If you want your funds back, get inside the hacker’s mind
After a Web3 protocol is hacked, the people affected naturally expect that the protocol will do their very best to recover their lost funds.
And this task undeniably often involves communicating with the attacker: a crucial step, because the exploiter usually holds all the cards. The hackers have full control of the stolen capital and can choose to communicate with the project — or disappear forever.
Understanding the mentality of a hacker and their potential motivations is therefore key to a successful outcome (or as successful an outcome can be in the case of an anonymous crypto hack).
There are many factors behind why an individual would exploit a Web3 project. The ability to find a weakness in a project’s code, as well as the ability to exploit said weakness, can be seen as a sign of competence. And if the attack is somehow novel or unusual, the hacker could see their successful exploit as a point of pride or a claim to bragging rights. Narcissism and hacking go together fairly well.
For blockchain projects, exploits also come with a substantial profit potential. Due to crypto’s decentralized nature, the oft-haziness of a project’s jurisdictions and the idea that “code is law,” hackers can often get away with keeping everything they steal. However, it has recently become more common for hackers to actually return most of their profits in exchange for a promise of immunity, or even in some cases, a “thank you” and a bug bounty reward. This was the case with Curve, Alchemix, HTX, Stars Arena and others. These deals appear to depend on how identifiable the hacker is and how much of the funds they are willing to return.
Read more from our opinion section: Blockchain needs standards
Some exploiters imply innocence, claiming to be driven by curiosity and exploration. The famous phrase “I accidentally killed it” by the exploiter of the Parity wallet self-destruct vulnerability is a wonderful example — the exploiter claims to have been sending self-destruct instructions to random contracts. Up until their hack actually works, I actually trust that most hackers find themselves in some kind of disbelief that they could actually be successful.
The final and perhaps darkest motivation behind an exploit can be pure hatred: A hacker may execute an exploit just to cause people harm. The attackers can steal funds and never use them, or just burn them forever. In an industry full of passionate philosophers with anarchist tendencies, it should not be too surprising that some hackers would also like to present their actions as some kind of statement. For example, after a recent $48 million hack, Kyber Network depositors and liquidity providers were “offered” a 50% rebate on their funds by the hacker with the words “I know this is probably less than what you wanted. However, it is also more than you deserve.”
When communicating with a hacker while trying to recover funds, it’s essential that the project takes the hacker’s motivation into account.
If the exploit was executed by an organized group, the group will most likely not communicate in the first place, and the chance of any funds being returned is unfortunately very low. But if the attacker did not have malicious intentions, like in the case of a white hat hacker just looking to draw attention to a code vulnerability, they will likely reach out alone and arrange for the return of the funds (or whatever is left).
If the primary motivating factor is financial gain, the affected project offering a substantial reward for indemnity can yield results. The likelihood of this happening increases when the hacker leaves some personally identifiable information behind, like IP addresses recovered either from ISPs, VPN providers or infrastructure providers. This identifying information can also include traces of where they sourced the network funds, like ether, for paying the network fees to execute their hack. Especially under such conditions, the financially motivated hackers face a choice of taking a lot of money illegally, or substantially less — but still a lot of money — with some level of indemnity.
One still needs to balance the fine line between scaring the attacker away and convincing them that returning the funds is the best outcome for them. This strategy can still be applied when the hacker’s motivation is to cause damage or make a statement — but the likelihood of success is much lower.
And how does one know where to contact a hacker? It’s easy. They don’t. Hackers themselves have several options for reaching out to the project they hacked. This includes signed messages on-chain or via anonymous social media accounts. If one wants to have a conversation with a hacker, the best thing to do is make it known and offer some convenient communication channel that protects that hacker’s privacy. This will maximize the chance of getting a response.
Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.
Martin Derka, Ph.D., is the Head of New Initiatives at Quantstamp, a web3 security company. He has years of experience in the development of smart contracts and platforms built on Ethereum, specializing in DeFi security and economic manipulations. At Quantstamp, Martin assists with both securing projects prior to deployment, and crisis management in the aftermath of an exploit.