Governing Blockchain Security: White Hat Hackers ‘Code of Conduct’

Kelsie Nabben, August, 2024

Note: This post is in reference to blockchain security governance and accountability research supported by a grant under the Ethereum Foundation Academic Grants Round (2024). Some ideas presented in this post are being developed into a forthcoming co-authored book chapter with Dr. Primavera De Filippi.

Abstract

This post is an effort to articulate some of the ethics, incentives, and infrastructure that undergird blockchain security, and by extension blockchain ecosystems. Exploring the nature and state of blockchain security along these substrates, I argue that security is often presented as an individual responsibility in the rhetoric of blockchain as trustless and non-custodial, yet, security in practice is also a collective effort. Therefore, incentives and infrastructure beyond ideology and ethics are required to secure the blockchain ecosystem to align incentives for hackers to engage in white hat activities.

Contents/TLDR:

• The state of blockchain security
• Private governance domains: Pirates, prisons, cartels, & blockchain
• White hat governance
• Blockchain white hat hacker governance & Code of Conduct
• Next steps (an open source red-teaming security tool kit)

“Incentives and infrastructure beyond ideology and ethics”. Image courtesy of ChatGPT

Introduction

With a record year of $3.7 billion stolen from cryptocurrency projects in 2022 (TRM Labs, 2023), the greatest risk to reputation and survival of public blockchains is cybersecurity hacks. Cybersecurity plays a prominent role in decentralised, blockchain-based networks, where there is no central authority that can intervene in response to security exploits. Blockchain protocols operate according to a set of deterministic rulesets that are expressed in software code and automatically executed by the underlying technological framework (known as the “rule of code” (De Filippi and Wright, 2018)). This context favours an ethos of minimised subjective, human-led bureaucratic processes in favour of protocol-enforceable rules, or “governance minimization’ (Ehrsam, 2020; Nabben, et. al., 2022). Yet, in the case of security exploits, frauds, and scams, few measures of accountability or resources exist for protocols and end-users alike.

Meanwhile, private-order governance efforts are emerging to address security concerns and develop the social, institutional, technical, and economic infrastructure needed to improve the state of blockchain security. Public and permissionless blockchains can be characterised as a domain of private governance — which refers to the various forms of self-governance, self-regulation, and private enforcement that private individuals, companies and organisations use in lawless or extra-legal domains (such as pirates, prisons, and gangs) to create order, facilitate exchange, and protect property rights (Stringham, 2015, 2017).

The Web3 “Security Alliance” (SEAL) is a Not-For-Profit initiative that provides a platform for security community coordination (SEAL, n.d.). Initiatives include SEAL 911 emergency reporting channel, SEAL Wargames security training drills, the SEAL Safe Harbor legal template for protocol communities to consent ex ante to white-hat support in the case of an active exploit, and SEAL-ISAC Information Sharing and Analysis Centre to develop and share threat intelligence and proactively disseminate industry best practices.

Blockchain security is provided by a number of actors, including security firms, code auditors, bug-bounty platforms, analytics companies, and protocol security teams. Security is also provided by ‘white hat’ or ‘ethical’ hackers (Coleman, 2012), who use their skills to improve that state of blockchain security by finding and reporting vulnerabilities, and helping to fix them before malicious attackers (‘black hat hacker’) can exploit them, or actively exploiting these vulnerabilities to rescue user funds.

Hacker culture and politics are areas of keen interest to anthropology, public policy, law, and ethics (Nissenbaum, 2004; Coleman & Golub, 2008; Coleman, 2015), which provide useful guidance to understand technological development (Levy, 1984; Brand, 1995; Levy, 1999; Turner, 2010). Since the famous hack of ‘The DAO’ in 2016 (Naves, et. al., 2019), white hackers have shown to play a crucial role in the history and development of cryptocurrency and blockchain projects, and are responsible for rescuing millions of dollars of cryptocurrency funds each year (Lindea, 2024; Cavez-Dreyfuss & Wilson, 2021). Yet, thus far, little research exists on how blockchain security is governed, or how white hat hackers, as key actors in blockchain networks (Latour, 2007), fit into the private governance landscape of blockchain ecosystems. Furthermore, there are very few articulations of the culture or guiding principles of white hat hackers (EC-Council, n.d.; Grimes, 2017), and even fewer that relate to blockchain specifically (Seal-911. (n.d.))..

Methodology

Through a multi-month digital ethnography, data was collected under ethics approval via online chat channels on the chat application “Telegram”, GitHub open source repositories, internal and external project documentation, observation and participation in group calls relating to various SEAL initiatives, and ethnographic interviews.

