Why are large projects willing to pay hackers?



In early July, a hacker attacked the Crema Finance crypto project and stole $8.7 million. After lengthy negotiations, the hacker agreed to return the stolen funds while keeping about $1.65 million, although the company had initially offered a “bounty” of $800 thousand. At the end of June, the XCarnival crypto platform agreed to let the hacker keep half of the stolen funds, 1,500 ETH ($1.78 million), in exchange for the return of the remaining part.

There is an established practice in the industry of large projects hiring hackers to search for vulnerabilities in cryptosystems. In the cases of Crema Finance and XCarnival, however, we are talking about projects that were actually hacked. And in both cases, the developers decided to negotiate with the attackers and pay them monetary compensation rather than start legal proceedings.

RBC Crypto experts explained why crypto projects choose a strategy of negotiating with hackers instead of contacting law enforcement agencies, and what this can lead to.

The path of least resistance

This option is chosen because of the difficulty of tracing cryptocurrency and returning it to the legal field, said Mikhail Bystrov, partner and head of the FinTech & Crypto practice at the DRC law firm. He also noted the significant amount of time and resources needed for an investigation.

According to the lawyer, when it comes to tracing a cryptocurrency that is “anonymous by design”, such as Monero or the anonymous variants of ZCash and Dash, there are essentially no tracing tools available.

Recovering funds through legal channels after a platform is hacked can also be extremely difficult or even impossible, the expert explained. He added that, at a minimum, the offender must be identified, which is almost impossible when serious professionals are involved.


“It is impossible to predict how much time and money it will take to search for and return cryptocurrencies in such situations. So I would call the option chosen by the sites the “path of least resistance”, aimed primarily at returning assets with the least losses,” the lawyer believes.

There is no other solution

There are few alternative courses of action here, according to Bystrov. He explained that if we are talking about a traceable cryptocurrency, such as Bitcoin or Ethereum, its movement can be followed with the tools available on the market (Chainalysis, Crystal, CipherTrace, etc.).

Usually, the stolen cryptocurrency is immediately converted into the anonymous cryptocurrencies already mentioned, or passed through a new generation of mixers, after which the trail of the funds is lost, says Bystrov. He believes that it is possible to try to initiate an investigation with the help of international or local law enforcement agencies (Interpol/Europol, the FBI and others), but this is not easy either.

The specialist acknowledged that there have been isolated cases in which, after the theft of substantial funds, companies on their own initiative hired “counter” hackers to track down the specific persons involved, and even resorted to the services of mercenaries for the “forceful return” of funds. Bystrov stressed that such actions, where they occur, are clearly outside the legal field and cannot be considered “standard” or recommended.

Platforms are not always able to guarantee the full security of crypto investors’ assets, and hackers take advantage of this, according to Pavel Utkin, a leading lawyer at the Parthenon Joint Legal Center.

According to the expert, returning funds to customers in exchange for a reward paid to the hackers seems to be the only more or less clear option for companies until the issue of cybersecurity is resolved.

“Given that crypto exchanges are actively reducing staff, and mining is becoming less and less profitable, investments in cybersecurity may sink in the next year or two,” Utkin warned.

Artem Deev, head of the analytical department at AMarkets, agreed with him. According to him, it is quite difficult to counter fraud in this area by other methods, since it requires investment in security systems, and that means additional funds. It is easier for companies to pay off criminals than to strengthen data protection systems and other security measures, the expert believes.

A wave of hacks

Negotiating with hackers and paying them rewards will lead to an even greater increase in the number of attacks on cryptocurrency resources, according to Deev. He recalled the principle followed by the security services: they do not negotiate with terrorists and do not pay blackmailers.

“Cryptocurrency platforms act in such a way that they demonstrate to fraudsters and criminals a weakness that they may perceive as permissiveness. This is a sad experience that can lead over time to a multiple increase in crimes in the field of cryptocurrencies around the world,” the expert is sure.

However, Mikhail Bystrov, partner at the DRC law firm, believes that even if such actions by the platforms lead to a wave of hacks, this can have an exceptionally positive effect on the market. According to him, it will immediately reveal projects that treat the security of funds and user data carelessly. It will also force the “white” platforms to strengthen their protection systems as much as possible, the expert is sure.

“I see only advantages in this, since it can help clear the market of outright scam projects and improve the work of “white” sites. And hackers who identify such system vulnerabilities will help with this cleaning of the market and will have an opportunity to make good money,” concluded Bystrov.