268 Mil to Spend or an IT Job With Possible Jail Time?
Which would you choose?
The mysterious thief who stole $600m-plus in cryptocurrencies from Poly Network has been offered the role of Chief Security Advisor at the Chinese blockchain biz. It’s been a rollercoaster ride lately for Poly Network. The outfit builds software that handles the exchange of crypto-currencies and other assets between various …
although the old country tale of setting a poacher as game keeper DOES spring to mind
the sheer size of this 'draining of resources' does actually beggar belief
and maybe Mr White Hat IS a true old school gentleman, who has no interest in money from others
Mr White Hat just banked an additional 500K for his 'troubles' :o)
In the '80s this happened with a major UK bank, one of the big five.
They knew one of their DP guys had fled the country with £Oodles. It was certainly "real money" and they knew he'd been putting it in a holding account before exiting-stage-left. But they had no idea where the funds had originated - there were no ledgers/transactions showing a loss, all balanced.
He was tracked down to Spain (I think). It was agreed the whole case would be dropped, he could keep the dosh and have a job as chief security bod at the bank if he spilled the beans and blocked whatever exploit he'd used. He accepted, and both parties held up their end of the deal.
How did he do it? He had noticed that in transactions involving exchange rates or interest etc, fractions of pennies were being truncated not rounded - the fractions were disappearing into thin air. So rather than them evaporating he put those fractions into an account he controlled. All real money, no trace.
 Many decimal places, word length I think.
PS. Does anyone else get pissed off with languages using "round half to even", aka bankers' rounding? It's crap for anything other than averaging out financial transactions, such as *anything using mathematics*. Fekkin bankers!
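The truncation leak the anecdote describes, reproduced alongside the aggregate reconciliation control that would have exposed it. This is an added example, not the commenter's code; the balances and interest rate are constructed sample data.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

PENNY = Decimal("0.01")
TRUNCATE = ROUND_DOWN       # what the anecdote describes: sub-penny fractions dropped
BANKERS = ROUND_HALF_EVEN   # "round half to even", the mode the PS complains about

# Constructed sample data (not from the thread): four balances in pounds and a
# monthly rate of 5.25% / 12, picked so the products have sub-penny tails.
BALANCES = [Decimal("1234.56"), Decimal("9876.54"), Decimal("333.33"), Decimal("50.07")]
RATE = Decimal("0.004375")


def exact_interest(balances, rate):
    """Interest owed per account at full decimal precision."""
    return [b * rate for b in balances]


def post_interest(balances, rate, rounding):
    """Amount actually credited per account, reduced to whole pennies."""
    return [(b * rate).quantize(PENNY, rounding=rounding) for b in balances]


def residual(balances, rate, rounding):
    """What the exact figures owe minus what was credited. Under TRUNCATE this
    is never negative and accumulates with every posting: the 'fractions of
    pennies' the anecdote says were disappearing into thin air."""
    return sum(exact_interest(balances, rate)) - sum(post_interest(balances, rate, rounding))


def reconcile(balances, rate, credited):
    """Aggregate control: the credited total must match the exact total to
    within half a penny per transaction, the most any fair rounding can move.
    A one-sided shortfall beyond that means pennies are leaving the books even
    though every individual posting looks correct in the ledger."""
    gap = sum(exact_interest(balances, rate)) - sum(credited)
    return abs(gap) <= (PENNY / 2) * len(balances), gap


if __name__ == "__main__":
    for name, mode in (("truncate", TRUNCATE), ("bankers", BANKERS)):
        credited = post_interest(BALANCES, RATE, mode)
        ok, gap = reconcile(BALANCES, RATE, credited)
        print(f"{name:9} credited={sum(credited)} gap={gap} reconciles={ok}")
```

Run on these four accounts, truncation leaves a 0.028 pound shortfall against a 0.02 tolerance and fails the control, while bankers' rounding lands within 0.002 and passes.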
Two problems with this kind of poacher being turned into gamekeeper (in this case chief gamekeeper):
 as the starting point is inadequate ethics, loyalty can only be assumed until a better offer comes along (however that offer may be couched)
 just because this person carried out one breach successfully, there's no guarantee that they have the breadth of knowledge and expertise to protect the organisation against an entire threat landscape.
I don't disagree Mike. I may be incorrect in stating the post was head gamekeeper - unsurprisingly there's not a blog or Guardian article covering this. I've seen it in print somewhere, but dust in the wind.
 In security loyalty should always be assumed absent. No agent, double- or triple- should be trusted. But they exist and are used. Loyalties do change genuinely. This case is unusual in that, even though it's almost certainly a crime there really was no victim as the bank was just evaporating the cash anyway.
 Agreed. I don't comment (or have info, referenced or hearsay) regarding other aspects of his skill set. There was no (security) breach.
As I can't cite any references, it's understandable if the anecdote is treated as myth. I personally accept it, both as plausible and through those that have relayed it to me.
While this is going on, see what transactions people connected to Poly Networks are doing. You're busy looking at this ridiculous nonsense, and not looking at the exit scam scenarios.
Poly Networks would close down now, they've lost a huge amount of other people's fluff-stuff, their network is not secure, and the cloud of suspicion is over them.
It was never *their* fluff-stuff, so they could never make such a promise of 'no-prosecution', they know that, he knows that, that makes no sense.
Sending back fluff-stuff and creating more IP and fingerprint data makes no sense.
Sending more fluff-stuff while asking for the return of old fluff-stuff, again makes no sense.
Stealing it in the first place, every transaction logged forever and public to everyone, again makes no sense.
You're focussing on ONE receiving account and being told this is the ONE thief's account, that claim came from Poly Networks, a participant in this little dance going on! Poly says 'look over there' and you look!
It should be clear to everyone here, that this is worthless shit we're talking about. It is the value of monopoly money, in a game. At some point the Chinese authorities have to pull the plug on these crypto scams, and at some point the Chinese police have to start raiding these companies and ending these scams.
You want to be world leader China? Stop the chest-beating, start the leading....Start here, with a full crypto ban.
Many will be following China and Mr White Hat to discover the result and reward for a successful and virtually remote and relatively anonymous and failsafe secure penetration test, for such appears to be the case here which you have considered a charade, Anonymous Coward. Others however would ponder on it and wonder where it will lead for it is certainly unusual and quite different and sure to be generating a lot of monied interest interested in seeing/learning how such a charade/shenanigans can provide and guarantee a mutually beneficial profitable outcome.
That is China being a world leader, is it not?
Your posted negativity is rewarded with a downvote which is richly deserved.
Ps .... Given the utter hash the Five Eyed West and its allies are making with their warrior incursions and ill conceived foreign interventions on the global geo-political stage in support of status quo arrangements, a different lead to follow elsewhere would surely be extremely welcome, methinks.
See the future here. China will pull the plug on this crap, police raids will follow, and given the giant size of China's "fluff-stuff mines", the rest of the world will follow *their* more decisive lead.
You call him "Mr White Hat", I call him "Mr Poly in a different hat, with a stuck on moustache".
His hat only became white, when Mr Poly invented a bug bounty, and they/him pretended it was a bounty after the fact.
An actual white hat would never have taken any money (or maybe just a few cents, to prove the possibility). He would have contacted the company and told them how it would be possible to take some.
This asshole took the money, got caught (well, detected and blocked), and only then pretended it was all in good faith.
Calling that scum a white hat is an egregious insult to actual, honest white hats everywhere.
An actual white hat would never have taken any money...
I fully agree.
However, it does seem more and more like an inside job, either a theft attempt or a publicity stunt.
Mr WH takes funds.
Mr Poly gets cosy with Mr WH.
Mr WH climbs into bed with Mr Poly and secures their systems "to infinity and beyond".
Mr Poly claims "We're so safe! Run with us!"
If Mr WH does not go on board with Poly it was probably a theft gone wrong, if he does it's more likely publicity IMHO.
That was on my list of options too, but it really doesn't make sense. They've nicely publicized that they could be hacked and all the cash stolen. Some people might assume that it's better to employ someone who at least detected and prevented the attack, but others will decide that working with someone who has already been hacked once is a bad sign. In which case the publicity isn't very useful.
I'm a bit curious: who is PolyNetwork exactly? They've been vaguely described as "Chinese", but that doesn't say much, and I've not been able to find any information: no link on their website that I can see, and all searches only return articles about the hack.
So, where are they headquartered, who are their executives, that sort of thing? Thanks!
Biting the hand that feeds IT © 1998–2021