About a week after a hacker stole US$600 million from PolyNetwork in what was likely the biggest heist in the history of so-called decentralised finance (DeFi), the victim has offered its attacker a job. On Tuesday, in an act of gratitude or perhaps exasperation, PolyNetwork offered Mr White Hat a job as "chief security adviser".
The hacker claimed the attack against the PolyNetwork platform - which lets users swop tokens across multiple blockchains - was an act of "hacking for good" to "save the project". The attacker has since promised to return the money and so far delivered about half of it.
PolyNetwork links some of the world's top digital ledgers and blockchains but it announced on Tuesday that a hacker or hackers had exploited a vulnerability in its system which allowed them to access various digital ledgers and transfer funds away from the network to their own online wallets.
The heist is thought to be a record for digital assets. It is similar in scale to attacks which previously took place on the exchanges Mt Gox and Coincheck. The value of the stolen digital coins plunged by around a third as news of the crime spread and crypto traders began a sell-off.
In the aftermath of the digital raid, PolyNetwork posted a series of tweets announcing the news, calling on crypto networks to blacklist the hackers and pleading with the hackers themselves to return the assets.
'Dear Hacker'
News of the theft casts further doubt over the area of cryptocurrencies and decentralized finance, given how the sectors have been dogged by claims that they are excessively vulnerable to hacking. The lack of protection for the owners of the assets has also been highlighted by the way in which PolyNetwork has attempted to engage the criminals.
"Dear Hacker," an online "letter" from PolyNetwork began.
"We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in the defi (decentralized finance) history. Law enforcement in any country will regard this as a major economic crime and you will be pursued."
"It is very unwise for you to do any further transactions. The money you stole are from tens of thousands of cryptocommunity members, hence the people. You should talk to us to work out a solution."
As well as this letter, PolyNetwork posted online addresses used by the hackers — long alphanumeric strings — and called on affected blockchain and crypto exchanges to blacklist tokens coming from the addresses, in an attempt to freeze out the hackers.
No guarantees
PolyNetwork's model allows users to transfer tokens across different blockchains and networks. That is a significant selling point in a sector where some of the world's biggest blockchains, such as Ethereum and Binance Chain, run on their own technologies, meaning it is not easy for owners to trade them for other investments on other platforms.
The idea behind this decentralized-finance model is that digital assets can be traded without intermediaries, processing fees or clearing houses.
According to the digital wallets of the hackers, the details of which were posted online by PolyNetwork, the stolen assets comprised $270 million on Ethereum, $250 million on Binance Chain and $84 million on the Polygon network.
There will now be much focus on what happens with the stolen assets, given that a significant part of the appeal for cryptocurrency users is the anonymity and lack of regulation. Changpeng Zhao, chief executive of Binance, said "no one controls" its blockchain in the aftermath of the theft, and added in a tweet: "We are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can."
Regulating the Wild West
The lack of regulation in the sector will now come under even heavier scrutiny following the heist.
Owners of digital assets in the UK, the EU and the US have far less protection than those who own assets with banks, traditional brokers or asset managers.
"When it comes to consumer protections, the quick answer is there aren't any. Regulators and policymakers are still struggling to define what it is," Anthony Morrow, chief executive of financial advice service OpenMoney, told the Financial Times earlier this year.
The lack of protection available to owners of digital assets has been strikingly highlighted in the past by examples of owners losing their passwords or private keys to accounts and digital wallets and therefore losing access to their money, however much of it there is.
However, protection from fraud and theft is an even more basic expectation of consumers and investors.
Earlier this month, Gary Gensler, chair of the Securities and Exchange Commission (SEC), which regulates US markets, called on lawmakers to give regulators more capacity to fight such crimes on digital asset platforms.
"Right now, we just don't have enough investor protection [in crypto]," he said. "Frankly, at this time, it's more like the Wild West ... this asset class is rife with fraud, scams and abuse in certain applications."
"There's a great deal of hype and spin about how crypto assets work. In many cases, investors aren't able to get rigorous, balanced and complete information," he said, adding that if regulators didn't address these issues, he was worried that "a lot of people will be hurt."