New alarming research from Naoris Protocol, a global cyber security firm, reveals many people believe black hat hackers — criminals who break into computer networks with malicious intent — should be paid a percentage of the funds they steal and face no prosecution if they return the majority of their spoils.

Some 48% of people who took part in a Naoris Protocol poll that ran across its social media channels and partner communities in December 2022 said they agreed with this view, 38% said they disagreed, and 13% were unsure. Those taking part in the poll work in cybersecurity, CeFi, DeFi, and traditional Web2 and Web3, or they have an interest in these areas.

Debate has been raging around the question of whether it should be an accepted practice that hackers go unprosecuted because they could be seen as performing a cybersecurity cleanup function. For some, this may be palatable if the hackers gave back 100% of whatever was stolen and provided the security fix in exchange for a reasonable bounty fee.

Naoris Protocol says there is a strong movement supporting the role of legitimate, ethical hackers who work within the confines of a corporation’s bounty rules. Many companies now view bounties as an integral part of their cybersecurity budgets. For example, the total bug bounty market was valued at $223 million in 2020, and according to research company ATR, it is expected to grow 54% per year, reaching $5.5 billion by 2027.

“Letting hackers get away with their nefarious activities not only undermines the entire ethos of a decentralized financial system, but it also promotes behavior that fosters distrust, and it will not assist in the mass adoption of blockchain and decentralized systems to replace outdated centralized processes,” said Monica Oravcova, co-founder and chief operating officer, Naoris Protocol. “Therefore, it cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change. The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed. It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and will result in a destabilized market.” 

There are instances where hackers have been offered huge bounty payments and employment contracts in return for sharing how the breach occurred and returning the funds. LodeStar Finance, which was hacked to the tune of around $6.9 million at the end of last year, put out a plea for the return of funds with a “generous negotiable reward” as part of a white hat settlement.

However, these offers are not always taken up. Qubit Finance offered $2 million that was ignored after an $80 million hack. Similarly, Harmony offered $1 million that also fell on deaf ears. This may be because hackers can make larger gains by laundering the proceeds through systems like Tornado Cash (a mixer that lets crypto users obscure the history of their transactions, making them extremely hard to trace), and the high rewards are too good to miss.

On some occasions, this incentive has worked and has seen hackers return part of the stolen funds, as with the Poly Network $600 million hack, where most of the money was returned. Although Ronin and Nomad Bridge also saw some funds returned after the hacks they suffered, the amounts were insignificant compared to what was stolen.

“The notion that it’s acceptable for a hacker to steal — and it is definitely theft — money from a protocol or platform by doing a hack and then getting paid for that malicious hack with money from the platform, could, in fact, incentivise hacks, making it a legitimate business practice,” Oravcova said. “So just because a hacker is nice enough to return part of the funds doesn’t make it a good practice. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy, to say the least.”

Naoris Protocol warns that these types of breaches will continue to happen because there is no accountability or criminalization of hacking activity. It says a “just pay the hacker” approach is going to increase the risk for DeFi and other centralized and decentralized platforms because the fundamental weaknesses are not resolved. This creates what amounts to a bounty for hacking a platform and will not have the desired effect, as the payout is simply too high for hackers to be satisfied with a single payoff, according to Naoris Protocol. 

The company warns it could even precipitate massive syndicates colluding to skim as much money as they can out of the system. Naoris Protocol says this is not only unhealthy, but it could also signal the demise of the entire ecosystem.