The story of how Poly Network lost--and then recovered most of--$600 million in the largest cryptocurrency heist ever is something like a Christopher Nolan film. There are a lot of gaps and twists that make very little sense, even after you watch it a few times.
First, a hacker exploited a vulnerability in the software that allows users to transfer cryptocurrency from one ledger to another and made off with a $600 million haul. I mean, that alone would be a good movie, but it gets better.
Next, the company made the hack public with a "Dear Hacker" letter posted to Twitter. The letter asked politely if the hacker would mind returning the various crypto coins to the tens of thousands of affected accounts. Certainly, the hacker wouldn't want to be pursued by law enforcement, the letter warned.
Poly Network also offered the hacker a "bug bounty" of $500,000 for finding the flaw they exploited, though the hacker turned them down. I mean, at this point, it's simple math. $600 million is more than $500,000, so unless the hacker is a really nice guy (or gal), it's not all that surprising.
Except, as if this weren't strange enough, the hacker started to give the money back. At this point, all but around $30 million has been returned, though $200 million of that sits in an account requiring a key from both Poly Network and the hacker.
Finally, Poly Network has offered the hacker, whom it now refers to as "Mr. White Hat," a job. The whole thing is entirely bizarre, but offering Mr. White Hat a job as chief security adviser is not a twist I saw coming. Then again, it's kind of brilliant. I'll get to that in a minute.
"White hat" is a term used for hackers who attempt to find vulnerabilities and report them to affected companies to help them defend against malicious actors. Plus, the company has worked hard to make it clear that it isn't interested in prosecuting Mr. White Hat.
Instead, it has stated publicly that it views the hacker's exploitation of the flaw as the work of someone defending the system by highlighting a weakness that could be exploited, not as the act of an international crypto wallet thief.
Here's why Poly Network's response makes so much sense:
From the perspective of the hacker, I suppose that $500,000 and a get-out-of-jail-free card probably sounds better than living the rest of your life--with any amount of money--just waiting to get caught. Imagine being the person who stole $600 million, gave it back, and walked away without a scratch--or, more important, a criminal record.
For the company--which is obviously having a pretty bad week--this could be the best-case scenario. Losing $600 million doesn't exactly inspire the kind of confidence you value when you're asking people to trust you with their money.
Framing it as someone who found a bug, and not a major heist, might actually make people a little less anxious. Bringing the hacker on board could even inspire a greater degree of confidence that the company is serious about shoring up security.
More than that, it provides a lesson for every business, which is that trust is your most valuable asset. Losing $600 million doesn't exactly instill a lot of trust, and Poly Network cannot survive if its users don't trust that it can protect their money.
Even if the company's moves seem counterintuitive, if they end up restoring trust, that's the only thing that matters. In that sense, the response is brilliant.