Bitcoin Forum
Author Topic: [ON HOLD] Thoughts: paying hackers to get accounts back: ethical or not?  (Read 557 times)
LoyceV (OP)
Legendary
*
Offline Offline

Activity: 3304
Merit: 16587


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
December 10, 2018, 01:31:20 PM
Last edit: December 14, 2018, 08:12:49 AM by LoyceV
Merited by Welsh (5), shasan (1)
 #1

Hacked accounts don't get recovered. I've seen people offer to pay for recovery, but money isn't what stops Admin from recovering accounts.
I have another idea, with pros and cons, and would like to get community feedback first.

What if I start a service, in Meta, like this:
1. I tag hacked accounts after sufficient proof (usually a signed message) has been provided (I already do this). Example:
Stolen account, see Reference link.
Dear thief, please give it back.

2. I add "The owner is willing to pay you $25, no questions asked" to my tag if the real owner is willing to pay $25 to get it back.
3. If the thief/hacker/buyer agrees, he'll send me the account details.
4. The real owner sends me $25, I change the email and password, and wait 2 weeks so it can't be locked.
5. I pay the thief $25 (minus the lowest possible transaction fee), give the account back to the real owner, and remove the red tag.
6. We can use the thief's Bitcoin address for a small chance to hunt him down Cheesy

If the original owner doesn't pay in step 4, I won't change the account details and the account thief keeps it. I love to trick account thieves, but if they can't rely on my service, this won't work.
If the hacker locks the account, he won't get paid.

Notes:
All communication (except for transferring account details in steps 3 and 5) about this has to happen in public, not through PM.
"$25" is more or less arbitrary. I want it to be a fixed amount, less than what accounts are sold for, hopefully low enough not to encourage hacking accounts for the bounty, and non-negotiable ("take it or leave it").
I won't charge anything for this.
This service will end the moment theymos' planned automated account recovery is implemented, or when (a new) Admin recovers accounts again.

Thoughts? Ideas? Improvements? Please post!

shasan
Copper Member
Legendary
*
Online Online

Activity: 2198
Merit: 1270

Need a Bounty Manager? t.me/shasan32


View Profile WWW
December 10, 2018, 01:40:36 PM
 #2

It is a good idea. Actually many account holders wait for a long time to get account back and for negative tag hacker also can't be benefited. But if you do this service then hacker as well as real owner both will be benefited. And this 25$ will be considered as punishment of the real owner as not to protect his/her account or mistake of his/her or any bug of the forum.
I have a suggestion. By this service it will take a lot of time of you. So it would be better if there is a little fee (considered as service fee) of you.
LoyceV (OP)
Legendary
*
Offline Offline

Activity: 3304
Merit: 16587


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
December 10, 2018, 01:46:42 PM
 #3

Quote
I have a suggestion. By this service it will take a lot of time of you so it would be better if there is a little fee (considered as service fee) of you.
Good point. If it becomes too time consuming, I'll have to charge a fee too. I don't want to end up with a backlog on recoveries like Admin has now. But instead of charging a fee, it's probably better if more DTs will join the effort.

yahoo62278
Legendary
*
Offline Offline

Activity: 3598
Merit: 4423



View Profile
December 10, 2018, 01:49:34 PM
 #4

Quote
hopefully low enough not to encourage hacking accounts for the bounty, and non-negotiable ("take it or leave it").


I think you already answered your own question. This will most definitely lead to more account hacks and even though you mentioned you would keep it a fixed fee, it could also lead to higher ranked accounts (even if we use new passwords every so often to help prevent hacks) being targets for a higher ransom/reward/bounty.

mdayonliner
Copper Member
Sr. Member
****
Offline Offline

Activity: 630
Merit: 420


We are Bitcoin!


View Profile
December 10, 2018, 01:51:54 PM
 #5

Quote
4. The real owner sends me $25, I change the email and password, and wait 2 weeks so it can't be locked.
You don't need to wait 2 weeks. When you change the email you do this...
- Use a useless email address (like yopmail and let no one know about it). The confirmation email goes to the original account holder's email who has the current account.
- Now change the email again with your desired email address. The confirmation email goes to the useless email address which you only know.

