Bounties Playing Prominent Role in Stolen Cryptocurrency Recovery Efforts

TRM InsightsInsights
Bounties Playing Prominent Role in Stolen Cryptocurrency Recovery Efforts

Hacked cryptocurrency companies and platforms are increasingly turning to bounties as part of incident response efforts to recover stolen funds, with hacked platforms offering bounties in at least 20 hacking incidents so far in 2022, according to a review by TRM Labs of publicly-reported incidents. Agreeing to a bounty provides hackers a way potentially to minimize the likelihood of discovery while keeping a portion of the illicit gains. According to public reporting, bounties have helped facilitate the return of over $160 million worth of stolen cryptocurrency in eight hacks* in 2022, with bounty offers ranging widely from about 5% to 50% of stolen funds (see Figure 1).

Figure 1: Select hacks with bounty offers in 2022. Not all depicted bounties were accepted by the perpetrator.
  • In mid October, the Solana-based trading platform Mango Markets approved a $47 million bounty offer to the individual or individuals that exploited its platform for $114 million on 11 October. As part of the deal, Mango Markets agreed that it would not press charges even though the identity of at least one of the exploiters was publicly known. This is the largest successful bounty in absolute terms that TRM has detected.
  • In June, the hacker that stole $3.8 million in cryptocurrency from NFT lending platform XCarnival accepted a bounty offer of nearly 50% of stolen funds, returning approximately $2 million in ETH in exchange for XCarnival’s assurances that it would not pursue legal action (see Figure 2). As a percentage of stolen funds, this is the largest successful bounty TRM has detected this year.
  • In June, the hacker that made off with about $16 million in tokens from Optimism, an Ethereum scaling solution, accepted a bounty of about $1.6 million, or 10% of stolen funds, from the company.

Over half of public bounty offers so far in 2022 were declined or went unanswered, possibly because the hacker perceived a low likelihood of being identified or, in the case of state-sponsored hackers, was not concerned with the consequences of being identified.

*We define hacks broadly in this paper, to include smart contract and code exploits, as well as general security breaches, such as stolen private keys.

Blockchain Intelligence Tools, Greater Cryptocurrency Ecosystem Transparency Increases Risks to Hackers

Powerful blockchain analytics tools and growing transparency by hacked platforms have made it more challenging for hackers to steal, move, and launder funds without detection. In addition, recent high-profile arrests have highlighted the legal risk of undertaking hacking and laundering activities. 

  • Powerful blockchain analytics tools are making it harder for hackers to evade detection when moving stolen funds. Attackers aiming to cash out stolen funds often try to obfuscate their source by moving them through mixers, cross-chain swap services, and other complex transactions. The growing sophistication of tools like TRM Forensics – an investigative tool that can automatically trace through cross-chain bridges and swapping services, allows investigators to follow the flow of stolen funds in near real-time, often resulting in a stake out of the address or addresses where the funds are being consolidated, and in collaboration with law enforcement to freeze and recover funds. 
  • Increasingly, hacked platforms are quick to acknowledge attacks and publicize malicious transactions and addresses containing the stolen funds (see Figure 3). This transparency, combined with increased cooperation from services and individuals across the cryptocurrency ecosystem, can create effective roadblocks for hackers attempting to move or exchange stolen funds. Community-powered initiatives, such as the scam reporting platform Chainabuse, support this transparency by empowering anyone in the cryptocurrency economy to warn others about addresses or domains associated with scams, hacks or other fraudulent activity as they encounter them.

Public Bounty Offers Could Fuel Trend in Short-Term, May Transition to Pre-Hack Disclosure Model in Longer-Term  

TRM assesses that the public nature of bounties in cryptocurrency heists risks fueling the trend of post-hack bounty offers in the short-term if hackers perceive larger payouts from using their exploits to steal funds rather than simply disclosing a vulnerability. As the cryptocurrency ecosystem matures, pre-hack bounty programs may grow in popularity, helping prevent the exploitation entirely, much like how bug bounties are designed to work in the software industry. 

  • Post-hack bounty amounts may normalize over time as hackers are able to reference examples of other bounty offers to determine market rate. Bounties from blockchain hacks are often public as the victims need to broadcast the bounty offer (since they don’t know the identity of the hacker) and the repayment of the stolen funds from the hacker to the victim is typically captured on the public blockchain.
  • In early October 2022, the cross-chain decentralized exchange Transit Swap was exploited for nearly $30 million. Transit Swap responded by warning the hackers that it would publish their information if the stolen funds were not returned and offering a bounty, leading to the return of over $23 million. Transit Swap engaged in direct on-chain communication with the hackers, at least one of whom asked for a higher bounty offer in light of other hacking bounties (see Figures 5-8 for select on-chain messages between Transit Swap and the hackers).
  • Several pre-hack bug bounty programs for cryptocurrency have already been established, such as Immunefi, which offers bounties of up to $10 million. In early June 2022, Aurora, an Ethereum bridging and scaling solution, paid a $6 million bounty to an ethical hacker who discovered and disclosed a critical vulnerability in the Aurora Engine, according to press reporting. The exploit, had it been used, could have resulted in a theft of over $200 million.

Our Project Has Been Hacked – What Should We Do?

If your company has been the victim of a hack, TRM Labs can offer assistance through our Crypto Incident Response Services. Our cross-functional team works collaboratively with organizations to investigate and provide a bespoke response to cryptocurrency incidents. 

TRM Labs also offers incidence mitigation planning and advisory services designed to reduce the potential loss of funds and to protect your organization and customers. TRM’s proactive planning and advisory services will enable you to bolster your preparedness, response, recovery, and mitigation of incidents should they occur. Please reach out to our team today.

About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage cryptocurrency-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

TRM’s Global Investigations team conducts and supports cryptocurrency investigations to combat illicit activity and build trust and confidence in the cryptocurrency economy. Our investigators use TRM Forensics to trace NFT provenance, trace the flow of stolen assets and coordinate with relevant law enforcement partners.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.