Original title: "Meet the Vigilantes Who Hack Millions in Crypto to Save It From Thieves"
Original Author: Lorenzo Franceschi-Bicchierai
Compilation of the original text: Guo Qianwen, Chain Catcher
In the early morning of March 9th, while LP was still asleep, she suddenly started receiving Telegram calls. According to her, this is never a good sign. In her button-down pajamas, she drew the bedroom curtains, pulled her laptop out of the blankets, and put on her contact lenses. It was time to save other people’s cryptocurrencies by hacking them first.
LP, an engineer with a Ph.D. who worked at a Silicon Valley law firm and is currently the founder of cybersecurity firms RugDoc and Paladin Blockchain Security, spoke on condition of anonymity to protect privacy. She wants everyone to know that cryptocurrency isn’t just about the “basement full of nice people” scenario.
It was a colleague of hers who was on the phone, telling her about an attack on investors in a cryptocurrency protocol called Fantasm, which had millions of dollars in liquidity locked up by investors.
Once she was clear-headed, she opened her laptop and teamed up with two colleagues to try to defeat the hackers and save as much cryptocurrency as possible. In the world of cryptocurrencies, where stolen funds are usually lost forever due to the irreversible nature of the blockchain, saving funds means hacking before the thieves do.
"These money grabbers can find a very easy way to exploit a vulnerability, and all of a sudden, millions of dollars are stolen," LP said.
The race against the hackers began. LP's colleagues had discovered the loopholes that the hackers were exploiting. With his help, LP wrote a series of smart contracts in order to exploit the loopholes before the hackers could.
"Well, we saved your life, you should give us something."
The hacks quickly intensified because actions on the blockchain are public. After several twists and turns, the white hat actions of LP and her colleagues were recorded on the blockchain, where hackers could also notice their activities. At this point, other opportunistic hackers saw what was happening and started cashing in on the opportunity. But in the end, LP and her two colleagues managed to save tens of thousands of dollars, help the project fix bugs and prevent hackers from attacking. However, the hacker still netted around 800 ETH, worth about $1.5 million as of now, according to LP.
According to LP, the entire operation lasted about half an hour.
white hat hacker
The emergence of "white hat hackers" can be traced back to the beginning of the invention of the Internet. It originally came from the setting of "good guys wear white hats and bad guys wear black hats" in Western movies. In the world of network security, white hat hackers are recognized as righteous hackers, such as LP.
However, in the world of cryptocurrencies, the lines between black and white are not so clear-cut.
Some hackers have exploited loopholes to steal funds, then publicly announced that they would return the funds if they were rewarded. For example, in the bizarre hack of the Poly Network, the company repeatedly and publicly pleaded with the hackers, calling them Mr. White Hats, after which they returned the stolen cryptocurrency, about $600 million. The recent Multichain hack is another example. We can’t be sure if the hackers in these cases were white hats throughout; maybe they changed their minds after the theft, as the funds were sitting in their encrypted wallets and the pressure was heightened by the world’s attention.
There are also "white hat hackers" like LP who launch attacks forcefully to salvage funds, often racing against nefarious hackers, sometimes without the consent of the targeted wallet or cryptocurrency protocol user. The intention these hackers always hold is to return the funds to their rightful owners.
The term first caught on in this context perhaps in 2016, when volunteer programmers calling themselves the Robin Hood team competed with hackers who stole millions of dollars in ETH from The DAO, then one of the most promising organizations in the cryptocurrency space. At the time, the group saved roughly $15 million in ETH by defeating the hackers, an event widely known as the "white hat hack." The following year, the group, now calling itself the White Hat Group, saved $200 million in cryptocurrency after Ethereum client Parity was hacked.
This practice has become more frequent in recent times with hacks targeting cryptocurrency protocols and users. According to a report by blockchain cybersecurity firm Immunefi, hackers and scammers have stolen an estimated $1.23 billion in cryptocurrencies just in the first three months of this year.
Motherboard interviewed five people, including LP, who said they had direct experience of being involved in this type of white hat activity.
Stephen Tong, co-founder of blockchain security firm Zellic, told Motherboard in an online chat, “In Web3, white hat hackers are being sought after as heroes. It’s definitely a win-win situation. People approve of this behavior, because if I'm not doing it, who else is going to? At least I'm better than some black hats. That's our mentality."
It is unclear whether white hat hackers are legally justified in stealing from other people's wallets or protocols without their consent.
Preston Byrne, a lawyer who studies cryptocurrency issues, told Motherboard in an email: "White hat hacking is noble, but the activity is fraught with risk without the consent of the target of the operation. It is one thing to disclose a vulnerability, regardless of the reason. Violating the rights of third-party fund owners for one reason is another, and if the target becomes dissatisfied with the hack for some reason, the hacker could be held civilly and criminally liable.”
The end result may depend on the thoughts of the organization or individual whose cryptocurrency was taken by a white hat hacker without their consent.
“The problem with white hat/grey hat hackers is that some campaign target might thank them for telling them about the vulnerability, but someone else might throw a fit and call the police,” Preston said. "When a white hat hacker discovers a vulnerability in a smart contract system, the best thing to do is to privately inform the developers and leave it at that - you're not superhuman, and it's not your job to save the world."
