The activity itself is illegal, i.e. this whole deal.
This means that the buyer is not protected by law.
Take care of anonymity, and, of course, throw it away.
1) Since the customer is trying to steal your data, he can be considered an enemy for you, and you should definitely try to weaken him, for example, by throwing him for money. (he will not be able to repeat the operation)
2) He is not protected by law, so he will not be able to do anything, say, sue.
Amazing care for a site owner.
I see no reason not to throw the customer for money, unless these few user hashes are a serious threat to you.

The burglar, in any case, must be punished. If there is a legal way to do this, then you must follow the law. If you don't have it, drop it, of course.

The main thing is that the same customer does not read this post (:

Punish - yes, but spend the money on donations and at least to the project that is used on your site. Money is bad, crazy. And you still earn.

I would not. Intimidate, talk - yes, you can. But throwing 30,000 rubles, real rubles, is ... This is not right. Moreover, the customer has not done anything yet.
In fact, you're throwing $1,000 at a person who has (so far) done nothing wrong. And you did by throwing it. As a result, the innocent suffered, and you, under the pretext of world justice, were enriched by $ 1,000.
And in general, will your upbringing and worldview allow you to throw a person? Even a potential attacker? I couldn't. I would also ask here, but the question would be formulated as follows: “How to punish a potential hacker of my site?”.

Um ... even I’m reading it for the sixth time and I don’t understand who demands money from whom, for what, and how you want to appropriate it.

I would have sneered. But I wouldn’t throw money at it, at least not for serious ones.

It's definitely worth a lesson :)
I wonder how many of these database buyers are now nervous after reading this post?))

Replace passwords for user accounts immediately and try to find and fix the vulnerability through which the information leaked. Only then take action against the burglar.

1. contact the zak
2. justify the difficulty of the task
3. trade at least up to $1.5-$2k
4. don't come back after receiving the money
5. ????
6. PROFIT
I do not see anything shameful in punishing such people - if robbers climb into your apartment, you will ask - do they rob and climb into the right apartment?

Punish the person, and give at least half of the money to the orphanage. The attacker's money will go to a good cause. I wanted to do something nasty, but it turned out good =)

Stealing from a thief is not considered a crime

Throwing an asshole - it certainly does not hurt. If you do it carefully, and so that users do not suffer.
But, in my opinion, a more important question is who is the customer, and why does he need a dump of your database.

What prevents you from partially copying (duplicate with some changes) any accounts or creating new ones to provide to the customer? This is the database of your project, you have full access to it, and you have the cards in your hands.

Punish, and direct the money to improve the security of the site.

Of course punish.

I see no moral barriers to throw someone who wants to rob you. That is to say, preventive measures. There will be science.

This is the same as posting a notice at the entrance: “I am looking for a robber who is ready to take out all the equipment from the N-th apartment of this entrance. Budget: $1000. To verify the professionalism of the robber, provide the iPad and HTC from this apartment, after which we can cooperate with you.”
If I saw such an announcement on my house, I would be very angry and I would punish such a person very severely. The same should be done with the website. Planning such a negative activity is already a criminal activity.
My opinion: DEFINITELY PUNISH!

I don’t know about you, but here (in Ukraine) it’s quite easy to find a common language with law enforcement agencies in such situations. It's almost done. Pros: a clear conscience, experience in similar cases for the future, a beautiful piece of paper / history, useful contacts; cons: $1000 :)

what is your site so valuable?

To the question "Is it ethical to throw ..." the answer is no, it does not matter how the sentence ends, because throwing is not ethical. Another thing is that this is probably not the situation when you need to think first of all about ethics.