Topic: [ON HOLD] Thoughts: paying hackers to get accounts back: ethical or not? (Read 618 times)

I was just about to post this same line of thought. This offer will lead to an explosion of account theft. Just think of it, If I can steal 4 accounts per day, and willing to accept the $25 for recovery, then I get $100/ day. Cool deal 

As good as the steps are, it is rather an incentive for account theft than a solution. IMO

Well it sounds like this project likely served its intended purpose.

Good news!
In my opinion it is important that DT members are marking all hacked accounts, and in no case becoming a reseller between thieves and victims because this can have negative affect to the reputation of the forum.
It is necessary to entrust the restoring accounts procedure to the administrators that they make it as efficient as possible.
And I think that all members should be reminded by email that they need to write BTC addresses in the topic "Stake your Bitcoin address here" for their profiles secure.

3 days later:

That means I can put this idea on hold now.

Yeah, hilariousandco can unlock accounts, but he can't restore it, so he can't help in such cases unfortunately.

Does this mean that any rank account is worth only $25? There may be some hackers who don’t think that they may get more money through account trading. In addition, some account buyers may have spent more than $25 to purchase an account, and they will not be willing to hand over the account.
Although OP's idea is great, I think this may exceed the permissions of ordinary forum users, which is equivalent to creating a new "forum rule".
To solve this problem fundamentally, maybe 2fA will be a more reasonable way.

Global Moderator hilariousandco can unlock accounts too (he just can't unban them). It could still work if the account credentials are transfered, but it's one more hoop to jump through.

The last thing I read about it was "before the end of this year", but that wasn't an official announcement.

Interesting idea and I have mixed feelings about it. I don't think we should support hackers by paying ransom them. There is a risk that such services can lead to more attempts to hack accounts because these smartasses will see it as another opportunity to benefit. But probably I would agree to hacker full market price of account (which is probably more than $25 or $50) to get it back. Luckily my account was restored by Cyrus last year.
Another thing - I'm not sure that such services would be really effective. People who find their account hacked usually use link that they got to email to lock account or ask moderators to lock account. Hacker can't do anything with locked account, so he can't return account to original owner after getting ransom. Only theymos or Cyrus can recover locked account. I still hope that one day theymos will release automated account recovery system and such services that you're offering wont be needed.

Thanks for testing, that is as I expected. And it proves once again theymos isn't dumb

Maybe. But what if it helps a few people get their account back?

What I try to prevent with a fixed amount, is the hacker trying to raise the price by negotiating. They're still free to do so, but I don't want to get involved as a middle man.

Theymos believes in freedom, account trades are allowed, so I don't see how this would break any forum rules.

If I start this (in Meta), theymos will read it eventually.

I don't think a response from theymos should be required to move forward, only an inquiry to theymos to see if he has concerns about the transaction, he may not answer and the transaction may move forward after a day or two without a response, however if he does respond,  his advice can be taken into account.

You think that they would reply back in a suitable time frame? Most account recoveries aren't being responded to when sent directly to them or posted publicly so I doubt that they would be willing to work with someone offering a service like this. You would probably require permission from theymos on whether this service could be allowed but I don't see why not. I'm just against it because its encouraging paying for ransom.

I am against using a fixed price. If an account owner is willing to pay $50, and a hacker wants $50 to give the account back, I don't see an issue with facilitating that if you are okay with facilitating a transfer for $25, or some other arbitrary number.

I would also obtain a separate signed message from the purported account owner to make sure someone is not effectively buying a stolen account. You should also solicit the opinion of theymos or another admin for each transfer prior to facilitating the transaction in order to give them an opportunity to voice concerns about giving the account back to the claimed owner.

If you are going to say your service is "no questions asked" and subsequently txid and/or address details, you will lose credibility with any hackers who want to use your service. Ditto if you later use that information for some kind of investigation. Also, you should keep in mind that a hacker may tell you to send the bounty to an innocent 3rd party's address in an effort to frame them as a hacker.

If implemented, the correct sub for this would be services, not meta.

I am on the fence if this is something I would offer myself, probably not. Although perhaps it would put pressure on the admins to put more effort into account recoveries.

Although, its a good idea. I think encouraging hackers to basically take ransom payments is not a good idea. A lot of the hackers will reject it anyway because they can earn more with it or sell it on for more and those who finally got a conscious will likely give it back without any sort of payment. I think leaving it to the admins who can research thoroughly into each case and determine the rightful owner is the best way. I don't like encouraging hackers to give it back for a price as that's just morally wrong in my eyes. Of course right now we have a problem with accounts not being recovered even with sufficient evidence and I have pleaded and created a thread asking for theymos to promote Hilariousandco or give someone the permissions to recover accounts. I expect most of the accounts being hacked are a result of the 2015 hack and once the backlog has been got through there won't be too many requests to do per week. I think giving someone a dedicated job to recover these accounts isn't a bad idea at all.

So instead of taking things into your own hands maybe we can sign some sort of petition for theymos to see that we are sick and tired of seeing hacked accounts on meta and then not even being replied to. I think creating a support system which would tell you where you are in the queue and its actually being worked on could help reduce the amount of threads too.

That means is wrong.

Now it is confirmed.

It locked from the original email account after 2 changes.

"Sorry EmailAcctLockingerTesting, you are banned from using this forum!
For security, your account has been locked. Email [email protected]"

I'll test it.
Change my email twice and see if the first email can lock it still.

I'm not so sure that's how it works. If the older link was void then there would be no point in the 2-week lock, as there are a slew of disposable emails online.

I don't dare to test this hypothesis, though.

Yes, I was talking about this locking the account link in the email. Sorry I messed it up with confirmation/activation terms   You can bypass this 2 weeks waiting times if you do this two email steps because once you add your second email then the locking the account link goes to your first email (the temporary email) and the older locking the account link in the main account's email do not work anymore.

Nah, you're pretty legit

Possibly. But making $25 from a hacked account can be done already, while the account value drops hard once it has red trust.

It's the "click this link to lock the account" that makes me wait 2 weeks.

I was thinking of one thread in Meta where people can report their hacked account with evidence.

My thoughs exactly

Red trust from DT is the part that makes the account worthless for most signature spam purposes. Anyone who can't be trusted with $25 shouldn't be on DT anyway.

I realized this possibility after I opened this topic. If my motives are questioned, I won't do it.