Last week, an unknown hacker or hackers stole around 2,100 BTC ($118,500,000) and 151 ETH ($679,000) worth of cryptocurrency tokens from a blockchain company called BadgerDAO.
Now, the blockchain "bridge" protocol BadgerDAO is pleading with the hacker to return the stolen funds.
“You have taken funds that do not belong to you, but we are willing to work with you and compensate you for identifying this vulnerability in the systems,” BadgerDAO wrote in a public announcement. “We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties. Contact us to discuss further and do the right thing on behalf of the community.”
The hack on BadgerDAO took advantage of an old-school web-based attack: The hacker was able to steal an API key that gave them control of BadgerDAO’s account on Cloudflare, the project’s content delivery network for its site. This gave the hacker the ability to inject a malicious script on the site that prompted users to give up wallet permissions, which then allowed the hackers to steal customers’ cryptocurrency.
Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org
While asking a robber to return the proceeds of their heist may seem like a desperate, hopeless, strategy, it has worked before.
Earlier this year, the popular cryptocurrency platform Poly Network was hacked, and lost around $600 million. The company posted a public letter to the hacker, calling them “Dear Hacker” and “Mr. White Hat,” appealing to their goodwill. Surprisingly, after several public exchanges posted on the blockchain, the strategy worked and the hacker ultimately returned all the stolen funds.
People involved with BadgerDAO are, for now, cautious on whether this will work.
“[I am] not comfortable publicly sharing my personal opinion on it. We have professionals handling the strategy and don't want to possibly affect it,” a core team member of the Badger team, who goes by Jonto, told Motherboard in an online chat. “Team is largely focused on reopening the protocol and remuneration plans to bring forward to the community for discussion.”
It’s been a really bad week for cryptocurrency projects and exchanges. Over the weekend, hackers stole around $150 million from BitMart, an exchange that bills itself as “the most trusted crypto trading platform.” The company has promised to use its own reserve funds to compensate the victims, and—for now—it has not asked the hacker to return the loot.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.