This way the original account holder loses the activation/confirmation code  Grin

Be happy be at peace. Looking forward to BTC at $1M
eddie13
Legendary
*
Offline Offline

Activity: 2296
Merit: 2262


BTC or BUST


View Profile
December 10, 2018, 01:54:34 PM
 #6

I have mentioned before that this is about the only way to get your account back to offer the guy some coin to give it back.

I doubt it will be the actual "hacker" you are dealing with. I think the hacker probably just sells them and then whoever actually bought the account is also screwed when it is outed.

I don't think it is unethical depending on how you feel about paying ransoms. In that case the "hacker" guy would probably be best off to demand a ransom for the account in the first place but this is more like an offer to return lost property.

I guess you could set up a specific escrow for this particular situation but what are you going to do for awareness? Offer your service to every "help account lost" thread?

So hacker gets account and sells it to a spammer (often plagiarist) and get paid, then the spammer that bought the account gets screwed when his bought account gets red trust but he can get $25 of his money back if he gives the account back. He might do it if he knows the deal is available.

Kinda dealing with some dirty folks.

Quote
it's probably better if more DTs will join the effort.

What do DTs have to do with it? It's just $25 but DT doesn't equal escrow..
You will just have to convince whatever DTs tagged it to remove them once the original owner gets them back..

It might make you look like you are running an account hacking racket though. If you are profiting off of it and have success it might look like you are the one getting the accounts to make a few bucks as a tagged hacked account is basically worthless other than this ransom you are thinking of.

Chancellor on Brink of Second Bailout for Banks
shasan
Copper Member
Legendary
*
Online Online

Activity: 2198
Merit: 1270

Need a Bounty Manager? t.me/shasan32


View Profile WWW
December 10, 2018, 02:01:33 PM
 #7

Quote
I doubt it will be the actual "hacker" you are dealing with. I think the hacker probably just sells them and then whoever actually bought the account is also screwed when it is outed.
If negative tag before selling the account then anyone will not buy the account. And if anyone buy account then the pharmacist will tag him/her. So, his/her account will not have any value. And in this case 25$ will be considered as something is better than nothing.

Quote
This will most definitely lead to more account hacks and even though you mentioned you would keep it a fixed fee
I don't think so. I think hacker do not hack account for such a small amount. Hacker usually hack account to sell or to scam a large amount. Eg: make reversible transaction, take loan and default, take payment first and never complete the deal and something like this.

Quote
You don't need to wait 2 weeks. When you change the email you do this...
- Use a useless email address (like yopmail and let no one know about it). The confirmation email goes to the original account holder's email who has the current account.
- Now change the email again with your desired email address. The confirmation email goes to the useless email address which you only know.
I think still hacker can lock the account as s/he has received email but not sure.
LoyceV (OP)
Legendary
*
Offline Offline

Activity: 3304
Merit: 16587


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
December 10, 2018, 02:58:59 PM
 #8

Quote
I think you already answered your own question. This will most definitely lead to more account hacks and even though you mentioned you would keep it a fixed fee, it could also lead to higher ranked accounts (even if we use new passwords every so often to help prevent hacks) being targets for a higher ransom/reward/bounty.
Possibly. But making $25 from a hacked account can be done already, while the account value drops hard once it has red trust.

Quote
This way the original account holder loses the activation/confirmation code  Grin
It's the "click this link to lock the account" that makes me wait 2 weeks.

Quote
I guess you could set up a specific escrow for this particular situation but what are you going to do for awareness? Offer your service to every "help account lost" thread?
I was thinking of one thread in Meta where people can report their hacked account with evidence.

Quote
So hacker gets account and sells it to a spammer (often plagiarist) and get paid, then the spammer that bought the account gets screwed when his bought account gets red trust but he can get $25 of his money back if he gives the account back. He might do it if he knows the deal is available.
My thoughts exactly Cheesy

Quote
What do DTs have to do with it? It's just $25 but DT doesn't equal escrow..
Red trust from DT is the part that makes the account worthless for most signature spam purposes. Anyone who can't be trusted with $25 shouldn't be on DT anyway.

