Euler Hacker Was ‘Just a Regular Guy’

It was a staggering haul — $200M in assorted cryptocurrencies. But the hacker who drained DeFi protocol Euler last month was “just a regular guy,” according to one of the people who helped negotiate the return of the stolen tokens.

“It’s not always North Korea doing a sophisticated hack,” Ogle, a pseudonymous, independent security researcher, told The Defiant. “Like, it’s often just a curious young person who happens to be clever and sees an opportunity.” And that was the case in the Euler hack, which was the sixth biggest in DeFi history, according to Rekt.

On Tuesday, three weeks after the exploit, Euler announced the hacker — who referred to himself as “Jacob” — had returned almost $230M in ETH and DAI. With ETH up almost 20% since the hack, he ended up returning a higher dollar amount than he drained.

Jacob did not return 1,100 ETH ($2M) he had sent to Tornado Cash, a sanctioned protocol used to mask the movement of crypto; 100 ETH he sent to another hacker with ties to North Korea; and 88 ETH he sent to one of his victims. On its governance forum, Euler said the crypto sent to North Korea and Tornado Cash had “potential sanctions issues.”

$230M Recovered

Still, it was “one the largest recoveries in DeFi history,” Euler boasted on Twitter. “Ultimately, after a period of lengthy negotiation, [Jacob was] convinced to do the right thing for Euler users.”

Ogle did some of that convincing. In an interview with The Defiant, he shared information about the “wacky” hacker, the negotiation process, and mistakes that companies often make when trying to recover stolen crypto.

Euler publicly thanked Ogle and others who assisted in the recovery effort, and in a statement to The Defiant, a spokesperson for the organization said “Ogle joined one of the Euler war rooms because of his experience handling strategy and negotiations in other notable incidents. We are grateful for his support and contributions.”

On March 12, Jacob took advantage of a vulnerability in a smart contract function called ‘donateToReserve’. The function was added as part of a major overhaul last year and allows users to donate small balances to Euler’s reserve.

Jacob made off with nearly $136M of Lido Finance’s stETH, $34M of USDC, $18.5M of WBTC and $8.8M in DAI, based on prices at the time of the hack.

Euler is widely integrated with DeFi protocols, and the attack impacted the entire ecosystem. Euler is a money market protocol on Ethereum that held over $500M of user deposits before the exploit.

Euler Hack Shines Light on Promise – and Peril – of DeFi Composability

$200M Exploit Leaves Over A Dozen Protocols Reeling

The Defiant

A Euro-pegged stablecoin lost its peg. Decentralized exchange Balancer said its emergency subDAO paused all liquidity pools containing Euler-boosted USD (bbeUSD). Users of protocols that had integrated Euler were, in some cases, unable to withdraw their money. One, a DeFi founder, lost his life savings — and some of his confidence in “composability,” a key feature that separates decentralized finance from the traditional system it seeks to replace.

Bounty Offered

Euler immediately made Jacob a generous offer — keep 10%, send us the rest, and we’ll forget all about it. But Euler’s deadline came and went. It’s become common practice for DeFi teams to engage in similar negotiations with hackers. In March, for example, a hacker who exploited Tender.Fi returned the crypto for a $97,000 bounty.

Around that time, a mutual acquaintance referred the company to Ogle, who had helped recover crypto assets stolen from Stable Magnet in 2021 (More recently, Ogle helped recover almost $1M in funds stolen from liquidity protocol Sentiment). The company also offered a $1M bounty to anyone who could provide information that would help it identify the exploiter.

The search was a success.

“We know everything about the guy,” Ogle said. “We know who he is, where he’s at, who he’s connected to.”

Once Euler had found him, all it had to do was convince him to return the stolen crypto. But it’s no easy task. In traditional finance, rife with middlemen, illegitimate or illegal transactions can be reversed, and victims of trickery or theft are often made whole.

On-chain Negotiations

In the peer-to-peer world of crypto, there are few middlemen, transactions are final, and stolen assets rarely make their way back to their rightful owners.

But a week after the exploit, Jacob sent Euler a message embedded in an Ethereum transaction.

“We want to make this easy on all those affected. No intention of keeping what is not ours,” the message read. “Setting up secure communication. Let us come to an agreement.”

In another: “Jacob here. I don’t think what I say will help me in any way but I still want to say it. I fucked up. I didn’t want to, but I messed with others’ money, others’ jobs, others’ lives. I really fucked up. I’m sorry. I didn’t mean all that. I really didn’t fucking mean all that. Forgive me.”

Ogle declined to share details that might identify the hacker, but said it was clear the man was in over his head.

“The reason he sent those kinds of wacky messages is because the guy’s kind of wacky,” Ogle said. “And he’s also under extraordinary stress, you know? He can’t sleep, he didn’t mean to be in this position, but through his anxiety, he did stupid stuff. Like, he sent 100 ETH to DPRK. … He’s just trying to throw people off and make people think, ‘oh, it was North Korea.’”

Had it been North Korea, it is unlikely Euler would have been able to recover the crypto.

“Whenever you have North Korea do it, then they’re doing, like, proper OpSec,” Ogle said. “They’re preparing this stuff for a month, they’re using computers that they just bought at the store, and went to a different country to log on, and went through Tor and, you know, did everything you’re supposed to do if you’re gonna do it, right.”

The “typical” DeFi hacker isn’t so savvy.

‘Web2 Noobs’

“A lot of these Web3 guys, they might be experts in Web3, but they’re total noobs when it comes to Web2,” Ogle said. “They know how to crack Solidity [the programming language of Ethereum], but they don’t know how to use proper security stuff on their computers, on their networks.”

Jacob eventually caved. Euler on Tuesday said it had recovered “all of the recoverable stolen assets.”

According to Ogle, the company will not pursue charges. But it might not be the end of Jacob’s troubles.

“Had this guy not sent anything to DPRK, I think everything’s over at this point,” Ogle said. “Since he did, we don’t know if everything’s over.”

Euler has put forward a proposal to return the crypto to affected users and companies. The protocol’s EUL governance token is down 4% since the recovery was announced Tuesday afternoon.

EUL Price. Source: Coingecko

[[ Note: This story was updated to add a statement from Euler in the 7th paragraph. The article was first published on Thursday, April 6, and was temporarily taken down for review. ]]