If you want your funds back, get inside the hacker’s mind

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack


Midjourney modified by Blockworks


After a Web3 protocol is hacked, the people affected naturally expect that the protocol will do their very best to recover their lost funds. 

And this task undeniably often involves communicating with the attacker: a crucial step, because the exploiter usually holds all the cards. The hackers have full control of the stolen capital and can choose to communicate with the project — or disappear forever. 

Understanding the mentality of a hacker and their potential motivations is therefore key to a successful outcome (or as successful an outcome can be in the case of an anonymous crypto hack). 

There are many factors behind why an individual would exploit a Web3 project. The ability to find a weakness in a project’s code, as well as the ability to exploit said weakness, can be seen as a sign of competence. And if the attack is somehow novel or unusual, the hacker could see their successful exploit as a point of pride or a claim to bragging rights. Narcissism and hacking go together fairly well.

For blockchain projects, exploits also come with a substantial profit potential. Due to crypto’s decentralized nature, the oft-haziness of a project’s jurisdictions and the idea that “code is law,” hackers can often get away with keeping everything they steal. However, it has recently become more common for hackers to actually return most of their profits in exchange for a promise of immunity, or even in some cases, a “thank you” and a bug bounty reward. This was the case with Curve, Alchemix, HTX, Stars Arena and others. These deals appear to depend on how identifiable the hacker is and how much of the funds they are willing to return. 

Read more from our opinion section: Blockchain needs standards

Some exploiters imply innocence, claiming to be driven by curiosity and exploration. The famous phrase “I accidentally killed it” by the exploiter of the Parity wallet self-destruct vulnerability is a wonderful example — the exploiter claims to have been sending self-destruct instructions to random contracts. Up until their hack actually works, I actually trust that most hackers find themselves in some kind of disbelief that they could actually be successful.

The final and perhaps darkest motivation behind an exploit can be pure hatred: A hacker may execute an exploit just to cause people harm. The attackers can steal funds and never use them, or just burn them forever. In an industry full of passionate philosophers with anarchist tendencies, it should not be too surprising that some hackers would also like to present their actions as some kind of statement. For example, after a recent $48 million hack, Kyber Network depositors and liquidity providers were “offered” a 50% rebate on their funds by the hacker with the words “I know this is probably less than what you wanted. However, it is also more than you deserve.” 

When communicating with a hacker while trying to recover funds, it’s essential that the project takes the hacker’s motivation into account. 

If the exploit was executed by an organized group, the group will most likely not communicate in the first place, and the chance of any funds being returned is unfortunately very low. But if the attacker did not have malicious intentions, like in the case of a white hat hacker just looking to draw attention to a code vulnerability, they will likely reach out alone and arrange for the return of the funds (or whatever is left). 

If the primary motivating factor is financial gain, the affected project offering a substantial reward for indemnity can yield results. The likelihood of this happening increases when the hacker leaves some personally identifiable information behind, like IP addresses recovered either from ISPs, VPN providers or infrastructure providers. This identifying information can also include traces of where they sourced the network funds, like ether, for paying the network fees to execute their hack. Especially under such conditions, the financially motivated hackers face a choice of taking a lot of money illegally, or substantially less — but still a lot of money — with some level of indemnity. 

One still needs to balance the fine line between scaring the attacker away and convincing them that returning the funds is the best outcome for them. This strategy can still be applied when the hacker’s motivation is to cause damage or make a statement — but the likelihood of success is much lower. 

And how does one know where to contact a hacker? It’s easy. They don’t. Hackers themselves have several options for reaching out to the project they hacked. This includes signed messages on-chain or via anonymous social media accounts. If one wants to have a conversation with a hacker, the best thing to do is make it known and offer some convenient communication channel that protects that hacker’s privacy. This will maximize the chance of getting a response.

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Top Icon.png


Osmosis thrived in H2 2023 on the back of increased DeFi activity deriving from recently launched Cosmos-related projects and better market conditions. With new value accrual mechanisms for the native token, Osmosis is well-positioned to continue its strong performance in 2024.



Though the opposing flow trend is likely to slow over time, industry watchers note, bitcoin fund assets could one day eclipse the $90 billion gold ETF space


Celestia had the first mover advantage. EigenDA has staked ether. What sets Avail apart?


Bitcoin moved 1% higher Monday morning in New York, Matrixport analysts say $62,000 could happen next month


It’s hard to believe right now that crypto — even with all of its flexibility and massive capabilities — could ever be like cash on the internet


Michael Saylor announced Monday morning that MicroStrategy bought 3k more bitcoin after the X account was compromised over the weekend


Plus, Pudgy Penguins grows its brand and a group of Autoglyphs sell for $14.5 million