How Samczsun is bridging the old web to the dark forest
The Security Alliance (SEAL) is eager to help law enforcement battle North Korea’s Lazarus
A white hat hacker and a journalist walk into a bar.
My conversation with crypto’s most well-known white hat hacker
It’s been said before, but Samczsun is like Batman. He dwells quietly in the shadows, hiding his identity behind a mask. If trouble is brewing in crypto’s Gotham City, its denizens expect him to speed to the rescue.
In place of a bat signal, he’s got a Telegram hotline.
Hacked? Wallet drained? Message SEAL 911. A team of experts called the Security Alliance (SEAL), which Samczsun founded last year, is ready to respond. “The best cybersecurity researchers in crypto are just one Telegram message away,” he says.
I interviewed Samczsun last week as part of the PGP* (Pretty Good Policy) for Crypto breakfast, a monthly gathering of crypto policy insiders in Washington, DC. He appeared remotely, using an anime-style avatar and a voice modifier because he chooses to remain pseudonymous.
The theme was “the developing state of crypto incident response.” But cybersecurity is always developing, he said. “Security is not a solved game and never will be.” SEAL is focused on preparedness and adaptation—the more quickly the right experts can be deployed after something goes wrong, the more likely it is that the situation can be rectified.
The project is bigger than crypto. As Samczsun explained, SEAL is a bridge between the old web and a mysterious new one made of blockchains. That puts it in a prime position to help governments counter national security threats like North Korea’s Lazarus Group.
The dark forest
Before SEAL, there was just Samczsun.
Five years ago, decentralized finance (DeFi) was in its early days, but it was already attracting some of the world’s most sophisticated hackers. It seemed like every time there was a big hack, Samczsun was among the first on the scene. He led many operations that successfully recovered funds. But a couple of encounters with a particularly alarming adversary may have had the biggest effect on his career trajectory.
“This is a horror story.” That’s the first sentence of a now-famous blog post, authored in August of 2020 by Dan Robinson and Georgios Konstantopoulos, two researchers at the venture capital firm Paradigm. The post, Ethereum is a Dark Forest, recounted an attempt to rescue funds from a vulnerable smart contract and described a new species of “monster” lurking deep within Ethereum.
Robinson had discovered a bug in one of the smart contracts underlying Uniswap, already the most popular decentralized exchange. He saw how the vulnerability could be exploited to pilfer money from the protocol. He also knew he could try to take the money himself, to preempt an adversarial actor running off with it. But doing so, at least in the conventional way, would play right into the hands of the faceless monsters lurking in the shadows.
Technically, they were lurking in Ethereum’s mempool, which is like a waiting area for pending transactions. “It’s no secret that the Ethereum blockchain is a highly adversarial environment,” the researchers wrote. But “the mempool is something worse: a dark forest.”
The Dark Forest is the title of a science fiction book by the writer Cixin Liu, which, as Robinson and Konstantopoulos put it, describes “an environment in which detection means certain death at the hands of advanced predators.” The predators in this case were bots programmed to pounce on certain kinds of pending transactions in Ethereum’s mempool. Robinson knew that if any were watching, sending a regular transaction to rescue the funds wouldn’t work; the transaction “would get instantly sniped in-flight.” He assembled a small team, including Konstantopoulos, and consulted other security researchers, including Samczsun.
The team devised an elaborate strategy to “obfuscate” the rescue transaction by deploying custom smart contracts and splitting the transaction into two. You should read the post if you are interested in the technical details, which are gnarly. But the goal was to slow an attacker just enough to get the good guys’ transaction across the line first.
The attempt failed after the team initially struggled to get their rescue transactions included in a block. Again, check out the post for all the technical details, but the story ends with a frontrunning bot scoring the loot. “Time pressure got to us, and we got sloppy,” the researchers wrote.
It wasn’t all for nothing, though. The episode set the stage for a similar one soon after. This time, a team led by Samczsun beat the mempool monsters to the punch. Crucially, they were able to work directly with a miner in Asia to get their transaction included in a block without having to send it to the public mempool. Samczsun and other key players documented the dramatic operation in a second blog post called Escaping the Dark Forest.
