SlowMist founder: Emergency response after a theft: what should you do when your assets are stolen?
With NFTs being so hot these days, many people only develop security awareness after their tokens are stolen. Of course I don't want anyone to be robbed; it's just that I often see people who are nervous, confused and even panicked after a theft, and that panic leads to a second loss.
Stop loss first
A stop loss is how you keep a loss from growing, and it has at least two stages:
1. The emergency stage. What is happening right now is the most urgent thing. For example, you can see the hacker transferring your assets out one after another. What should you do? Move the remaining assets out as quickly as you can. If you have experience with front-running (getting your own transaction mined ahead of the attacker's), just do it. Depending on the type of asset, if it is one that can be frozen on chain, contact everyone you can to get it frozen. Those who are able to do on-chain tracking analysis, and who find that the funds have been transferred to a centralized platform, can contact that platform to apply the necessary risk controls.
2. The stabilization stage. Once the situation has stabilized, the focus should shift to making sure there is no secondary or tertiary damage.
Protect the scene
If you find that your assets have been stolen, stay calm, take three deep breaths and protect the scene. A few experiences for reference:
1. For computers, servers and other networked devices, once they are the main scene of the incident, disconnect them from the network immediately, but do not shut them down (keep the power on). Some people say that if it is destructive malware and you do not shut down, the local system files will be destroyed by it. You are right, if you can react faster than the malware…
2. Unless you can do the analysis yourself, wait for a security professional to step in. This is critical. We have run into quite a few situations where, by the time we stepped in to analyze, the scene was already in disarray, and even key evidence (such as logs and malware files) appeared to have been cleaned up. A scene that has not been well preserved greatly interferes with the subsequent analysis and tracing.
Analyze the causes
The purpose of analyzing the cause is to understand the adversary and produce a hacker profile. At this point the incident report, also called a post mortem report, is very important.
We have met many people who came to consult us after their coins were stolen, and many of them find it very hard to express themselves clearly, let alone produce a clear incident report. But I think expression can be practiced, or at least done by following a template. For example, at least the following points should be covered.
1. Summary 1: Who, when, what happened, and how much was lost in total?
2. Summary 2: Your wallet address, the hacker's wallet address, the coin type and the quantity. A table is clearer.
3. Process description: This is the hardest part. Here you need to describe every detail of the incident process, which also means analyzing the various traces related to the hacker and finally producing the hacker profile (including the motive).
When we work a case directly, the template is far more complex and goes step by step. Sometimes human memory is unreliable, and there are even cases where key information is deliberately hidden, which wastes time or causes the best window for action to be missed. So in actual engagements the effort is really large, and we have to use our experience to guide the work well. In the end we issue an incident report together with the person or project that lost the coins, and keep that incident report updated.
Trace back to the source
According to Locard's exchange principle, every intrusion leaves traces. As long as we check carefully, we will always find something. The investigation process is really forensic analysis plus tracing. We trace according to the hacker profile produced by the forensic analysis and keep enriching that profile, so it is a dynamic and iterative process.
Tracing consists of two major parts.
1. On-chain intelligence: Analyze where the funds from the wallet addresses flow, for example into centralized exchanges or mixing platforms, and monitor for new transfers so that alerts are raised.
2. Off-chain intelligence: The hacker's IP, device information, email addresses, and the richer picture that emerges from correlating these data points, including behavioral information.
Based on this intelligence there is a great deal of tracking and tracing work, and it may even require law enforcement to step in.
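As an added illustration of the on-chain half of this tracing work (example code written for this page, not SlowMist's own tooling), the Python below follows stolen funds forward through a constructed transfer ledger, flags the hops that land at addresses with a known label (an exchange deposit address or a mixer), and raises alerts when a watched address makes a new outgoing transfer. All addresses, transaction hashes and the label table are constructed placeholders; in practice the ledger would come from a node or indexer and the labels from an address-attribution database.

```python
"""Forward fund-flow tracing and watchlist alerting over a constructed ledger.

Added example for this page; not SlowMist code. Every address, tx hash
and label below is constructed. The LABELS table stands in for a real
address-attribution database.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str       # transaction hash (constructed)
    src: str      # sender address
    dst: str      # receiver address
    token: str
    amount: float
    block: int    # block height the transfer was mined in


# Constructed attribution table: address -> human-readable label.
LABELS = {
    "0xEXCH_DEPOSIT_1": "centralized exchange deposit address",
    "0xMIXER_ROUTER_1": "mixing service router",
}

VICTIM = "0xVICTIM"
HACKER = "0xHACKER"

# Constructed ledger. 0xt0 is a transfer HOP_A made *before* stolen funds
# reached it (block 90 < 101); a correct tracer must not follow it.
LEDGER = [
    Transfer("0xt0", "0xHOP_A", "0xOLD_DST", "USDT", 10, 90),
    Transfer("0xt1", VICTIM, HACKER, "USDT", 100_000, 100),
    Transfer("0xt2", HACKER, "0xHOP_A", "USDT", 60_000, 101),
    Transfer("0xt3", HACKER, "0xHOP_B", "USDT", 40_000, 101),
    Transfer("0xt6", "0xUNRELATED", "0xHOP_A", "USDT", 5, 103),
    Transfer("0xt4", "0xHOP_A", "0xEXCH_DEPOSIT_1", "USDT", 60_000, 105),
    Transfer("0xt5", "0xHOP_B", "0xMIXER_ROUTER_1", "USDT", 40_000, 110),
]


def trace_forward(ledger, start, max_hops=5):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns {address: [tx, ...]} giving one path by which funds reached
    each address. A transfer out of an address is only followed if it was
    mined at or after the block in which tainted funds arrived there, so
    pre-existing activity of intermediate wallets is not pulled in.
    """
    by_src = {}
    for t in ledger:
        by_src.setdefault(t.src, []).append(t)
    reached = {start: (0, [])}            # addr -> (arrival block, path)
    queue = deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        arrival, path = reached[addr]
        for t in sorted(by_src.get(addr, []), key=lambda x: x.block):
            if t.block < arrival or t.dst in reached:
                continue
            reached[t.dst] = (t.block, path + [t.tx])
            queue.append((t.dst, depth + 1))
    return {a: p for a, (_, p) in reached.items() if a != start}


def find_cashouts(paths, labels=LABELS):
    """Return (address, label, path) for every reached address with a label.

    These are the points where a freeze request or a risk-control contact
    with the platform is worth attempting.
    """
    return sorted((a, labels[a], p) for a, p in paths.items() if a in labels)


def watch_new_transfers(watchlist, new_transfers, labels=LABELS):
    """Alert on any new outgoing transfer from a watched address."""
    alerts = []
    for t in new_transfers:
        if t.src in watchlist:
            where = labels.get(t.dst, "unlabelled address")
            alerts.append(f"{t.tx}: {t.amount} {t.token} left watched "
                          f"{t.src} for {t.dst} ({where})")
    return alerts


if __name__ == "__main__":
    paths = trace_forward(LEDGER, VICTIM)
    for addr, label, path in find_cashouts(paths):
        print(f"{addr} [{label}] via {' -> '.join(path)}")
    # Constructed "new block": the hacker moves a little more, and an
    # unrelated return transfer that must not fire.
    new_block = [Transfer("0xt7", HACKER, "0xHOP_C", "USDT", 1, 120),
                 Transfer("0xt8", "0xHOP_C", HACKER, "USDT", 1, 121)]
    for line in watch_new_transfers(set(paths), new_block):
        print("ALERT", line)
```

The arrival-block check is the part worth copying: without it a tracer happily follows every historical transfer out of an intermediate wallet and the "hacker profile" fills up with addresses that never touched the stolen funds. The reached-address set from `trace_forward` doubles as the watchlist for ongoing monitoring.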
Closing the case
Of course, we all want a good ending, and there are public incidents in which we were heavily involved that did end well, to name a few:
1. Lendf.Me, valued at $25 million
2. SIL Finance, valued at $12.15 million
3. Poly Network, valued at $610 million
There are many more we have personally handled that ended well, or acceptably, without ever being made public. But most end badly, which is a shame.
We have accumulated a lot of valuable experience through these cases and hope to raise the share of good outcomes by another step in the future. I will not go into detail here because it requires a huge amount of knowledge, some of which I am not good at myself. Depending on the scenario, the following skills are needed:
Smart contract security analysis and forensics
On-chain fund transfer analysis and evidence collection
Web security analysis and forensics
Linux server security analysis and forensics
Windows security analysis and forensics
MacOS security analysis and forensics
Mobile phone security analysis and forensics
Malicious code analysis and forensics
Network equipment or platform security analysis and evidence collection
Personnel security analysis and forensics…
If you are familiar with my work, you will know that I covered all of this in the "black handbook" I published a little while ago. I want to emphasize it once more here. You are welcome to look there for more security knowledge for Web3 users: