What Are The Different Types Of Crypto Hackers?

25 Jul 2022

Ruben Merre, NGRAVE Co-founder & CEO


We can broadly group crypto hackers by intent (malicious vs benevolent), but the reality is far more complex. Many types of crypto hackers have different motivations and strategies.

Article Quick Links:

  • What is the likelihood of restitution after a crypto hack?
  • Polygon & Poly Network White Hat Hackers
  • Ronin Network State-Sponsored Hack
  • Restitution & Bail-ins
  • The dangers of reaching out for help
  • Prevention is the best cure

Storing, trading and transacting crypto exposes you to a multitude of online hacking threats. Those threats vary in sophistication because hackers are a diverse group. Breaking down hackers by strategy and motivation exposes their level of sophistication, but what the victims of hacks really want to know is whether their funds will be returned. Unfortunately, it isn’t as cut and dried as simply hoping the hackers get caught.

Before we look at the different types of hackers that now exist across the cryptocurrency ecosystem, it is worth agreeing on what we mean by the term ‘hacker’ because it is thrown about without much qualification.

A hacker is someone who uses their knowledge of computers to overcome a specific challenge or problem using non-standard means.

You’ll notice that this definition doesn’t mention anything about harmful intent because hacking is just about finding novel ways to achieve goals which can be for good or bad.

The positive connotations of hacking are evident in job titles like ‘growth hacker’ - finding clever ways to acquire new customers - or across social media where ‘life hacks’ - creative solutions to everyday challenges - are such a popular concept.

Though we can broadly group crypto hackers by intent - black hat (malicious), white hat (benevolent) - the reality is far more complex with several different types of crypto hackers differentiated by motivation and strategy.

Taking inspiration from a report by ScienceDirect, we can break down those hacker types and differing motivational factors:

Different types of crypto hackers. Source: https://www.sciencedirect.com/science/article/pii/S245195882200001X

What is the likelihood of restitution after a crypto hack?

Though strategy and motivation expose hackers’ level of sophistication, what the unfortunate victims of hacks really want to know is whether their funds will be returned.

Regardless of whether the crypto service used is centralised or decentralised, your funds won’t be covered by government deposit protection. 

Some services might provide their own insurance scheme but this is rare, so the chances of restitution then come down to how you are hacked:

  • Personal Hack - If you are the victim of a personal hack, such as a compromised device or wallet, your only hope is to report the crime and hope that the police have the resources to investigate, which is sadly very unlikely.

  • Provider Hack - If you are a user of a crypto business/service provider that gets hacked, unless the hackers are especially unsophisticated, the chances of legal restitution are slim. Though on-chain forensics can follow the trail of stolen funds, pursuing the formal road to legal restitution is generally long and painful. In reality, your chances of being made whole will mainly rest on the ability of the business to cover the losses themselves. 

We can use some examples to illustrate.

Twitter Bitcoin Scam Solved In Two Weeks

Twitter Bitcoin Scam

One of the most memorable crypto-related hacks took place on July 15th 2020, when some of the most prominent Twitter accounts, including Barack Obama, Elon Musk and Bill Gates, were hacked and started tweeting details of a classic Bitcoin scam. It urged followers to send Bitcoin and receive double back as a charitable gesture.

Within a few hours, the hackers had netted over $100,000, but Twitter was soon able to restore control over the accounts, and within two weeks the FBI had caught the perpetrators.

Though the speed with which the hackers were caught may have been connected to the attention the case generated in the media, the primary factor was the sloppiness of those responsible, who fall under the Novice/Script Kiddie category.

The plan was hatched on a forum that traded access to social media accounts that, ironically, had been hacked. Law enforcement obtained a copy of the forum database and cross-referenced user accounts, private messages, IP addresses, and email addresses with external information held by crypto exchanges used to withdraw the proceeds of the scam.

The motivations and methods of the hackers made law enforcement’s job easier and provided a clear path to restitution for those Twitter users who could prove that they were duped by the scam.

Unfortunately, most crypto hacks lack such a clear breadcrumb trail or public interest angle, making investigation and restitution exceptionally challenging. 

More sophisticated hackers will leave far fewer clues and take measures to cover their tracks, for example, laundering stolen funds through services like Tornado Cash, leaving funds untouched for months or even years, or using complicated schemes to obfuscate the trail.

Eight years of torture for Mt.Gox victims

Mt. Gox - The biggest hack

One of crypto’s most prominent misconceptions is that it is anonymous. In truth, it is far more transparent than centralised financial systems. Anyone with an internet connection can view every single Bitcoin transaction. That visibility can help track down stolen funds, but when the theft occurs from a centralised exchange, transparency disappears, as illustrated by the Mt.Gox hack.

The Japanese-based exchange went offline in February 2014, leaving 850,000 BTC (750k from customers & 100k belonging to the Exchange) unaccounted for, roughly 7% of Bitcoin’s entire supply. 

A Tokyo security firm concluded that “most or all of the missing bitcoins were stolen straight out of the Mt. Gox hot wallet over time, beginning in late 2011”. The CEO was separately charged with unrelated embezzlement, meaning the hack was both black hat and an inside job.

