The dilemma of white hat rescue: Should they only notify the project party or directly transfer the assets?
Original Title: "Meet the Vigilantes Who Hack Millions in Crypto to Save It From Thieves"
Original Author: Lorenzo Franceschi-Bicchierai
Translation by: Guo Qianwen, Chain Catcher
On the morning of March 9, LP was still asleep when she suddenly started receiving calls on Telegram. According to her, this was definitely not a good sign. She put on her button-up pajamas, pulled back the bedroom curtains, yanked her laptop out from under the blanket, and put in her contact lenses. It was time to save other people's cryptocurrency—by hacking them first.
LP is an engineer with a PhD who previously worked at a law firm in Silicon Valley and is now the founder of cybersecurity companies RugDoc and Paladin Blockchain Security. For privacy reasons, she prefers not to use her real name. She wants everyone to know that cryptocurrency doesn't just mean "living in the basement of good people."
The call was from a colleague who informed her that investors in a cryptocurrency protocol called Fantasm were being attacked, with millions of dollars in liquidity locked by investors at that time.
Once she was up and had opened her laptop, she began collaborating with two colleagues to try to outsmart the hackers and save as much cryptocurrency as possible. In the world of cryptocurrency, because blockchain transactions are irreversible, stolen funds often disappear forever, and saving the funds means hacking them before the hackers do.
LP said, "These robbers can find very easy ways to exploit vulnerabilities, and suddenly, millions of dollars are stolen."
The race against the hackers began. LP's colleague had already identified the vulnerability being exploited by the hackers, and with his help, LP wrote a series of smart contracts to exploit the vulnerability before the hackers could.
Because actions on the blockchain are public, the hacking incident quickly escalated. The white hat actions of LP and her colleagues faced many twists and turns, recorded on the blockchain, and the hackers could also notice their activities. At this point, other speculative hackers saw what was happening and even began to take advantage of the situation to make a profit. But in the end, LP and her two colleagues successfully saved tens of thousands of dollars and helped the project fix the vulnerability, stopping the hackers' attack. However, according to LP, the hackers still netted about 800 ETH, worth about $1.5 million at the time.
"Many people suffered losses; it's not the best outcome, but it didn't escalate to an irreversible state," LP said.
According to LP, the entire operation lasted about half an hour.
White Hat Hackers
The emergence of "white hat hackers" can be traced back to the early days of the internet, originally stemming from the Western movie trope of "good guys wear white hats, bad guys wear black hats." In the world of cybersecurity, white hat hackers are recognized as the good hackers, like LP.
However, in the world of cryptocurrency, the lines between white and black are not clearly defined.
Some hackers exploit vulnerabilities to steal funds and then publicly claim that they will return the funds if rewarded. For example, in the bizarre hacking incident involving Poly Network, the company repeatedly publicly pleaded with the hackers, referring to them as "Mr. White Hat," after which they returned the stolen cryptocurrency—about $600 million. The recent Multichain hacking incident is another example. We cannot determine whether the hackers in these cases were white hats all along; perhaps they changed their minds after the theft, as the funds were in their crypto wallets, under global scrutiny, increasing the pressure.
There are also "white hat hackers" like LP, who aggressively attack to save funds, often racing against malicious hackers, sometimes without the consent of the target wallet or cryptocurrency protocol users. These hackers always intend to return the funds to their rightful owners.
The term first gained popularity in this context around 2016, when a group of volunteer programmers calling themselves the Robin Hood group raced against hackers who had stolen millions of dollars in ETH from the DAO, one of the most promising organizations in the cryptocurrency space at the time. The group defeated the hackers and saved about $15 million in ETH, an event widely referred to as the "white hat hacker incident." The following year, this group, now calling themselves the White Hat Group, saved $200 million in cryptocurrency after the Ethereum client Parity was hacked.
Recently, with the increase in hacking attacks against cryptocurrency protocols and users, this practice has become more frequent. According to a report from blockchain security company Immunefi, hackers and scammers have stolen about $1.23 billion in cryptocurrency in just the first three months of this year.
Motherboard interviewed five individuals, including LP, who claimed to have direct experience participating in such white hat activities.
Stephen Tong, co-founder of blockchain security company Zellic, told Motherboard in an online chat, "In Web3, white hat hackers are seen as heroes and are sought after. It's definitely a win-win situation. People recognize this behavior because if I don’t do it, then who will? At least I'm better than some black hats. That's our mindset."
The legality of white hat hackers stealing from others' wallets or protocols without consent remains unclear.
Lawyer Preston Byrne, who studies cryptocurrency issues, told Motherboard in an email, "While white hat hackers are noble, this activity is still fraught with risk if done without the consent of the target. Disclosing vulnerabilities is one thing, but infringing on the rights of third-party fund owners for any reason is another. If the target is unhappy with the hacking for some reason, the hacker could face civil and criminal liability."
The final outcome may depend on how the organization or individual whose cryptocurrency the white hat hacker took without consent views the action.
Preston said, "The issue with white hat/gray hat hackers is that some targets may thank them for disclosing vulnerabilities, but others may be furious and call the police. When white hat hackers discover vulnerabilities in a smart contract system, the best course of action is to privately notify the developers and leave it at that—you’re not Superman, and saving the world is not your responsibility."
