Nomad offers 10 percent bounty in $190 million cryptocurrency hack
Crypto startup Nomad is offering 10 percent bounties for the return of as much as $190 million in digital currency stolen in a massive hacking attack this week.
“Nomad continues to work with the community, law enforcement and blockchain analytics firms to ensure all funds are returned,” the company wrote.
The theft occurred when a vulnerability in Nomad’s code allowed attackers to drain nearly $190 million worth of tokens. More than $20 million had been recovered as of Friday morning, according to Etherscan, a blockchain explorer and analytics platform.
Nomad is a blockchain bridge: it lets users move assets from one blockchain to another, for example from bitcoin to ethereum, by locking tokens in its contracts on one chain and issuing a matching representation on the other. That design also means a bridge inherits the weaknesses of both chains it connects, a risk security researchers have long pointed to, on top of any flaws in the bridge’s own code.
Blockchain analytics company Elliptic Connect said the Nomad breach was the seventh major incident involving a crypto bridge in 2022, and the eighth-largest crypto theft of all time. Another crypto bridge, known as Ronin, suffered a $625 million theft earlier this year. In that case, attackers compromised the Ronin sidechain that powers the popular video game Axie Infinity and made off with around 174,000 ether (ETH).
“Bridges have long been known to be attractive to cyber hackers,” Elliptic Connect wrote in an unsigned blog post. “They typically have great liquidity, as users looking to convert funds across blockchains typically lock their assets within their contracts. They also operate on blockchains that are relatively less secure.”
The Nomad attack became known as a “free for all” because the first attacker’s transaction was visible on the public chain and could be copied by anyone, opening the floodgates for others to join the fray and cash out. Elliptic Connect said it has identified more than 40 “exploiters,” including one who collected just under $42 million by automating the copied withdrawals.
By effectively paying the people who took its funds, Nomad is borrowing a strategy technology companies have long used to find and fix weaknesses in their systems: the bug bounty.
Microsoft, for example, proclaims “let the hunt begin!” on its own bug bounty site, offering as much as $60,000 for vulnerability reports on the company’s Azure cloud platform, or $20,000 for vulnerability reports on the Xbox Live online gaming platform. Top awards for Hyper-V, Microsoft’s hypervisor, can go as high as $250,000. In 2016, the Defense Department launched a separate bug bounty program called “Hack the Pentagon.”
Nomad is also not the first crypto firm to engage directly with hackers.
Last August, a crypto platform called Poly Network was the target of a major attack in which someone stole more than $600 million in tokens, according to CNBC. The thief had exploited a vulnerability in the company’s code that allowed a user to transfer funds to their own accounts.
But in an unusual twist, the hacker opened a dialogue with Poly Network employees and eventually returned the money, CNBC reported. According to press reports, the company issued a statement calling the hacker “Mr. White Hat,” offering a $500,000 bounty and extending an invitation to become the platform’s “chief security advisor.”
Cryptocurrencies in general have seen sharp declines throughout 2022 as bitcoin, ethereum and other digital currencies have sold off along with the broader stock market. As of Friday morning, bitcoin stood at about $23,000, up about 14 percent in the past month. That compares to more than $66,000 in November 2021.