Eight years later, customers are still waiting for their share of the 200k bitcoin that was later recovered, with the long overdue distribution expected sometime in late 2022.

The Mt.Gox case illustrates the difficulty of both pinpointing the perpetrators and establishing a fair system of restitution.

The hack happened eight years ago, when bitcoin was worth just $556. The significant increase in its value has meant that how customers get repaid is extremely important. A plan voted on by victims will see them paid back in BTC rather than a dollar-equivalent amount, which is the difference between a modest return and a life-changing sum.

Polygon & Poly Network White Hat Hackers

Polygon narrowly avoids billion dollar disaster

In November 2021 a ‘White Hat’ hacker saved Polygon, the Ethereum scaling platform, from what could easily have been the record for the biggest ever DEFI heist.

A vulnerability in a Polygon Smart Contract put 9 billion MATIC tokens, worth a staggering $20bn, at risk. Though the vulnerability caused the loss of $1.4 million, that was like a birthday present compared to the potential damage had the alarm not been raised.

You might think of Leon Spacewalker - the pseudonym of the White Hat Hacker - as a good Samaritan, but he was paid $2.2 million for his work.

Given the difficulties of moving large amounts of stolen crypto, some White Hat hackers may be acting pragmatically rather than altruistically. Leon Spacewalker walked away with a life-changing sum and the thanks of the community. He could have opted to steal 1,000x more, but would have faced the struggle of extracting the funds without leaving a trail and spending the rest of his life looking over his shoulder.

It could well be that by raising the level of white hat bounties more hackers are incentivised to take this trade-off. 

In some cases, you can almost see the hacker changing sides in real time, as in the case of the $600 million reprieve for the Poly Network from ‘Mr. White Hat’ in August 2021.

A total of $610 million in crypto was stolen after a hacker exploited a vulnerability in cross-chain Smart Contracts. A bizarre back-and-forth between Poly and the hacker on Twitter ensued, eventually resulting in the return of all funds, with Poly christening him ‘Mr. White Hat’ and giving him the title of unofficial security advisor.

Ronin Network State-Sponsored Hack

Ronin network state-sponsored Hack

The decision to wear a White Hat - take the reward and a pat on the back from the community - or a Black Hat - disappear into the shadows with all the loot and the associated risks - may lead to indecision at the individual level. Still, with such rich pickings, many hacks are carried out by organised crime gangs or at the nation-state level, where the intent is unambiguous.

The Lazarus Group is the most notorious state-sponsored hacking group, deemed responsible for numerous high-level financial hacks, including the WannaCry ransomware and the attempt to steal $1bn from Bangladesh Bank in 2016 via the SWIFT network.

In the case of the latter, the group was only able to launder a small proportion of the $1bn they initially stole. The complexity of moving the funds through the international banking system is possibly one of the reasons the Lazarus Group has turned its attention to crypto.

In March 2022, the Ronin Network, an Ethereum side-chain processing transactions for the play-to-earn game Axie Infinity, was hacked for a massive $615 million, with the finger pointed at the Lazarus Group.

The sophistication of the Ronin attack contrasts with other more opportunistic exploits and is characteristic of a state-sponsored hacker. The exploit took months of planning and mixed social engineering with an acute understanding of the multi-sig key security set-up employed.

The professionalism of the hack was underlined by efforts to maximise the profit by shorting AXS - the in-game token - following the attack. The hackers assumed news of the attack would quickly filter through to the market and send the price of AXS plummeting.

In a bizarre twist, the exploit went unnoticed for a week, so the opportunistic short position was liquidated. Nevertheless, the tactic underlined the single-mindedness of the hackers in maximising their haul, ruling out any chance of a Poly Network-type change of heart.

In order to provide restitution, Sky Mavis, the game developer, was instead forced to raise more funds from VCs to make users whole, hoping to recoup the hit to their DAO treasury via future law enforcement action, with a ceiling of two years set for successful prosecution.

The massive decline in AXS value during the recent bear market will put more pressure on the DAO and any plan to make good the loss.

“Out of the total amount stolen, around $400 million belongs to users. The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed. The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the stolen funds are not fully recovered within two years, the Axie DAO will vote on the next steps for the treasury.” - Sky Mavis (owners of Axie Infinity), quoted by Cointelegraph.

Restitution & Bail-ins

Once a protocol or exchange has been hacked, dealing with restitution becomes a balancing act between trying to make users whole, avoiding insolvency and retaining credibility. 

The DAO Hack experienced in the early days of Ethereum forced the drastic action of a blockchain fork, creating two chains, one that erased the hack and one that left the coins with the attacker. 

Implementing God-mode in that way questions the whole concept of decentralisation, and the debate remains relevant, with Solana coming close to using a similar tactic to deal with a huge potential liquidation on Solend, one of its biggest DEFI protocols.