Quote
It might make you look like you are running an account hacking racket though. If you are profiting off of it and have success it might look like you are the one getting the accounts to make a few bucks as a tagged hacked account is basically worthless other than this ransom you are thinking of.
I realized this possibility after I opened this topic. If my motives are questioned, I won't do it.

eddie13
Legendary
*
Offline Offline

Activity: 2296
Merit: 2262


BTC or BUST


View Profile
December 10, 2018, 03:05:34 PM
 #9

Quote
If my motives are questioned, I won't do it.

Nah, you're pretty legit Wink

Chancellor on Brink of Second Bailout for Banks
mdayonliner
Copper Member
Sr. Member
****
Offline Offline

Activity: 630
Merit: 420


We are Bitcoin!


View Profile
December 10, 2018, 04:33:31 PM
 #10

Quote
This way the original account holder loses the activation/confirmation code  Grin
It's the "click this link to lock the account" that makes me wait 2 weeks.
Yes, I was talking about this locking the account link in the email. Sorry I messed it up with confirmation/activation terms  Tongue You can bypass this 2 weeks waiting times if you do this two email steps because once you add your second email then the locking the account link goes to your first email (the temporary email) and the older locking the account link in the main account's email do not work anymore.

Be happy be at peace. Looking forward to BTC at $1M
actmyname
Copper Member
Legendary
*
Offline Offline

Activity: 2562
Merit: 2504


Spear the bees


View Profile WWW
December 10, 2018, 08:49:12 PM
 #11

Quote
the older locking the account link in the main account's email do not work anymore.
I'm not so sure that's how it works. If the older link was void then there would be no point in the 2-week lock, as there are a slew of disposable emails online.

I don't dare to test this hypothesis, though.

EmailAcctLockingerTesting
Newbie
*
Offline Offline

Activity: 1
Merit: 0


View Profile
December 10, 2018, 09:37:18 PM
 #12

I'll test it.
Change my email twice and see if the first email can lock it still.
eddie13
Legendary
*
Offline Offline

Activity: 2296
Merit: 2262


BTC or BUST


View Profile
December 10, 2018, 09:40:19 PM
Merited by actmyname (2), LoyceV (1), DireWolfM14 (1)
 #13

Quote
I'll test it.
Change my email twice and see if the first email can lock it still.

It locked from the original email account after 2 changes.

"Sorry EmailAcctLockingerTesting, you are banned from using this forum!
For security, your account has been locked. Email locked...@bitcointalk.org"

Chancellor on Brink of Second Bailout for Banks
shasan
Copper Member
Legendary
*
Online Online

Activity: 2198
Merit: 1270

Need a Bounty Manager? t.me/shasan32


View Profile WWW
December 10, 2018, 09:43:10 PM
 #14

Quote
I'll test it.
Change my email twice and see if the first email can lock it still.
That means
Quote
This way the original account holder loses the activation/confirmation code  Grin
is wrong.

Quote
I think still hacker can lock the account as s/he has received email but not sure.
Now it is confirmed.
AverageGlabella
Legendary
*
Offline Offline

Activity: 1232
Merit: 1080


View Profile
December 10, 2018, 11:47:22 PM
Merited by Welsh (3), LoyceV (1), Veleor (1)
 #15

Although, it's a good idea. I think encouraging hackers to basically take ransom payments is not a good idea. A lot of the hackers will reject it anyway because they can earn more with it or sell it on for more and those who finally got a conscience will likely give it back without any sort of payment. I think leaving it to the admins who can research thoroughly into each case and determine the rightful owner is the best way. I don't like encouraging hackers to give it back for a price as that's just morally wrong in my eyes. Of course right now we have a problem with accounts not being recovered even with sufficient evidence and I have pleaded and created a thread asking for theymos to promote Hilariousandco or give someone the permissions to recover accounts. I expect most of the accounts being hacked are a result of the 2015 hack and once the backlog has been got through there won't be too many requests to do per week. I think giving someone a dedicated job to recover these accounts isn't a bad idea at all.

