visibility and control) have had to resort to bargaining with attackers to try to get some, or any, of the money back.
Disrupting the disruptive technology
Some law enforcement agencies, regulators and a few platforms themselves have had some luck in tracing and seizing assets, but most of this success has been down to the attackers making a big mistake and getting caught. That said, there are some companies developing more advanced capabilities in this space. Ultimately, all successful disruption by law enforcement and regulators makes a difference and makes the lives of criminals a little bit harder. Undoubtedly a good thing.
Issues with “white hat bounties” for criminals
So, there are some questions that I feel we need to ask here. Let’s start with the most morally challenging.
How do you check who you are paying?
We will look at this in more detail in another piece I’m writing about ransomware groups, but, limiting it to this crypto context for a moment, there are some big issues.
The platforms have generally been pretty open and have often tweeted their offers to the attackers. But morally this puts them in a difficult position, especially when they then need to negotiate with someone who has just stolen from them. Crypto platforms are businesses which, to a greater or lesser extent, have to follow and abide by the same laws as any other business. That could include the prohibition on paying a recipient who may be linked to a terrorist organisation or engaged in money laundering. How can platforms satisfy themselves, to any reasonable extent, that the recipient isn’t carrying out or supporting terrorism? At best they can screen the attacker’s addresses against published sanctions lists, but a freshly generated address will match nothing. Ransomware groups have a history and a “brand” that can, to some degree, be checked; that’s unlikely to be the case here. So are they just relying on some slightly dubious due diligence? Or perhaps hoping that their “bounties” don’t actually constitute a payment, because the attacker is returning the assets minus a pre-agreed amount? Who knows.
Why would the attackers accept the offer?
So you may now be asking – “if the attackers know they have pretty much got away with the theft, why would they return all that money only to keep much less?” Well, the short answer is that many attackers don’t.
Platforms haven’t had much luck yet. In January 2022 Qubit Finance tweeted that they would offer $2m if the attackers gave the remaining $78m back. The attacker declined. Harmony, another DeFi project, responded to the theft of around $100m with an offer of a $1m “bounty” to the hackers, along with a promise not to pursue criminal charges. They didn’t get a positive response, so they increased their offer to $10m.
But some attackers do, and there is actually a good reason to: clean money. That money has been “paid” to them as a fee, and it is now easy to off-ramp to traditional finance and spend as they wish because, on paper, it comes from a legitimate source. (Only on paper, though: the receiving address is still publicly tied to the hack, and exchanges and chain-analytics firms can flag it just the same.) They could reject the offers and continue to clean their stolen assets through mixers, privacy coins and chain hopping (we will cover these in a later post), but that’s a lot of effort, and maybe this is the path of least resistance for some.
The big concerns for the cyber security community
So what is the problem? Are we just deeply offended by the use of language these platforms have employed? What problems does this actually create for us?
Damage to security researchers
One of my concerns goes beyond mere offence at the fact that a term popularised by my community has been effectively hijacked. This redefinition could in fact be seriously damaging to legitimate security researchers, whose actions are already under close scrutiny. Many researchers have found themselves on the wrong side of rather antiquated laws whilst pursuing noble goals.
The cyber community is now pushing for legal protection for researchers, so that vulnerabilities in products and services can be found, revealed and fixed without fear of repercussions. When crypto platforms incorrectly conflate legitimate security researchers with attackers, as they now have, there is a danger that lawmakers will understandably get confused and perhaps even be put off providing such legal reassurance.
Feeding the problem?
Offering attackers a cut of what they stole isn’t a workable solution, nor one that society is likely to accept.
If you were to apply this solution to a physical crime such as house burglary, you would think it utterly ridiculous: “You can keep the TV if you give back the jewellery and the laptops”. This isn’t the kind of relationship we want with criminals, and it will likely come back to haunt us if this becomes common practice.
Cyber and Cryptocurrency collaboration
We have reached a point where the cyber community and the cryptocurrency community need to work more closely together. Our causes, like it or not, are more intertwined than we think, and the money from ransomware attacks and other forms of digital crime is moving through the cryptocurrency world. A lot more visibility is needed to make it more difficult for attackers to move, clean and off-ramp cryptocurrency. We can’t have a situation where these heists are successful and effectively the perfect crime. We don’t want these platforms to be losing millions of dollars’ worth of crypto assets either. This scenario is not dissimilar to the ransomware debate we know so well: do you pay and save the company, or refuse and risk losing everything?
I don’t think we ought to be calling these payments “white hat bounties”. Doing so legitimises what is prolific criminal activity. We have to remember that these platforms are the victims. Nobody wants the victim of a crime to suffer, but paying these fees likely sustains a parasitic ecosystem that ultimately makes all of our lives harder, which we definitely do not need!