When a centralised service is hacked, the available remedies are very different. When the crypto exchange Bitfinex was hacked for 120,000 BTC in 2016, the scale of the loss was so great it would have forced the company into bankruptcy. Instead, the offshore exchange came up with a rescue plan that required a 36% haircut from its customers, with the balance paid in the form of an IOU.

That IOU was a BFX token equivalent to $1 of lost funds. Thanks to an increase in bitcoin’s price all customers had redeemed their BFX within eight months or exchanged them for shares in the parent company, iFinex. 

Those who took the share route received RRT tokens (Recovery Right Tokens), designed to provide restitution should the stolen funds be found. 30 million RRT were issued at a value of $1 apiece and, against all the odds, the original perpetrators were caught in February 2022 - six years down the road - meaning those RRT holders would be paid out.

But rather than leave customers feeling satisfied, the recovery of the stolen bitcoin has opened a massive can of worms that again highlights the problem of restitution.

At the time of the hack bitcoin’s price was $600, but when the funds were recovered the price was over $40,000. Bitfinex stated that customers had been made whole, but unsurprisingly the victims felt a little differently given the appreciation. What happens to the recovered billions remains an open question.

Bitfinex-style bail-ins are likely to become a standard ploy to enable restitution after hacks. Badger DAO used the approach when the front end of the DEFI protocol was hacked for $150 million in value in December 2021.

Ironically, one of Badger’s biggest victims was the CEFI platform Celsius Network, which has since run into serious liquidity issues triggered by the market downturn, pausing withdrawals in June. Amid radio silence from the company, the architects of the Bitfinex rescue plan are proposing a similar bail-in for Celsius’ 1.7 million customers.


The dangers of reaching out for help

As we’ve seen with protocol or exchange hacks, the chances of restitution are slim and the road to recovery of funds is long and uncertain. Being on the wrong end of a hack is a miserable experience, leaving the victim both confused and powerless.

Where the hack happens at an individual level, it’s natural to look anywhere for help. Some people share their experiences of being hacked as a way to warn others, which is a useful public service, but the chances of finding a knight in shining armour on social media or forums are low. In fact, this can actually make things worse.

Hackers feed off desperation and distress, so by reaching out you stand a very good chance of inviting even more problems as scammers will try and sell you false promises of assistance.

Once your wallet has been exploited, your best chance of recovery is if you can quickly trace the funds to an exchange and request that they freeze them, but few users have the skills or presence of mind to do this fast enough.

As this Reddit poster discovered, once your funds have gone, efforts to retrieve them can often be just throwing good money after bad:

“I hired a private investigator... they have been working on my case for about 6 months and traced about 6 different transactions, I have a report from the company, I filed a local police report and now they are on the hunt for these guys. I am really trying to be realistic with my expectations, I am just curious if anyone here has ever recovered stolen Bitcoin?” - Reddit

Prevention is the best cure

The harsh reality of hacks is that prevention is the best cure; this is equally true at the operator and the individual level.

For operators there are a number of tactics:

  • Offering bug bounties

  • Paying top-dollar for the best devs

  • Holding White Hat hacking events

  • Getting code/smart contracts externally audited

  • Penetration testing/security reviews

  • Using Multi Party Computation (MPC), Multi-sig wallet management and/or external custodians

NGRAVE’s CTO and co-founder, Xavier Hendrickx, was motivated by his experiences with hacks to create a secure hardware wallet. When he was working with Swarm City in 2017, the ICO lost 44,000 ETH through the “(Multi-sig) Parity hack”. Hendrickx then became involved with a white hat hacking group which pre-emptively hacked other projects to prevent the loss of $208M in value.

The focus on proactive prevention is at the core of NGRAVE’s continued focus on the security of ZERO (our flagship hardware wallet), LIQUID (a companion mobile app) and GRAPHENE (our unique Seed recovery system). All three are regularly opened up to White Hat hackers and penetration testers.

How to avoid getting crypto-hacked

On a personal level, the best way to prevent yourself from becoming another crypto hacking statistic can be summarised in three points:

  1. Educate yourself about online security best practices. The NGRAVE Academy has plenty of content to help in that regard.

  2. Constantly review all aspects of your online security.

  3. Store your crypto on a hardware wallet like the NGRAVE ZERO and your recovery Seed offline, ideally on the GRAPHENE dual-plate stainless steel recovery system.

There are many different types of crypto hackers, each with varying motivation and sophistication. Should you fall victim, restitution is unlikely and, where available, almost always complex, so it is best to put all your energy into prevention. To protect your crypto you should embrace its most fundamental characteristic, the ability to self-custody, best achieved via a hardware wallet.

Ruben Merre, NGRAVE Co-founder & CEO

Ruben is a repeat tech entrepreneur. His focus is on digital asset security and financial empowerment. He is co-founder and CEO of NGRAVE, the creator of “ZERO” - the world’s most secure hardware wallet for crypto storage. In 2021, he was selected for Belgium’s 40 under 40. Before that, he was a finalist in scale-ups.eu’s Disruptive Innovator of the Year 2020 Award, and nominated in Google/PWC/Trends’ Digital Pioneer 2020.