The practice of white hat hacking, which involves taking cryptocurrency from users or even hackers' wallets, can be compared to the controversial concept of hacking back. In the world of cybersecurity, counter-hacking basically refers to the victim of a data breach trying to recover stolen files on their own, gathering information about the hacker's whereabouts and identity -- in order to hack. While the move was controversial, the push back against the hackers did exist, but it was done in secret because of the legal risks.
Some white hat actors in the cryptocurrency world are trying to avoid the risk of prosecution.
Emiliano Bonassi is a blockchain cybersecurity researcher who has also been involved in several white hat operations. In one case last year, the wallets of users of the cryptocurrency investment platform Primitive Finance were exposed and accessible to anyone with a knack for exploiting a vulnerability.
“The only way we can save users of the protocol is to siphon funds from their wallets and notify them. So that’s the worst case scenario you can have because you’re basically siphoning users’ funds,” Bonassi told Motherboard on the phone.
Bonassi worked alongside Immunefi founder Mitchell Amador and researchers at cryptocurrency cybersecurity firm Dedaub as intermediaries in the case. On top of that, Primitive Finance employees were also involved in the rescue from the very beginning, according to a post-mortem investigation by the white hat hackers.
Unlike LP, Bonassi and his colleagues did not use their own wallets to hold funds, but merely showed protocol developers how to conduct white hat attacks.
“We showed them how to execute, we developed execution scripts, we did simulations, and we said to them, we support you, you execute. If everything goes wrong, we will take action.”
Some blockchain network security researchers are fully aware of the risks - using their own wallets and attacking vulnerable wallets without the consent of the wallet owner or protocol builder are full of risks.
A cybersecurity researcher, who spoke to Motherboard on the condition of anonymity precisely because of the risk of using a wallet when saving someone else’s cryptocurrency, said he has done so in a few cases in the past.
“It’s kind of concerning, so maybe I shouldn’t be in the public eye. The whole industry is kind of nervous right now, which is why I’m not actively involved in these activities anymore,” the researcher told Motherboard by phone.
Others don't use their wallets at all.
“My personal principle is that I would never send a transaction alone. I would also never escrow other people’s funds,” Samczsun (pseudonym), a security researcher who works for the cryptocurrency investment company Paradigm, told Motherboard on the phone. “My principle is that I provide you with all the information you need, let you grasp the situation as soon as possible, and then leave the decision to you. I'm not going to step in and forcefully take over the whole thing myself, if you want me to help, I will. If you're willing to handle this yourself, then I'd be more than happy to step aside and let you handle it."
"Personally, I would be reluctant to investigate such an incident if I want to temporarily acquire and dispose of nine-figure assets." Samczsun has participated in several white hat hacking activities, saving millions in cryptocurrency ($350 million in the Sushi Swap case and nearly $10 million in the Lien Finance case). “So if I could, I would avoid it altogether. I’m not sure if the Good Samaritan Law, the law that encourages people to help people in danger or distress in emergency situations, also applies to blockchain, without fear of being sued if they inadvertently cause injury or death."
Preston thinks Samczsun is right because the Computer Fraud and Abuse Act penalizes actions that cause losses, such as taking cryptocurrency from someone’s wallet, even if it is not fraudulent.
"If you decide to go it alone, you definitely shouldn't do it to avoid suspicion. It's playing with fire and remember, you risk getting the attention of prosecutors," Preston said.
“The only way we can save users of the protocol is by siphoning funds out of their wallets.”
At a conference organized by Chainalysis last month, Elizabeth Roper, Chief of the Cybercrime and Identity Theft Bureau of the New York County District Attorney's Office, said white hat hacking is a legal "true gray area," and it's an area prosecutors might want to focus on.
"If it ended up saving every user on the platform and a lot of money, and the person who did it went public immediately, maybe we wouldn't use the resources to prosecute it," Roper said. "But again, it needs to be done on a case-by-case basis."
When asked if she would be worried about unwarranted disasters, LP said that usually the cryptocurrency projects she participates in are small in scale and are not even located in the United States, so she has done a risk assessment and believes that providing help will not face the risk of prosecution.
LP said, "It's very unlikely that I will be sued, but it is very possible for me to save other people's funds and make sure they don't go completely broke, and then it will be a very bad day for them."
A more likely outcome for white hat hackers is that they get rewarded for the "trouble" they cause. The Fantasm case isn't the only salvage effort by LP and her team at RugDoc. In that case, they didn't ask for a reward. But at other times, they demand something.
"If it's a big, notorious project and they have money left over, we'll say, 'Well, we just saved your life here, and you should give us something,'" LP said.
If there were no official bug bounty, the usual standard reward would be 10 percent of the funds that would have been stolen, Bonassi said. But he has also participated in white hat attacks in the past without any compensation, because he wanted to help the cryptocurrency projects involved, and he wanted to contribute to the entire ecosystem.
For Bonassi, white hat hacking isn't just about deterring would-be hackers, it's also a learning opportunity for everyone.
"The larger the reward, the more motivated researchers are to find and report bugs."


