It was early in the morning on March 9 when LP, who was still asleep, started getting calls on her Telegram. According to her, that is never a good sign. Still in her button-down pajamas with her bedroom shades drawn, she reached under the blanket and grabbed her laptop, and put in her contact lenses. It was time to try to save someone else’s cryptocurrency—by hacking them first.
LP, who prefers not to use her real name to protect her privacy, is an engineer with a PhD who used to work at a Silicon Valley law firm and the founder of the cybersecurity companies RugDoc and Paladin Blockchain Security. She wants everyone to know that crypto is “more than basement dwelling white men," she told Motherboard.
The Telegram caller was one of her colleagues who told her that someone was hacking the investors of a cryptocurrency protocol called Fantasm, which at the time had millions of dollars in liquidity locked up by investors, according to LP.
Once she was awake enough to get on her laptop, she said she started working with two colleagues to save as much cryptocurrency as they could, in an attempt to beat the hacker and limit the damage. In the world of crypto, where stolen funds are usually gone for good due to the irreversible nature of the blockchain, rescuing funds like this means doing the hacking before the thief can.
“An exploiter found out there was a very, very easy way to exploit this thing,” LP said. “All of a sudden millions of dollars were getting drained from it.”
The race against the hacker was on. With the help of a colleague, who had been able to figure out the vulnerability that the hacker was exploiting, LP said she wrote a series of smart contracts designed to exploit the vulnerability faster than the hacker could.
“Alright, guys, we just saved your butts here, you should give us something.”
Because actions on the blockchain are public, hacking events can quickly become feeding frenzies. LP and her colleagues' exploit took some trial and error, which was recorded on the blockchain, so the hacker was able to notice their activities. At that point there were even other opportunistic hackers who saw what was happening and started draining funds, too. But LP and her two colleagues were able to save tens of thousands of dollars, and help the project fix the bug and stop the hack. However, the hacker still netted around 800 ETH, worth around $1.5 million as of this writing, according to LP.
“A lot of people lost money, and it wasn't the happiest of endings. But it wasn't as terrible as it could have been,” said LP.
The whole operation took around half an hour, according to LP.
The term “white hat” is as old as the internet, and it originally comes from Western movies, where the good guys wore white hats, and the bad guys black hats. In the world of cybersecurity, a white hat is universally known to refer to a hacker with benevolent intentions, like LP.
In the world of crypto, though, colors tend to bleed.
There are the hackers who take advantage of vulnerabilities to steal money, then publicly announce that, actually, they are going to return it as long as they get a reward. This happened in the bizarre case of the Poly Network hack, where the hacker returned the stolen crypto—around $600 million—after the company repeatedly and publicly pleaded with them, calling them Mr. White Hat, and in the more recent hack on Multichain. In these cases, it’s unclear if the hackers were really white hats all along or if they changed their minds after stealing the money and feeling the pressure as it sat in their crypto wallets, watched by the entire world.
There are also the people who do “white hatting” like LP, who swoop in and save funds, often in a race with malicious hackers and sometimes without the consent of the users whose wallets are being targeted or the crypto protocol that’s being hacked. These hackers always maintain the intention of returning the funds to the legitimate owners.
Do you have information about white hat hacks in the world of crypto? Or do you know of other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
Perhaps the first time the term became popular in this context was in 2016, when volunteer coders calling themselves the Robin Hood Group raced against the hackers who were stealing millions of dollars in ETH from The Decentralized Autonomous Organization (DAO), at the time one of the most promising organizations in crypto. In that case, the group was able to fight back against the hackers and saved around $15 million in ETH, an event that was widely referred to as a white hat hack. The following year, the same group, now calling themselves the White Hat Group, saved $200 million in crypto after a hack on Ethereum client Parity.
In recent times, the practice has become relatively more frequent along with the hacks targeting crypto protocols and users. Just in the first three months of this year, hackers and scammers have stolen approximately $1.23 billion in crypto, according to a report by blockchain cybersecurity company Immunefi.
For this story, Motherboard spoke to five people, including LP, who said they have had direct experience participating in this kind of white hatting.
“In Web3, white hats really are held in high regard as heroes. It’s definitely a win-win situation,” Stephen Tong, the co-founder of blockchain security firm Zellic, told Motherboard in an online chat. “It's accepted because if I don't do it, then who else is gonna do it? Better me than some black hat. That’s the mentality.”
It’s unclear if white hatting other people’s wallets, or other people’s protocols without their prior consent, is above board, legally speaking.
“White-hat hacking, while noble, in crypto is nonetheless fraught with risk in the absence of the affirmative consent of the target,” Preston Byrne, a lawyer who specializes in issues surrounding crypto, told Motherboard in an email. “Disclosing a vulnerability is one thing; assuming the rights of an owner over third party funds, regardless of the reason, is quite another, and if the target is displeased with the hack for whatever reason this could expose the hacker to civil and criminal liability.”
That outcome may depend on the whims of the organization or individual whose crypto was taken by the white hat without their knowledge or consent.
“The issue with a white/gray hat hacker is that where one target would (quite rightly) be grateful to be notified about a vulnerability, another target might blow their stack and call the police instead,” Preston said. “The best approach when a white hat identifies a vulnerability in a smart contract system is to privately notify the devs and leave it at that. You’re not Superman and saving the world is not your problem.”
