Ogle Catches the Crypto Crooks

Hacks happen. And in the world of decentralized finance (DeFi), hacks happen a lot. Ogle, who goes by @cryptogle on X (formerly Twitter) and ogle.eth on-chain, is one of a number of people attempting to professionalize the industry of recovering funds. So far, according to his website, Ogle has helped to recover more than $350 million from crypto protocol exploits.

Ogle shows up where he's needed. He's on Crypto Twitter, of course, as well as Discord, Telegram and in ENS messages. He has a team of researchers at Ogle Security Group, who he pays out of pocket. And, he's part of a less official group of Web3 natives who often help to track down moving funds, including Alicia Katz, samczsun and ZachXTB.

This profile is part of CoinDesk's Most Influential 2023. For the full list, click here.

Not much is known about Ogle's civilian life. He calls himself a tech native and has founded and led a few Web2 firms, where he picked up knowledge of security best practices. He declined to name which ones, though he said one was a "household name." Today, he's inventing best practices for negotiating with crypto criminals: he's the guy who came up with the 10% figure that keeps popping up during conversations with hackers, return 90% to the protocol and walk away with the rest.

He's helped recover funds in some of the largest hacks to date: Euler, Alchemix and, currently, is negotiating with the KyberSwap hacker. The most "complex" was Curve, which involved four different companies and potentially four different exploiters. Ogle is also building a security-focused blockchain, called Glue, "to try to solve some of the commonly exploited problems at the chain layer," he said in a text message interview.

As a kid, he said, he was part of a group called CyberArmy, a "white hat" (pen testers for the greater good), which was founded in the late 90s. In a recent episode of the "Unchained" podcast, he also mentions having a skillset honed by Web1 (back then it was called the "information superhighway"), though that could have been an attempt as misdirection.

"When I was a kid I was constantly trying to break into things and deconstruct systems, but without any malicious intent whatsoever. Not every hacker is malicious. They're usually just very curious and perhaps don't follow rules very well," he said via text. In a Cointelegraph video interview he said learned a lot about the cyber world and its denizens by studying hacking and cracking with the longview of trying to stop "bullies."

It's a moral code that doesn't always square with the law, or with expectations. There isn't much justice, for instance, in derailing a young kid's life by dropping a dime on them. And while he often offers his services free-of-charge, the line of work is often thankless. He can spend hours, days or weeks in negotiation with a hacker, only for the DAO or protocol dev team who gets their money (or their users' money) back to ghost him.

Worse, many "promise and never deliver" a bounty; he said it happens more than you would think. Though Ogle also has a paid service used for "slightly more formal work" on hacks. It costs $6,500/month to have him on-call in case things break. It's also a way to separate funds and legal liability, a first step to professionalizing the industry.

There would be a fleet of Ogles in the world, he said, if the industry could work out the funding model. Right now, people who spot exploits are incentivized to break, enter and steal rather than disclose — you may get caught, but you have a better chance of getting paid. He might consider hiring the truly "exceptional" for Ogle Security.

He's made appearances, and often played a starring role, in negotiations with hackers for years. He lost count of exactly how many; it's around 40. He breaks the job up into two parts, asset recovery, or "using blockchain analytics and law-enforcement approved negotiation techniques" to regain stolen funds, and crisis communications, where he helps impacted teams calm their communities.

The best thing DeFi protocols can do, he said, is get a real audit. An actual one. The next best thing is to come up with a game plan for a hack, in case the worst happens. And when it does, keep cool. Profile the suspect, keep track of the funds on-chain and communicate with the community.

Even old protocols can be at risk. In late November, one of the oldest decentralized exchanges, KyberSwap, was nearly flushed clean. Ogle called it one of the most sophisticated hacks he's ever seen. It had to be. It was an exploit that went unexploited forever.

See also: Calling a Hack an Exploit Minimizes Human Error | Opinion

Ogle can't talk much about the Kyber attack while negotiations are ongoing. The hacker started off on a strong footing: total control over Kyber the company and "temporary full authority and ownership" over KyberDAO.

There's usually a type, a psychological profile of a hacker: young, smart and hungry, and usually under 25 years old and living in Asia. Sometimes, after the negotiation is over, they remain friends. "I'm the only one that knows, sometimes," he said, adding that they can't tell their friends or family. By staying in touch, he learns more about the mentality of The Common Crypto Crook, aiding future recoveries.

"Discussions don't usually go wrong," he said. "The goal is to be fair to everyone involved, and most attackers realize that what's being offered is a better outcome for them." It beats the looming fear of persecution and disclosure that may follow a hacker to the grave, and nowadays with most crypto exchanges trying to stay above the law it's becoming harder and harder to cash out.

How exactly did he get this job?

It started with StableMagnet, a decentralized protocol that offered significantly higher returns than rival lenders like Aave. I bet you can guess where this is going: It was a rug. People's "hard earned money," gone. Ogle viewed it as an opportunity. Harder to guess: doing a little sleuthing and making a few calls led to what is commonly discussed as the first ever DeFi hack recovery. It was the first of many monumental occurances.

"The money was returned by the police in Manchester, U.K. in USDT. So they [the bobbies] acknowledged theft of crypto and paid it back in a different crypto coin than was stolen, which was in my view a governmental acknowledgement of crypto as 'money.'"

He found a username, a clue. Then a Github account. Then other Github accounts they were connected to and connect those to actual humans and find similarities between them, like where they went to school. He found their friends, girlfriends and family and then went to the school registrar. They were in Hong Kong.

He contacted them on Signal, WhatsApp and Telegram. They didn't want to play ball.

After he reached out directly, they fled to England — it was two and half years ago, in the midst of the COVID pandemic, and England was one of the few places they could fly to from Hong Kong. Ogle figured they were smart, that they knew only idiots would go to London, so he started calling hotels in Manchester, where the hackers would have to stay during a 10-day quarantine.

He pretended to be a family member, asking if the hotel had a guest of a certain name. Eventually, he hears, "I'm not allowed to say if we have a guest by that name, but, if we do, I'll take the message and I'll give it to them and if they happen to be here you know you know they'll they'll have the message," he said, putting on a British accent.

"I'm like, Bingo." He calls the police; he doesn't like bringing in law enforcement unless he needs to. He's turned down work before because his clients said they intend to call the FBI, after he's promised a hacker they'd be safe if they return the funds. "There has to be some honor among thieves," he said.

CORRECTION (DEC. 4, 2023): Ogle helped broker the negotiation with Alchemix, not Alchemy.