“Like any good VC”
Shortly after these two encounters, Paradigm hired Samczsun full time. He initially focused on auditing smart contracts for the firm’s portfolio companies, drawing on what had thus far been his core professional skillset. But after a while, he told me, “I realized that I wanted to really be doing something more with my time than solving these one-off problems.”
“Conceptually, doing these audits was sort of like putting in one unit of work and getting out one unit of work,” he said. “And what I wanted to do was figure out how I could leverage up on that, like any good VC.” He decided the best thing he could do for crypto was to use the reputation he had built as its most celebrated white hat hacker to coordinate an industry-wide effort focused on making crypto safer. Hence SEAL.
The first thing the organization did was establish the SEAL 911 system. “Once you message, we can triage what your problem is,” he said. “We can connect you with all the right people.” In crypto, that’s no small undertaking. Some of the most talented folks make themselves intentionally difficult to reach. You have to know the right Telegram and Twitter handles. More importantly, the people on the other end of those handles have to trust you.
Over the past year, SEAL has added several other initiatives, including an information sharing platform and a program for “wargaming” new protocols. It has also pioneered something called the Safe Harbor Agreement for White Hat Hackers, which shields white hats from legal liability in case they have to hack a protocol themselves as part of a rescue mission. All of these are fed by threat intelligence data collected via SEAL 911.
Crypto 🤝 the government
Crypto’s cyberthreat landscape evolves fast. “When we first launched SEAL, smart contract hacks were sort of the bread and butter of cybercriminals. Almost every ticket that we got was a smart contract hack,” Samczsun said during the PGP* breakfast. “Today, that cannot be farther from the truth.” Much more common now are attacks on individuals, he said, often through social engineering—for example, using a phony email or social media message to lure an individual into sharing access to their wallet.
Social engineering was at the center of a hack in March that led to what the New York Times called “the biggest crypto heist in history.” Behind the billion-dollar theft from the Bybit exchange was one of the most fearsome monsters in crypto’s dark forest: North Korea’s Lazarus Group.
The SEAL team saw the Bybit hack happening immediately. “It’s very hard not to see a billion dollars moving out of a crypto exchange’s wallet,” Samczsun said. Through the hotline, they quickly confirmed this movement was not intentional and immediately began mapping the flow of stolen funds and flagging associated blockchain addresses for other exchanges and partners.
Still, as it turns out, “our pattern matching completely failed us in this case,” he said.
SEAL had seen many examples before of Lazarus targeting exchanges directly. It was common for them to infiltrate a target exchange by first compromising an employee. This time, Lazarus broke in by first compromising an employee of Safe, Bybit’s wallet provider. Lazarus gained enough access to surreptitiously modify the software’s user interface and dupe multiple Bybit executives into signing away a billion dollars in crypto. The attack and subsequent operation to launder stolen funds reflected unprecedented sophistication.
Since so many politicians view cryptocurrency as a negative force that must be contained, Lazarus arguably represents an existential threat to the crypto industry. It’s important to bear in mind that Tornado Cash developers Roman Storm and Alexey Pertsev were only prosecuted after the North Koreans allegedly used the system to launder hundreds of millions in funds they stole from the crypto video game Axie Infinity, even though Tornado Cash had been running for years.
But Lazarus may also represent an opportunity for crypto to gain political goodwill, at least if Samczsun has anything to do with it.
That’s because Lazarus is not just a threat to crypto, but also to the US government and others. If those governments want the best shot at stifling the group, they may need SEAL’s help. Some policymakers already seem to understand that. In January, the governments of the US, Japan, and South Korea issued a joint statement warning the crypto industry about North Korea’s cyber program and pushing for more collaboration between the public and private sectors to secure valuable financial infrastructure. The statement mentioned SEAL as an example of the kind of effort it encouraged.
Samczsun said last year his team learned that the FBI has a unit dedicated to tracking Lazarus. The unit is often able to tip off targets to impending threats before they get hacked. But while that works well in web2, he said, web3 presents challenging terrain. “In web2 you have a handful of big players,” he said. “They are almost certainly happy to set up direct connections with the government themselves.” In crypto, that’s… not the case. “A lot of actors in crypto are not interested at all in communicating with any government.” Many don’t use email, LinkedIn, or their real names, and tend to distrust others by default. It’s a dark forest, after all.
That leaves “a bit of a gap between where the government’s ability to basically reach out to these crypto actors ends and where our ability to navigate in this new environment begins,” Samczsun said. SEAL has already collaborated with the FBI unit tracking Lazarus, helping them close this gap by making connections in the crypto world, he said. “That’s really been the place that we’ve been able to have the most impact.”
He wants to have more impact. Last month, he announced that he was stepping down from his role at Paradigm to focus on SEAL. “We’re interested in collaborating with as many people as possible in order to help our initiatives grow and succeed, which will help the space become more secure,” he said. —Mike Orcutt
HEADLINE WATCHER
The New York Times has been all over Trump’s adventures in crypto. It may be negative in flavor, but crypto is certainly getting the prominent mainstream attention it has always craved. The Gray Lady sent a reporter to Dubai for Token2049, where he caught a panel discussion featuring Eric Trump, TRON’s Justin Sun, and Zach Witkoff, one of the founders of World Liberty Financial, the Trump family’s crypto company. Sun is the proud owner of $75 million worth of the company’s cryptocurrency. Witkoff, the son of Steve Witkoff, Donald Trump’s envoy to the Middle East (and also a World Liberty cofounder), made an announcement during the panel: MGX, a state-backed Emirati investment firm, plans to invest $2 billion in the crypto exchange Binance using USD1, a stablecoin developed by World Liberty. As the Times notes: “Virtually every detail of Mr. Witkoff’s announcement… contained a conflict of interest.”
Three more recent NYT headlines:
Trump offers private dinner to top 220 investors in his memecoin. It’s “an astonishing escalation of the Trump family’s efforts to profit from crypto,” the newspaper declared.
Secret deals, foreign investments, presidential policy changes: The rise of Trump’s crypto firm. This is the most in-depth reporting we’ve seen yet on World Liberty Financial.
Tether was accused of fraud. Now it’s a crypto darling in Washington. Policymakers in DC have long been suspicious of the stablecoin issuer. That’s changing.
North Korean hackers created fake US companies to target crypto developers. Individuals linked to the Lazarus Group created shell companies to lure crypto developers and dupe them into downloading malware, The Block reports.
Solana, Yuga Labs, and Uniswap’s Hayden Adams gave to Trump’s inauguration. A disclosure filed early this month revealed “a new slate of donors” to the inaugural committee, which brought in a historic $239 million in total, Unchained reports. Ethereum software developer Consensys and the financial services firm Cantor Fitzgerald (which holds much of Tether’s reserves) are also on the list of previously unreported donors. Adams, CEO of Uniswap Labs, donated nearly $250,000 despite his vocal support of Kamala Harris’s campaign.
Meta is ramping up its AI-driven age detection. Instagram already uses an AI system that can detect clues that a user is under 18. Now it will use AI to “proactively look for teen accounts that have an adult birthday, and change settings for users it suspects are kids,” reports The Verge.
Researchers secretly ran a massive, unauthorized AI persuasion experiment on Reddit users. They unleashed “AI-powered” bots in a popular subreddit called r/changemyview, in what 404 describes as a “large-scale experiment” examining whether “AI could be used to change people’s minds about contentious topics.” The bots made more than a thousand (convincingly human) comments over months.
Crypto VC giant Paradigm makes $50 million bet on decentralized AI startup Nous Research at $1 billion token valuation. A lot to unpack in that headline from Fortune. According to the article, Nous is using the Solana blockchain “as a key component in the process it uses to train” AI models. The article adds that the firm has created “a method for training open-source AI models that would allow people to contribute their own idle computing power,” using crypto as the incentive to contribute.
Aztec Network launches public testnet for privacy-focused Ethereum Layer 2 (The Block). This follows “successful testing of the first decentralized upgrade process for an L2,” according to Aztec.
Sam Altman’s Worldcoin gets new Orb Mini and US Launch (Blockworks). You can now scan your irises in select US cities. Also, for some reason the firm is developing a version of its iris scanner that looks like an iPhone.
Polygon spin-off Miden raises $25 million in seed funding for privacy-focused blockchain (The Block). Miden is looking to play in the same league as Aleo, Aztec, and other protocols developing confidential decentralized computing platforms using zero-knowledge cryptography.