You've been hacked, what now?
You work for a crypto company, project, or DAO and someone alerts you that you've been hacked. What do you do next? Here's a quick emergency cheat sheet, followed by a slightly longer text on how to be better prepared for the worst.
First - DON'T PANIC
Stay calm and validate whether there's any merit to the claim. Remember that many hacking and bug reports are fraudulent and exist only to pressure you into paying. If necessary, bring in additional subject matter experts who understand your critical infrastructure and smart contracts and can quickly assess the damage.
Second - Set up a War Room
Throughout the incident, be sure to follow these best practices until the security incident has been contained and eradicated and you have recovered from it.
- Have clear responsibilities. It must always be clear who is responsible and authorized to make decisions in the incident response.
- Involve SEAL 911 (see more) or other external help if a significant amount of your or your protocol users' assets is at risk and you're not 100% sure you can handle the situation alone.
- Involve Legal & Comms and other relevant functions as early and as extensively as possible.
- Communicate broadly within the team. Never take any action before communicating with the rest of your team!
- Balance external communication. Do not communicate too little, but do not communicate too much either. Scheduled updates, such as hourly, are a good way to stay on track.
- Log and retain all information.
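The last point deserves a concrete shape: a war-room timeline that a later post mortem (or a lawyer) can trust. The snippet below is an added example, not code from the original article, and it assumes nothing beyond the Python standard library. Each entry commits to the previous one through a SHA-256 hash chain, so an edited or deleted entry is detectable when the log is re-verified. The timestamps and actors in the demo are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class IncidentLog:
    """Append-only incident timeline; every entry hashes over its predecessor."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash does not
        # depend on dict ordering or formatting quirks.
        raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def append(self, actor: str, action: str, detail: str,
               when: Optional[str] = None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if self._digest(unhashed) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def build_demo_log() -> IncidentLog:
    """Constructed war-room timeline; actors and times are made up for the demo."""
    log = IncidentLog()
    log.append("oncall-alice", "TRIAGE", "Report received via bug bounty inbox",
               when="2025-01-13T09:02:00+00:00")
    log.append("ciso-bob", "DECISION", "Pause deposits on vault v2 pending analysis",
               when="2025-01-13T09:15:00+00:00")
    log.append("comms-carol", "EXTERNAL", "Hourly status update posted",
               when="2025-01-13T10:00:00+00:00")
    return log


def tamper_demo() -> Tuple[bool, int]:
    """Show that editing a past entry is caught by verify()."""
    log = build_demo_log()
    log.entries[1]["detail"] = "No action taken"  # retroactive edit
    return log.verify()


if __name__ == "__main__":
    print(build_demo_log().verify())  # intact chain
    print(tamper_demo())              # flags entry 1
```

Keep the verified log outside the systems under investigation (a separate account, ideally with a copy handed to outside counsel), because a chain only proves internal consistency, not that the attacker could not rewrite the whole file.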
Third - Post Mortem
Investigate the root cause and take corrective action to prevent the problem from happening again.
Be Better Prepared
Most organizations struggle to respond appropriately to security incidents. That's fine if only your company is at risk. But it's not OK when your protocol holds millions of user assets. Remember, we're all in the financial services industry, and losing other people's money is not a trivial offense.
The NIST Cybersecurity Framework (NCSF) is a proven and flexible framework that also works very well in the crypto industry. Be sure to adapt it to your own unique needs! The FTC has a surprisingly useful NCSF page to get you started. The core components of the NIST Cybersecurity Framework are:
- Identify
  - Develop the organizational understanding: clarify responsibilities, i.e. have a CISO role.
  - Protect critical infrastructure and information: identify and protect the critical infrastructure such as private keys, source code, smart contracts, servers.
- Protect
  - Maintain current safeguards: implement security policies and procedures to protect systems, assets, data, and information.
  - Detect threats and vulnerabilities: develop and implement continuous security monitoring capabilities. After all, you should already know about the next security incident before it's reported on social media!
- Detect
  - Analyze and assess: use information from security monitoring and other sources to identify anomalies and potential incidents.
  - Automate and integrate: use automated tools to improve detection and analysis.
- Respond (to an ongoing attack)
  - Communicate and coordinate: establish communication channels and coordinate with relevant stakeholders.
  - Contain, eradicate, and recover: develop response actions to contain, eradicate, and recover from incidents.
  - Prepare for emergencies by playing wargames.
- Recover (after an attack)
  - Restore services and systems: develop and maintain plans to restore services and systems after an incident.
  - Communicate and coordinate: maintain communication and coordination with stakeholders during recovery.
  - Improve: conduct post-incident activities to improve the incident response plan.
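The Protect/Detect items above ask for continuous monitoring that flags an incident before social media does. As an added example (not the article's code, and not tied to any particular chain or indexer), here is a small treasury monitor that consumes constructed transfer events and raises alerts on three common drain signatures: a single outflow that is a large share of the balance, an outflow to a counterparty not on the allow-list, and cumulative outflows within a rolling window exceeding a threshold. The token, addresses and amounts in the demo are made up; in practice the events would come from your node, indexer, or an event-streaming service.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Transfer:
    ts: int            # unix seconds
    token: str
    amount: float      # positive = inflow to treasury, negative = outflow
    counterparty: str  # other side of the transfer


@dataclass
class TreasuryMonitor:
    balance: Dict[str, float]            # token -> current balance
    known: Set[str]                      # allow-listed counterparties
    single_pct: float = 0.10             # one outflow >= 10% of balance
    window_secs: int = 3600              # rolling window length
    window_pct: float = 0.25             # outflows in window >= 25% of balance
    _recent: Dict[str, deque] = field(default_factory=dict)

    def observe(self, t: Transfer) -> List[str]:
        alerts: List[str] = []
        bal_before = self.balance.get(t.token, 0.0)

        if t.amount < 0:
            out = -t.amount
            # Rule 1: single large outflow relative to balance
            if bal_before > 0 and out / bal_before >= self.single_pct:
                alerts.append(f"LARGE_OUTFLOW {t.token} {out:.2f} "
                              f"({out / bal_before:.0%} of balance) to {t.counterparty}")
            # Rule 2: first time we pay this address
            if t.counterparty not in self.known:
                alerts.append(f"NEW_COUNTERPARTY {t.counterparty} received {out:.2f} {t.token}")
                self.known.add(t.counterparty)  # alert once; rules 1 and 3 still cover repeats
            # Rule 3: cumulative outflow over the rolling window
            dq = self._recent.setdefault(t.token, deque())
            while dq and dq[0][0] < t.ts - self.window_secs:
                dq.popleft()
            prior = sum(o for _, o in dq)
            dq.append((t.ts, out))
            total = prior + out
            reference = bal_before + prior  # approx. balance at window start
            if reference > 0 and total / reference >= self.window_pct:
                alerts.append(f"WINDOW_DRAIN {t.token} {total:.2f} "
                              f"({total / reference:.0%}) in {self.window_secs}s")

        self.balance[t.token] = bal_before + t.amount
        return alerts


def run_demo() -> List[List[str]]:
    """Constructed event stream: routine payroll, then a two-step drain to a new address."""
    mon = TreasuryMonitor(balance={"USDC": 1_000_000.0}, known={"0xpayroll"})
    events = [
        Transfer(ts=0,    token="USDC", amount=-5_000.0,   counterparty="0xpayroll"),
        Transfer(ts=600,  token="USDC", amount=-150_000.0, counterparty="0xnewaddr"),
        Transfer(ts=1200, token="USDC", amount=-120_000.0, counterparty="0xnewaddr"),
    ]
    return [mon.observe(e) for e in events]


if __name__ == "__main__":
    for step, alerts in enumerate(run_demo()):
        print(step, alerts or "ok")
```

Thresholds of 10% and 25% are placeholders; tune them per token against a few weeks of your own history so that payroll and routine rebalances stay quiet, and route the alerts into the same channel the war room uses so the on-call person sees them with context.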
Using the NCSF should put you in much better shape by preventing most attacks and allowing you to respond to the remaining attacks with experience and knowledge of where to focus.
Bonus: Opsec Considerations
If there's only one thing you take away from this article (other than the article URL to come back to in case of emergency), let it be one of these:
- Use 2FA everywhere. It adds an extra layer of security that prevents unauthorized access even if credentials are compromised. This reduces the risk of theft and improves overall account security.
- Don't hire North Korea (to develop code or manage private keys), see e.g. North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks
- Don't store private keys in the cloud, ever (not even in a password manager): Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
I plan to write more about these later, but the links should be enough to get you started for now.
This article will always be available at https://maol.ch/2025/01/13/youve-been-hacked-what-now/
Previously on the ACK Newsletter: Crypto 2025 Predictions