A hacker who stole just over $600m (PS433m) worth of cryptocurrency was offered $500,000 and immunity as a reward for returning the money.
Poly Network made a controversial offer after the hacker pledged to send back the money.
The attack was uncovered on Tuesday when Poly Network publicly pleaded with the hacker to help.
One former FBI official said, “private companies have no authority to promise immunity from criminal prosecution.”
This attack is the biggest hacking heist in history. Poly Network claimed that the attacker had exploited an insecure feature of its system.
Most of the money has now been given back, although the hacker says they are not interested in the reward.
Shortly after the hack, the anonymous individual posted notes to the publicly available blockchain taunting the company and asking for advice on how to launder his stolen riches.
Later, the criminal claimed “not to be interested in money” and promised to return it all.
By Thursday evening, Poly Network said most of the remaining assets in the hacker’s possession had been transferred to a digital wallet controlled by both the hacker and the company.
Poly Network says it is still waiting for the repayment process to be fully completed but that it is working with the hacker.
A portion of the stolen coins was frozen shortly after the attack have not yet been transferred but can’t be used by the hacker anyway.
“The hacker still holds $33.4m of stolen Tether [tokens] – because it has been frozen by Tether themselves,” Tom Robinson, co-founder of Elliptic, London-based blockchain analytics and compliance firm.
He added that it could be seen on the blockchain that “A few thousand dollars worth of various other tokens” were being held onto by the hacker.
However, it was unclear if these were stolen assets or donations that the hacker asked people to send on Thursday to thank them for their return of the money.
Other money outstanding also includes a 13.37 Ether tip ($40,000), which the hacker sent to a user who warned them that the Tether tokens had been frozen by its developer.
The anonymous hacker posted a three-page Q&A online, claiming that he or she did the heist to have fun and encourage Poly Networks to improve its security.
Poly Network appears to have accepted the explanation and dubbed the hacker “Mr. White Hat.”
White hat hackers are ethical security researchers who use their skills for good to help organizations find security flaws.
Poly Network confirmed that it sent a note to the attack saying, “we believe that your action is white hat behavior, we plan to offer you a $500,000” reward.
The firm stated that it would not hold you responsible for the incident. “
The alleged move has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions.
Katie Paxton-Fear, a white hat hacker and lecturer at Manchester Metropolitan University, says that “labeling this hack as a white hat is just really disappointing.”
Mrs. Paxton-Fear has found over 30 vulnerabilities in organizations ranging from the US Department of Defense (DoD) to Verizon Media.
“White hat hacking is all about having a scope, not touching some systems, working with the team, writing professional reports detailing our findings, not going further than we have to demonstrate risk,” she said.
“Our approach is “first, do no harm,” potentially verifying that fixes have been implemented and not putting users’ data at risk. “
Charlie Steele, Partner at Forensic Risk Alliance and former Department of Justice and FBI official, is also concerned about the alleged offer from Poly Network.
“Private companies have no authority to promise immunity from criminal prosecution,” he told the BBC.
“In an event where a hacker took $600m ‘for entertainment’ and then returned most, it is unlikely to lessen regulators’ concerns about the many risks presented by crypto-currencies. “