So instead of taking things into your own hands maybe we can sign some sort of petition for theymos to see that we are sick and tired of seeing hacked accounts on meta and then not even being replied to. I think creating a support system which would tell you where you are in the queue and its actually being worked on could help reduce the amount of threads too.
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2298


View Profile
December 10, 2018, 11:55:00 PM
Merited by LoyceV (1)
 #16

I am against using a fixed price. If an account owner is willing to pay $50, and a hacker wants $50 to give the account back, I don't see an issue with facilitating that if you are okay with facilitating a transfer for $25, or some other arbitrary number.

I would also obtain a separate signed message from the purported account owner to make sure someone is not effectively buying a stolen account. You should also solicit the opinion of theymos or another admin for each transfer prior to facilitating the transaction in order to give them an opportunity to voice concerns about giving the account back to the claimed owner.

If you are going to say your service is "no questions asked" and subsequently txid and/or address details, you will lose credibility with any hackers who want to use your service. Ditto if you later use that information for some kind of investigation. Also, you should keep in mind that a hacker may tell you to send the bounty to an innocent 3rd party's address in an effort to frame them as a hacker.

If implemented, the correct sub for this would be services, not meta.

I am on the fence if this is something I would offer myself, probably not. Although perhaps it would put pressure on the admins to put more effort into account recoveries.
AverageGlabella
Legendary
*
Offline Offline

Activity: 1232
Merit: 1080


View Profile
December 11, 2018, 01:05:09 AM
 #17

Quote
I would also obtain a separate signed message from the purported account owner to make sure someone is not effectively buying a stolen account. You should also solicit the opinion of theymos or another admin for each transfer prior to facilitating the transaction in order to give them an opportunity to voice concerns about giving the account back to the claimed owner.
You think that they would reply back in a suitable time frame? Most account recoveries aren't being responded to when sent directly to them or posted publicly so I doubt that they would be willing to work with someone offering a service like this. You would probably require permission from theymos on whether this service could be allowed but I don't see why not. I'm just against it because it's encouraging paying for ransom.
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2298


View Profile
December 11, 2018, 01:17:25 AM
 #18

Quote
I would also obtain a separate signed message from the purported account owner to make sure someone is not effectively buying a stolen account. You should also solicit the opinion of theymos or another admin for each transfer prior to facilitating the transaction in order to give them an opportunity to voice concerns about giving the account back to the claimed owner.
You think that they would reply back in a suitable time frame? Most account recoveries aren't being responded to when sent directly to them or posted publicly so I doubt that they would be willing to work with someone offering a service like this. You would probably require permission from theymos on whether this service could be allowed but I don't see why not. I'm just against it because it's encouraging paying for ransom.
I don't think a response from theymos should be required to move forward, only an inquiry to theymos to see if he has concerns about the transaction, he may not answer and the transaction may move forward after a day or two without a response, however if he does respond,  his advice can be taken into account.
LoyceV (OP)
Legendary
*
Offline Offline

Activity: 3304
Merit: 16587


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
December 12, 2018, 09:31:05 AM
 #19

Quote
It locked from the original email account after 2 changes.
Thanks for testing, that is as I expected. And it proves once again theymos isn't dumb Tongue

Quote
Although, it's a good idea. I think encouraging hackers to basically take ransom payments is not a good idea. A lot of the hackers will reject it anyway because they can earn more with it or sell it on for more and those who finally got a conscience will likely give it back without any sort of payment.
Maybe. But what if it helps a few people get their account back?

Quote
I think leaving it to the admins who can research thoroughly into each case and determine the rightful owner is the best way
Definitely! But unfortunately, this isn't happening. I'm trying to find the next best thing to help some users.

Quote
I think giving someone a dedicated job to recover these accounts isn't a bad idea at all.
Theymos has said that he would throw $100k at it, if that would make all this go away. Some say theymos has a hard time trusting people.

