If you want your funds back, get inside the hacker’s mind

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack


After a Web3 protocol is hacked, the people affected naturally expect that the protocol will do its very best to recover their lost funds.

And this task undeniably often involves communicating with the attacker: a crucial step, because the exploiter usually holds all the cards. The hackers have full control of the stolen capital and can choose to communicate with the project — or disappear forever. 

Understanding the mentality of a hacker and their potential motivations is therefore key to a successful outcome (or as successful as an outcome can be in the case of an anonymous crypto hack).

There are many factors behind why an individual would exploit a Web3 project. The ability to find a weakness in a project’s code, as well as the ability to exploit said weakness, can be seen as a sign of competence. And if the attack is somehow novel or unusual, the hacker could see their successful exploit as a point of pride or a claim to bragging rights. Narcissism and hacking go together fairly well.

For blockchain projects, exploits also come with a substantial profit potential. Due to crypto’s decentralized nature, the oft-haziness of a project’s jurisdictions and the idea that “code is law,” hackers can often get away with keeping everything they steal. However, it has recently become more common for hackers to actually return most of their profits in exchange for a promise of immunity, or even in some cases, a “thank you” and a bug bounty reward. This was the case with Curve, Alchemix, HTX, Stars Arena and others. These deals appear to depend on how identifiable the hacker is and how much of the funds they are willing to return. 


Some exploiters imply innocence, claiming to be driven by curiosity and exploration. The famous phrase “I accidentally killed it” by the exploiter of the Parity wallet self-destruct vulnerability is a wonderful example — the exploiter claims to have been sending self-destruct instructions to random contracts. Up until their hack actually works, I actually trust that most hackers find themselves in some kind of disbelief that they could actually be successful.

The final and perhaps darkest motivation behind an exploit can be pure hatred: A hacker may execute an exploit just to cause people harm. The attackers can steal funds and never use them, or just burn them forever. In an industry full of passionate philosophers with anarchist tendencies, it should not be too surprising that some hackers would also like to present their actions as some kind of statement. For example, after a recent $48 million hack, Kyber Network depositors and liquidity providers were “offered” a 50% rebate on their funds by the hacker with the words “I know this is probably less than what you wanted. However, it is also more than you deserve.” 

When communicating with a hacker while trying to recover funds, it’s essential that the project takes the hacker’s motivation into account. 

If the exploit was executed by an organized group, the group will most likely not communicate in the first place, and the chance of any funds being returned is unfortunately very low. But if the attacker did not have malicious intentions, like in the case of a white hat hacker just looking to draw attention to a code vulnerability, they will likely reach out alone and arrange for the return of the funds (or whatever is left). 

If the primary motivating factor is financial gain, the affected project offering a substantial reward for indemnity can yield results. The likelihood of this happening increases when the hacker leaves some personally identifiable information behind, like IP addresses recovered either from ISPs, VPN providers or infrastructure providers. This identifying information can also include traces of where they sourced the network funds, like ether, for paying the network fees to execute their hack. Especially under such conditions, the financially motivated hackers face a choice of taking a lot of money illegally, or substantially less — but still a lot of money — with some level of indemnity. 

One still needs to walk the fine line between scaring the attacker away and convincing them that returning the funds is the best outcome for them. This strategy can still be applied when the hacker’s motivation is to cause damage or make a statement — but the likelihood of success is much lower.

And how does one know where to contact a hacker? It’s easy. They don’t. Hackers themselves have several options for reaching out to the project they hacked. This includes signed messages on-chain or via anonymous social media accounts. If one wants to have a conversation with a hacker, the best thing to do is make it known and offer some convenient communication channel that protects that hacker’s privacy. This will maximize the chance of getting a response.

Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.


