Rewarding hackers who return stolen crypto dissolves the traditional distinction between White Hat and Black Hat hacking.
The distinction between “White Hat” and “Black Hat” hacking has long been used to distinguish between ethical and illegal forms of hacking.
White Hat hackers earn money through bug bounty programs that reward people for reporting software vulnerabilities. Meanwhile, their Black Hat peers seek to exploit vulnerabilities for personal gain. However, in the crypto space, an increasingly prominent third path sees hackers steal assets, but then return them after negotiating a reward.
In the latest instance of the phenomenon, a hacker who lifted 5,000 ETH from an HTX (formerly Huobi) hot wallet has returned 95% of the stolen cryptocurrency.
On September 25, a cyber attack successfully siphoned 5,000 ETH worth around $8M from one of HTX’s hot wallets.
In the immediate aftermath of the exploit, HTX advisor Justin Sun offered to reward the hacker with 5% of the stolen funds in exchange for their return.
On top of the reward, Sun also offered to hire the wallet drainer as a “security white hat advisor.”
However, he cautioned that “if the funds are not returned within 7 days, we will transfer the information to law enforcement authorities for further action and to prosecute the hacker.”
On October 7, Sun confirmed that the hacker had taken HTX up on its offer.
In the past year, hacker rewards like the one paid out by HTX have surged in popularity.
For instance, when hackers exploited Curve Finance liquidity pools in July, resulting in the theft of approximately $70 million worth of cryptocurrency, several affected DeFi platforms incentivized the return of the stolen funds by offering a 10% bounty.
After offering the rewards, Alchemix and JPEG later announced that the Curve exploiter had returned the majority of the stolen crypto. As a result, the DeFi firms said they would cease efforts to identify the hacker and pursue legal action against them.
According to research by Immunefi, as a result of the Curve recoveries, as well as two other similar instances of reward payments, $61,169,000 worth of stolen crypto was returned in Q3 2023, representing 8.9% of the total losses for the quarter.
Indeed, the report reveals that crypto hacks resulted in a 66.1% increase in losses compared to the same quarter last year. What is even more noteworthy is that the percentage of recovered funds more than doubled, jumping from a mere 4% in Q3 2022.
Of course, some might argue that rewarding hackers amounts to paying a ransom while doing little to discourage further crimes.
However, identifying hackers is notoriously difficult, let alone successfully convicting them or recovering funds. And post-hack bounties are significantly less costly than admitting defeat.
Meanwhile, from the hackers’ perspective, although a 5–10% reward is significantly less lucrative than keeping the entirety of their stolen loot, it still represents a higher payout than the typical White Hat bug bounty. And the promise of indemnity has clearly been enough to convince at least some hackers to take the reward.