Quote
So instead of taking things into your own hands maybe we can sign some sort of petition for theymos to see that we are sick and tired of seeing hacked accounts on meta and then not even being replied to. I think creating a support system which would tell you where you are in the queue and its actually being worked on could help reduce the amount of threads too.
I tried, and others tried too. It didn't work, that's why I'm considering an alternative approach.

Quote
I am against using a fixed price. If an account owner is willing to pay $50, and a hacker wants $50 to give the account back, I don't see an issue with facilitating that if you are okay with facilitating a transfer for $25, or some other arbitrary number.
What I try to prevent with a fixed amount, is the hacker trying to raise the price by negotiating. They're still free to do so, but I don't want to get involved as a middle man.

Quote
I would also obtain a separate signed message from the purported account owner to make sure someone is not effectively buying a stolen account.
A signed message is already required to tag a stolen account.

Quote
You should also solicit the opinion of theymos or another admin for each transfer prior to facilitating the transaction in order to give them an opportunity to voice concerns about giving the account back to the claimed owner.
If Admins would respond to requests like these, I wouldn't have opened this topic in the first place. I don't think bothering Admin is going to help.

Quote
If you are going to say your service is "no questions asked" and subsequently txid and/or address details, you will lose credibility with any hackers who want to use your service. Ditto if you later use that information for some kind of investigation.
True, more or less. The account owner will know where he deposited the $25, and he can publish it afterwards anyway. I like to keep it all public, so there's no doubt this information is known. If the account thief doesn't want to be traced, he'll have to use a mixer.

Quote
Also, you should keep in mind that a hacker may tell you to send the bounty to an innocent 3rd party's address in an effort to frame them as a hacker.
Argh! I have no answer to this. If someone is willing to lose $25 to frame someone, it can indeed be done. Someone could even use the addy from my profile.

Quote
If implemented, the correct sub for this would be services, not meta.
I've been able to slightly bend board-rules before, and this can potentially reduce the number of topics in Meta, that's why I chose that board. If a Mod disagrees, it'll find its way to Services.

Quote
I am on the fence if this is something I would offer myself, probably not. Although perhaps it would put pressure on the admins to put more effort into account recoveries.
By all means, go ahead! I don't mind "competition" in an unpaid service.
Considering the Merit system was rolled out shortly after some DT2s started tagging spammers, I'd be very happy if this speeds up account recoveries and I can end this service before it's even started Cheesy

Quote
You would probably require permission from theymos on whether this service could be allowed but I don't see why not.
Theymos believes in freedom, account trades are allowed, so I don't see how this would break any forum rules.

Quote
I'm just against it because it's encouraging paying for ransom.
ransom:
a large amount of money that is demanded in exchange for someone who has been taken prisoner, or sometimes for an animal
I don't think this fits the definition.

Quote
I don't think a response from theymos should be required to move forward, only an inquiry to theymos to see if he has concerns about the transaction, he may not answer and the transaction may move forward after a day or two without a response, however if he does respond,  his advice can be taken into account.
If I start this (in Meta), theymos will read it eventually.

LTU_btc
Legendary
*
Offline Offline

Activity: 3052
Merit: 1330


Slava Ukraini!


View Profile WWW
December 12, 2018, 12:40:26 PM
 #20

Interesting idea and I have mixed feelings about it. I don't think we should support hackers by paying them ransom. There is a risk that such services can lead to more attempts to hack accounts because these smartasses will see it as another opportunity to benefit. But probably I would agree to hacker full market price of account (which is probably more than $25 or $50) to get it back. Luckily my account was restored by Cyrus last year.
Another thing - I'm not sure that such services would be really effective. People who find their account hacked usually use link that they got to email to lock account or ask moderators to lock account. Hacker can't do anything with locked account, so he can't return account to original owner after getting ransom. Only theymos or Cyrus can recover locked account. I still hope that one day theymos will release automated account recovery system and such services that you're offering won't be needed.
