Grasping the underlying reasons for a hacker’s mindset, which can range from mere curiosity to outright malevolence, is equally important as comprehending the technical methods they used to carry out the hack.
When a Web3 protocol suffers a hack, those impacted naturally expect the protocol to make every effort to recover their lost funds.
A critical part of this process often involves engaging with the hacker mindset, as the attacker typically has complete control over the situation. They possess the stolen funds and have the choice to either interact with the project team or vanish without a trace.
Therefore, understanding a hacker’s mindset and their possible incentives is crucial for any hope of a positive resolution in the event of an anonymous cryptocurrency hack.
The reasons an individual might target a Web3 project are varied. The skill to identify and exploit a flaw in a project’s code can be seen as a demonstration of their technical prowess. Moreover, if the attack is particularly innovative or unique, the hacker’s mindset might view their successful breach as a badge of honor or a source of boasting rights. Often, there’s a strong correlation between narcissistic traits and the inclination to hack.
In the realm of blockchain projects, exploits often come hand in hand with the potential for substantial profits. The decentralized nature of cryptocurrencies, coupled with the ambiguity surrounding the jurisdiction of many projects and the principle that “code is law,” allows hackers to frequently abscond with their ill-gotten gains.
However, a noteworthy trend has emerged in recent times, wherein hackers opt to return a significant portion of their profits in exchange for guarantees of immunity or, in some instances, a simple “thank you” along with a bug bounty reward. Notable cases of such arrangements include Curve, Alchemix, HTX, Stars Arena, and others. The terms of these agreements seem to hinge on factors like the hacker’s level of identifiability and the extent to which they are willing to return the pilfered funds.
Some individuals behind these exploits may even claim innocence, suggesting that their actions were driven by curiosity and a spirit of exploration. A prime example is the memorable phrase coined by the exploiter of the Parity wallet self-destruct vulnerability: “I accidentally killed it.” In such cases, it’s plausible that many hackers are initially in disbelief that their actions could yield successful results until they actually achieve their goals.
The ultimate and, perhaps, the darkest motivation driving an exploit can be rooted in pure hatred. Some hackers carry out exploits with the sole intention of causing harm to individuals or organizations. These attackers may steal funds without any intention of using them or even destroy them permanently. In an industry characterized by passionate individuals with anarchist inclinations, it shouldn’t come as a surprise that some hackers seek to portray their actions as a statement.For instance, in the aftermath of a recent $48 million hack, Kyber Network depositors and liquidity providers were confronted with an unusual proposition from the hacker. The hacker offered a 50% rebate on the stolen funds along with the words, “I know this is probably less than what you wanted. However, it is also more than you deserve.”When engaging with a hacker while attempting to recover funds, it’s vital for the project to consider the hacker’s motivation. If the exploit was carried out by an organized group with malicious intent, communication is unlikely, and the prospects of fund recovery are unfortunately slim. However, in cases where the attacker’s intentions were not malicious, such as those of a white hat hacker aiming to highlight a code vulnerability, they are more likely to reach out independently and facilitate the return of the funds, or what remains of them.
When the primary driving force behind a hacker’s actions is financial gain, there’s a potential avenue for resolution: the affected project can offer a substantial reward as indemnity. This approach becomes more promising when the hacker leaves behind identifiable information, such as IP addresses retrieved from ISPs, VPN providers, or infrastructure providers. Additionally, traces of the source of network funds, like ether used to pay network fees for executing the hack, can be valuable.
Under such circumstances, financially motivated hackers face a critical choice between illicitly obtaining a large sum of money or accepting a somewhat lesser, yet still significant amount, in exchange for some level of indemnification. Striking the right balance between discouraging the attacker and persuading them that returning the funds is in their best interest is crucial. This strategy can also be applied when the hacker’s motivation is to cause harm or make a statement, although the chances of success are considerably lower.
But how does one initiate contact with a hacker? In most cases, they don’t. Hackers often provide various options for reaching out to the projects they’ve targeted. This may include signed messages on the blockchain or through anonymous social media accounts. To engage in a dialogue with a hacker, it’s advisable to make the intention known and offer a secure communication channel that safeguards the hacker’s privacy. This approach maximizes the chances of receiving a response.
Understanding the motivations behind a hacker’s actions — from curiosity to malice — is just as crucial as understanding how they executed the hack. Driven by a mix of fascination, financial gain or sometimes even hatred, the thought process of a hacker is as complex as the exploits they execute.
Martin Derka, Ph.D., is the Head of New Initiatives at Quantstamp, a web3 security company. He has years of experience in the development of smart contracts and platforms built on Ethereum, specializing in DeFi security and economic manipulations. At Quantstamp, Martin assists with both securing projects prior to deployment, and crisis management in the aftermath of an exploit.