Crypto start-up Nomad is offering 10% bounties to retrieve as much as $190 million in digital currency that was seized in a massive hacking attack this week.
Nomad made the announcement in a Twitter post, which included the address to its crypto wallet, and said anyone who returns at least 90% of their share of the stolen funds will be considered a “white hat” – hackers who work with companies to probe their networks, in some cases taking payment in exchange for identifying security flaws. It promised not to pursue legal action against these people, but also reiterated its determination to recoup stolen funds one way or another.
“Nomad is continuing to work with its community, law enforcement and blockchain analysis firms to ensure all funds are returned,” the company wrote.
The theft occurred when a vulnerability in Nomad’s code allowed hackers to make off with nearly $190 million worth of tokens. More than $20 million had been recovered as of Friday morning, according to Etherscan, a blockchain analysis platform.
Nomad functions as a blockchain bridge, which allows users to move assets from one blockchain to another – such as from bitcoin to ethereum. But that also makes them vulnerable on what security experts call “both sides,” weaknesses on either blockchain.
The blockchain analytics company Elliptic Connect said the Nomad breach was the seventh major incident involving a crypto bridge in 2022, and the eighth largest crypto theft of all time. Another crypto bridge, known as Ronin, suffered a $625 million theft earlier this year. In that case, hackers infiltrated the underlying blockchain powering the popular video game Axie Infinity, making off with some 174,000 ethereum.
“Bridges have long been known to be attractive for cyberhackers,” Elliptic Connect wrote in an unsigned blog post. “They typically hold large liquidity, as users wishing to convert funds across blockchains typically lock their assets within their contracts. They also operate on blockchains that are relatively less secure.”
The Nomad attack was known as a “free-for-all” because the original hacker’s code allowed anyone to copy it, opening the floodgates for anyone to join the fray and pull funds out. Elliptic Connect said it has identified more than 40 “exploiters,” including one hacker who amassed just under $42 million by automating the process of withdrawing money.
By effectively paying hackers, Nomad is employing a strategy that tech companies have long relied on to evaluate and improve their networks.
Microsoft, for example, proclaims “let the hunt begin!” on its own bug bounty page, which offers as much as $60,000 for vulnerability reports on the company’s Azure cloud platform, or $20,000 for vulnerability reports on the online gaming platform Xbox Live. Comparable assessments for Hyper-V, a code virtualization program, can go as high as $250,000. In 2016, the Defense Department launched a bug bounty program of its own called “Hack the Pentagon.”
Nomad is not the first crypto firm to directly engage with hackers.
Last August, a crypto platform called Poly Network was the target of a major attack in which someone stole more than $600 million in tokens, according to CNBC. The thief had exploited a vulnerability in the company’s network code that allowed users to transfer funds into their own accounts.
But in an unusual twist, the hacker then opened a dialogue with Poly Network staff and ultimately returned the funds, CNBC reported. According to press reports, the company issued a statement calling the hacker “Mr. White Hat,” offering a $500,000 bounty and extending an invitation to become the platform’s “chief security advisor.”
Cryptocurrencies in general have suffered steep declines in value throughout 2022 as bitcoin, ethereum and other digital currencies have sold off along with the broader stock market. As of Friday morning bitcoin stood at roughly $23,000, up about 14% in the past month. That compares with more than $66,000 in November 2021.