If you want your funds back, get inside the hacker’s mind

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack


Midjourney modified by Blockworks


After a Web3 protocol is hacked, the people affected naturally expect that the protocol will do their very best to recover their lost funds. 

And this task undeniably often involves communicating with the attacker: a crucial step, because the exploiter usually holds all the cards. The hackers have full control of the stolen capital and can choose to communicate with the project — or disappear forever. 

Understanding the mentality of a hacker and their potential motivations is therefore key to a successful outcome (or as successful an outcome can be in the case of an anonymous crypto hack). 

There are many factors behind why an individual would exploit a Web3 project. The ability to find a weakness in a project’s code, as well as the ability to exploit said weakness, can be seen as a sign of competence. And if the attack is somehow novel or unusual, the hacker could see their successful exploit as a point of pride or a claim to bragging rights. Narcissism and hacking go together fairly well.

For blockchain projects, exploits also come with a substantial profit potential. Due to crypto’s decentralized nature, the oft-haziness of a project’s jurisdictions and the idea that “code is law,” hackers can often get away with keeping everything they steal. However, it has recently become more common for hackers to actually return most of their profits in exchange for a promise of immunity, or even in some cases, a “thank you” and a bug bounty reward. This was the case with Curve, Alchemix, HTX, Stars Arena and others. These deals appear to depend on how identifiable the hacker is and how much of the funds they are willing to return. 

Read more from our opinion section: Blockchain needs standards

Some exploiters imply innocence, claiming to be driven by curiosity and exploration. The famous phrase “I accidentally killed it” by the exploiter of the Parity wallet self-destruct vulnerability is a wonderful example — the exploiter claims to have been sending self-destruct instructions to random contracts. Up until their hack actually works, I actually trust that most hackers find themselves in some kind of disbelief that they could actually be successful.

The final and perhaps darkest motivation behind an exploit can be pure hatred: A hacker may execute an exploit just to cause people harm. The attackers can steal funds and never use them, or just burn them forever. In an industry full of passionate philosophers with anarchist tendencies, it should not be too surprising that some hackers would also like to present their actions as some kind of statement. For example, after a recent $48 million hack, Kyber Network depositors and liquidity providers were “offered” a 50% rebate on their funds by the hacker with the words “I know this is probably less than what you wanted. However, it is also more than you deserve.” 

When communicating with a hacker while trying to recover funds, it’s essential that the project takes the hacker’s motivation into account. 

If the exploit was executed by an organized group, the group will most likely not communicate in the first place, and the chance of any funds being returned is unfortunately very low. But if the attacker did not have malicious intentions, like in the case of a white hat hacker just looking to draw attention to a code vulnerability, they will likely reach out alone and arrange for the return of the funds (or whatever is left). 

If the primary motivating factor is financial gain, the affected project offering a substantial reward for indemnity can yield results. The likelihood of this happening increases when the hacker leaves some personally identifiable information behind, like IP addresses recovered either from ISPs, VPN providers or infrastructure providers. This identifying information can also include traces of where they sourced the network funds, like ether, for paying the network fees to execute their hack. Especially under such conditions, the financially motivated hackers face a choice of taking a lot of money illegally, or substantially less — but still a lot of money — with some level of indemnity. 

One still needs to balance the fine line between scaring the attacker away and convincing them that returning the funds is the best outcome for them. This strategy can still be applied when the hacker’s motivation is to cause damage or make a statement — but the likelihood of success is much lower. 

And how does one know where to contact a hacker? It’s easy. They don’t. Hackers themselves have several options for reaching out to the project they hacked. This includes signed messages on-chain or via anonymous social media accounts. If one wants to have a conversation with a hacker, the best thing to do is make it known and offer some convenient communication channel that protects that hacker’s privacy. This will maximize the chance of getting a response.

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2023

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Unlocked by Template.png


With the spot ETH ETF approval, the institutions are coming. stETH - given its dominance in marketshare, existing liquid market structures, and highly desirable properties - is poised for institutions.


Plus, the rise of RWAs could bring about a significant shift in how real-world investments are managed and accessed


The distributed cell plan provider started selling its own hotspots in October 2023


The Brazil-based asset manager’s filing comes during a year of milestone bitcoin and ether fund approvals


The purchase of five sites in Georgia set to help CleanSpark hit its mid-year operating hash rate target of 20 EH/s


Plus, it’s beginning to look like we may be in for a cruel summer



Engaging with XDC provides access to cutting-edge financial tools and places investors at the forefront of the trade finance revolution