Inside the crypto war room: How a whitehat hacker helped recover $450 million

Whitehat hacker Ogle is a big believer that negotiating with blackhat hackers is the best approach for DeFi teams. Credit: Darren Joseph
  • A whitehat hacker explains how he helps recover funds stolen in DeFi hacks.
  • Negotiating is often the most productive approach.
  • But some security researchers have criticised making deals with blackhat hackers.

When hackers strike, DeFi teams often feel helpless.

Many don’t want to turn to the cops, and identifying those responsible is increasingly difficult.

That leaves few options, but there is one that offers hope — negotiation.

There’s just one problem — the developers behind DeFi protocols are notoriously bad at dealing with such issues.

“It’s just not a skill set that exists in crypto very much,” Ogle, a pseudonymous whitehat hacker, told DL News in an interview.

“A lot of folks in crypto are 23 years old and they haven’t really done anything.”

Big believer

Ogle is a big believer that negotiating with blackhat hackers is a sound approach, and perhaps the only one, that DeFi teams can take when their projects have been ripped off.

To that end, he’s helped recover more than $450 million from more than 40 separate hacks and exploits.

Crypto lost in hacks and exploits is down from its peak in 2022.

His biggest success? Helping secure the $240 million recovery for Euler Finance in April 2023.

Ogle’s other negotiations include the July 2023 Curve Finance liquidity pool hacks and the April 2023 Sentiment hack.

“I’ve been around the block and dealt with very difficult people, dealt with big egos,” he said.

Negotiating with hackers, no surprise, isn’t easy.

Chances are they have no interest in talking to representatives of the projects they just exploited. And even if they do engage, it can often be a waste of time.

When crypto exchange KyberSwap lost $48 million to an exploit in December, the hacker responded to negotiations by demanding control over the protocol, its founding company, and all its assets, in exchange for returning users’ funds.

Even so, Ogle said negotiating beats doing nothing, which is usually the harsh reality after a hack.

A losing position

When a DeFi protocol gets hacked it’s all hands on deck.

Behind closed doors, teams of crypto security experts form online war rooms — places to share information, strategise, and find the best way to recover the stolen assets.

“I tend to get yanked into these rooms once in a while,” Ogle said.

Hacked DeFi projects are almost always starting from a losing position — something hackers know very well.

Many projects don’t want to bring in law enforcement for the investigation. They feel the authorities will probably never catch the culprit, and that the authorities may not even have the resources to try.

Law enforcement’s perceived poor understanding of crypto is another worry.

“There’s not a whole lot of value to tracing down an address, or tracing down a person, if you’re not willing to get law enforcement involved,” Ogle said.

Instead, most projects look for a way to get the hacker to return funds of their own volition, something Ogle specialises in.

A credible threat

Ogle’s journey into hack recovery started in 2021 with a little known DeFi protocol called StableMagnet.

The protocol’s creators exploited a quirk in how smart contract code is stored on blockchains to steal $27 million from users.

But StableMagnet’s creators made mistakes. This let Ogle track them as they fled from Hong Kong to Manchester, England.

After Ogle did all the legwork, he handed the information off to local police who arrested the perpetrators.

Tracking hackers is difficult and takes time. There’s no guarantee of success.

But, Ogle said, he only needed to track down hackers once to show it was possible.

“We have an example of people actually being arrested, which hadn’t existed at that point,” Ogle said.

In other words, the StableMagnet arrests could be used as a threat.

“The threat was, hey, look, I’m involved in this one. I’ve gotten people arrested before. You should be afraid. And so if you are afraid, then let’s do a deal.”

The deal

Hacking and programming have always been Ogle’s hobbies. But he also studied business at university and has started and sold tech businesses in Silicon Valley and in New York City.

It’s the negotiation skills Ogle honed in his professional career that he relies on the most in war rooms.

The deal Ogle tries to strike with hackers is that they return 90% of the stolen funds and keep 10%. In return, Ogle and the other security researchers involved promise to cease attempts to track the hacker down.

Some security researchers have criticised such deals, saying that the principle of letting hackers get away with 10% only encourages them.

Ogle sees things differently.

“When you’re dealing with regular people who have lost everything, none of them really care about the principle — they want their money back,” he said.

Sussing hackers out

Ogle’s negotiation skills proved their worth in April 2023, when he helped secure the return of $240 million for DeFi lending protocol Euler Finance.

“They worked on it for a while, but had a little bit of difficulty with the recovery part of it. So after a couple of weeks, they called me in to help out,” he said.

Ogle’s tactics worked.

The Euler hacker, who told DL News he is an Argentine called Federico Jaime, returned all the stolen funds, minus $2 million he sent through Tornado Cash, and another $200,000 he sent to North Korean hackers Lazarus Group.

“For hackers who are just starting out: don’t be stupid, don’t steal, do bounties, etc,” Jaime said after returning the funds.

“You have to suss out what the type of person you’re dealing with,” Ogle said.

“If they’re an opportunistic thief, who just picked up a wallet on the ground because they walked past it, that’s different than someone who organises a break in, right?”

Tim Craig is a DeFi Correspondent at DL News. Got a tip? Email him at tim@dlnews.com.