The practice of white hat hacking when it involves taking crypto from users’ wallets or even the hackers’ wallets could be compared to the controversial concept of hacking back. In cybersecurity, hacking back happens when the victim of a data breach goes and tries to recover the stolen files on their own, and collect information on the hackers’ whereabouts and identities—hacking the hackers, basically. While highly controversial, hacking back does happen, albeit in secret, given the legal risks.
Some people involved in white hatting in the world of crypto try to avoid the risk of getting prosecuted.
Emiliano Bonassi is a blockchain cybersecurity researcher who has also participated in several white hat operations. In one case last year, the wallets of the users of Primitive Finance, a crypto investing platform, were exposed to anyone who knew how to exploit a bug.
“The only way that we could save the users of the protocol was to drain funds from their wallet, and then notify them. So this is the worst case you may experience because you have to basically drain the funds of your users,” Bonassi told Motherboard in a call.
Bonassi worked with Immunefi founder Mitchell Amador as an intermediary in this case, and researchers from crypto cybersecurity firm Dedaub. Crucially, people from Primitive Finance were involved in the rescue from the very beginning, according to a postmortem of the white hat hack.
Unlike LP, Bonassi and the people working with him did not use their own wallets to save the funds and only showed the protocol developers how to do the white hat hack themselves.
“We demonstrated to them how to perform, we developed the scripts to perform, we simulated, and after we said to them: ‘We have your back, you execute the command, if everything goes wrong, we will take action,’” Bonassi said.
Some blockchain cybersecurity researchers are well aware of the risks of using their own wallets, and hacking without the consent of the users with the vulnerable wallets, or the devs who built the vulnerable protocol.
A cybersecurity researcher who spoke to Motherboard asked to remain anonymous precisely because of the risk of using people’s wallets when saving other people’s crypto, something he said he had done in some cases in the past.
“It is worrying, which is maybe a good reason not to go ahead and publish names. This whole business is a bit stressful, which is why I'm not actively doing this anymore,” the researcher told Motherboard in a call.
Others just flat-out never use their own wallets.
“As a personal policy, I don’t ever send out transactions on my own. And I certainly won’t take funds into my own custody,” samczsun, a pseudonymous security researcher who works at crypto investing firm Paradigm, told Motherboard in a phone call. “My policy is: ‘I’ll give you everything you need to know, to get you up to speed. And then I will let you make the decisions.’ I see myself not as someone that steps in and takes the reins by force. If you want me to help, I'll help. If you'd rather handle this by yourself, I'm happy to step to the side and let you take care of it.”
“The implications of temporarily acquiring nine figures of assets, and then disposing of them, for me personally, is something that I don't really want to find out,” said samczsun, who has worked on several white hat hacks that saved millions in crypto ($350 million in the case of Sushi Swap, and almost $10 million in the case of Lien Finance). “And so if possible, I just avoid that entirely. I’m not sure if the Good Samaritan law extends to blockchain," referring to laws that encourage people to help someone who is in danger or distress in an emergency situation without having to worry about getting sued if they inadvertently cause injury or death.
According to Preston, samczsun has the right approach, given that the Computer Fraud and Abuse Act (CFAA) can penalize actions that cause loss, such as taking crypto from someone’s wallet, even when they are not otherwise fraudulent.
“If you decide to take curative matters into your own hands, and for avoidance of doubt you absolutely should not do this, you are playing with fire, so keep in mind that you run the risk of attracting a prosecutor’s attention,” Preston said.
“The only way that we could save the users of the protocol was to drain funds from their wallet.”
At a conference organized by Chainalysis last month, Elizabeth Roper, the chief of the cybercrime and identity theft bureau at the New York County District Attorney's Office, said that white hatting is “a real gray area” of the law and it could be something prosecutors may want to look at.
“If it ends up saving everyone, every user on the platform and a bunch of money and the person who did it kind of immediately discloses it,” Roper said, “maybe we wouldn't use our resources to prosecute that person, but again it depends on the specific case.”
When asked if she’s worried about unwanted consequences, LP appeared calm. She explained that for her the risk-benefit calculation is based on the fact that oftentimes the crypto project involved is relatively small, may not even be based in the U.S., and probably won’t file charges if she helps them.
“It’s very unlikely I'm gonna get prosecuted, but it's very likely that I can maybe save some of these funds and make sure that someone doesn't go completely broke and have a very bad week, month, year, whatever,” LP said.
One outcome that is more likely for white hatters is to get a reward for their trouble. The Fantasm case is not the only time LP and her team at RugDoc have rescued funds. In that case, they didn’t ask for a reward. Other times, they have.
“If it's a large and notorious project that is going to have funds leftover, we will be like: ‘Alright, guys, we just saved your butts here, you should give us something,” LP said.
Bonassi said that usually the standard reward, if there is no official bug bounty, is 10 percent of the money that could have been stolen. But he has pulled off white hat hacks and reported vulnerabilities with no compensation in the past, out of a willingness to help not just the crypto project involved, but the whole ecosystem. Other than stopping a potential hack, Bonassi also likes to think as white hat hacks as a learning opportunity for everyone involved.
And the larger the reward, the more likely researchers will be motivated to go out, find bugs, and report them.
“We started with bug bounties of 10k, then 100k. Now we have bug bounties of 1 million, 10 million. Probably in the next year, we are going to see hundreds of millions—billions,” Bonassi said. “Because the difference between Web3 and other industries is with a hack that occurs in a few seconds, you get access to an infinite amount of money. So we need to push big incentives to make it safe.”