The actions of white hat hackers involve extracting cryptocurrency from users or even hackers' wallets, which can be compared to the controversial concept of hacking back. In cybersecurity, hacking back generally refers to victims of data breaches attempting to recover stolen files themselves, gathering information about the hacker's whereabouts and identity—to launch a counter-hack. Although this behavior is controversial, retaliatory hacking does exist, but it is conducted secretly due to legal risks.
Some participants in white hat activities in the cryptocurrency world try to avoid the risk of being sued.
Emiliano Bonassi is a blockchain cybersecurity researcher who has participated in several white hat actions. In one case last year, the wallets of users on the cryptocurrency investment platform Primitive Finance were exposed, allowing anyone who could exploit the vulnerability to access them.
"The only way we could save the protocol's users was to extract the funds from their wallets and then notify them. So this is the worst-case scenario you might encounter because you basically have to take users' funds," Bonassi told Motherboard over the phone.
Bonassi worked with Immunefi founder Mitchell Amador and researchers from cryptocurrency security company Dedaub, all of whom were intermediaries in the case. Most importantly, according to the white hat hackers' post-incident investigation, employees of Primitive Finance were also involved in the rescue from the beginning.
Unlike LP, Bonassi and his colleagues did not use their own wallets to hold the funds; they simply showed the protocol developers how to conduct a white hat attack.
"We demonstrated how to execute it, developed execution scripts, simulated it, and then told them, 'We support you; you execute it. If anything goes wrong, we will take action.'"
Some blockchain security researchers are fully aware of the risks involved—using their own wallets and attacking vulnerable wallets without the consent of the wallet owners or protocol builders is fraught with danger.
A cybersecurity researcher who spoke to Motherboard on the condition of anonymity said that using one's own wallet while saving others' cryptocurrency is risky, and he admitted to doing so in some cases in the past.
"It's quite concerning, so maybe I shouldn't be in the spotlight. The whole industry is a bit tense right now, which is why I no longer actively participate in these activities," the researcher told Motherboard over the phone.
Others completely refrain from using their own wallets.
"My personal principle is that I will never send a transaction alone. I absolutely will not hold other people's funds," Samczsun (a pseudonym), a security researcher at cryptocurrency investment firm Paradigm, told Motherboard over the phone. "My principle is to provide you with all the information you need to get up to speed as quickly as possible, and then leave the decision to you. I won't intervene and take over the whole thing; if you want me to help, I will. If you prefer to handle this issue yourself, I'm happy to step aside and let you deal with it."
"For me personally, I am not very willing to investigate such incidents where I temporarily acquire and dispose of nine-figure assets." Samczsun has participated in several white hat hacker activities, saving millions in cryptocurrency (including $350 million in the Sushi Swap case and nearly $10 million in the Lien Finance case). "So if possible, I would completely avoid such situations. I'm not sure if the Good Samaritan Law applies to blockchain, which encourages people to help those in danger or distress in emergencies without worrying about being sued if they inadvertently cause harm or death."
Preston believes Samczsun's approach is correct because the Computer Fraud and Abuse Act penalizes actions that cause loss, such as taking cryptocurrency from someone's wallet, even if it is not fraud.
"If you decide to handle it on your own, to avoid suspicion, you absolutely should not do so. This is playing with fire; remember, you could attract the attention of prosecutors," Preston said.
At a meeting organized by Chainalysis last month, Elizabeth Roper, head of the Cybercrime and Identity Theft Bureau of the New York County District Attorney's Office, said that white hat hackers exist in a legally "real gray area," which may be a field prosecutors want to focus on.
Roper said, "If it ultimately saves every user on the platform and a large amount of funds, and the person doing it immediately discloses the incident, maybe we wouldn't use resources to prosecute it. But it must be emphasized that this needs to be discussed on a case-by-case basis."
When asked if she would worry about facing unjust consequences, LP said that the cryptocurrency projects she typically participates in are relatively small and often not based in the U.S., so she conducts a risk assessment and believes that offering help would not expose her to prosecution risks.
LP said, "It’s unlikely to be prosecuted, but I am very likely to save other people's funds and ensure they don't go completely bankrupt, which would be a very bad day for them."
For white hat hackers, a more likely outcome is that they receive rewards for the "trouble" they caused. The Fantasm case was not the only rescue operation LP and her team at RugDoc undertook. In that case, they did not request a reward. But at other times, they have made requests.
"If it's a large, notorious project with remaining funds, we would say, 'Well, we just saved your life here; you should give us something,'" LP said.
Bonassi said that if there is no official bug bounty, the usual standard reward is 10% of the funds that would have been stolen. But he has also participated in white hat attacks without any compensation in the past because he wanted to help the involved cryptocurrency projects and contribute to the entire ecosystem.
For Bonassi, white hat hacker actions are not only about stopping potential hackers; they are also a learning opportunity for everyone involved.
The larger the reward, the more motivated researchers are to seek out and report vulnerabilities.
He said, "We initially offered a bounty of $10,000, then $100,000. Now we have bounties of $1 million and $10 million. Perhaps next year, we will see bounties in the hundreds of millions or billions. Because Web3 is different from other industries, here, hacking attacks can happen in seconds and yield unlimited profits. Therefore, we need to promote large incentives to ensure system security."