This research explores blockchains security as a unique domain of private-order governance, and the role of white hat hackers, and other stakeholders, in ensuring security and accountability (referring to responsibility for actions and enforcement of consequences in a network (Nabben, 2023a)). What our research (Nabben and De Filippi, forthcoming) finds is that security in public and permissionless blockchain systems relies on a hybrid mode of off-chain and on-chain accountability, designed as a private-order solution that combines social norms, legal mechanisms, technological tools, and economic incentives. The research also finds that further work is required across the blockchain industry to structure and support the infrastructure and incentives to align white hat hackers as security responders, as well as improve the practices of protocol security teams and end users.

This post provides an overview of some ideas and insights from this study. More will be shared in the forthcoming, academic publication.

The State of Blockchain Security

The state of security in blockchain as a platform for digital interactions is clearly lacking. A comment appeared in the Seals chat, expressing that the bar is very low, and referring to the fact that it took one blockchain project team six days to realise $600 million was missing, in one of the largest hacks in crypto history of a ‘bridge’ between two blockchains (Rekt, 2022). Others reacted with a vomiting face and rolling on the floor laughing emojis, reinforcing the shared understanding for the need to address the current state of blockchain security.

A recent illustration of this is a strange unfolding of events in June 2024 between blockchain security auditing firm ‘Certik’, that allegedly stole $3 million in funds by exploiting a bug in well known cryptocurrency exchange ‘Kraken’, instead of responsibly reporting the bug via their bug bounty program (Samczsun, 2024a; AndrewMohawk, 2024). Certik claimed their actions were in the name of ‘white hat hacking’ to demonstrate Kraken’s security vulnerabilities, whilst Kraken is treating it as a criminal case.

“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable…” stated Chief Security Officer at Kraken (Percoco, 2024).

Blockchain security experts were outraged that these actions undermine trust in crypto security, put users at risk, and were claimed to be taken in the name of white hat hacking. Security Alliance white hats state, “Ethical hacking means you report vulnerabilities immediately to prevent exploitation and help the community” (AndrewMohawk, 2024), and “stop fucking it up for the rest of us” (Samczsun, 2024b). Yet, what it means to be a blockchain white hat hacker remains uncodified.

Other conversations in the ‘Seals’ chat are telling of the state of security in the blockchain industry.

“…I think we have a long way to go as an industry. We severely lack fundamentals and web3 organizations rarely think beyond the network…even just basic personal security fundamentals and opsec, carrying keys around, leaving devices unattended, etc. In this space of remote and decentralized work contribution from a beautifully uncontrolled environment we do not focus on what that means to organizational security posture. Sharing intelligence is certainly a part of the equation, but I don’t think we’ve truly decided how to act on intelligence in a coordinated way — I really hope to get that out of this group”.

In another thread, one white hat shared:

“I was helping a blockchain protocol last night and they were highly unprepared for it on the web2 side, no logs configured, not sure about IAM roles, not sure what was open on the net or how creds are kept, no environment safety net for gh (GitHub) secrets, etc. Its super boring but I think a ‘sensible security’ guide for web2 assets for web3 companies might be a good idea.”

In an earlier effort to help projects improve their security posture in the blockchain industry, security researchers have developed resources, such as the “Rekt Test” (Immunefi, 2023), as a simple and widely applicable evaluation of security controls to help people assess the security level of a blockchain system. While these measures are simple to implement, they are not always practised. Furthermore, exploits are not only occurring and addressable at the level of protocol security. The many types of exploits occurring include phishing scams, DDOS attacks, ‘pig butchering scams’, fake URLs, and more (Nabben, 2024).

While the trustlessness of blockchains is about built-in cryptography, hacking is about people. This requires trust, competency, and reputation. SEAL reports having been involved in saving over $50,000,000 USD to date. The types of incidents tackled by SEAL 911 include identifying root causes of exploits, tracing stolen funds, pointing to resources on best practice responses, and recovering stolen social media accounts. “If you look at the recent 100 tickets at SEAL 911, it’s at least 90% phished people losing their tokens via malicious approvals and compromised private keys”, explains pcaversaccio, a white hat hacker who leads SEAL-911 and covers regular shifts to respond to requests that come in via SEAL 911’s request channel.

“We block hundreds of malicious URLs on a daily basis. These blacklists are consumed by wallets like MetaMask” to protect users. SEAL 911 activities also include documenting and disseminating ways to respond to more novel but increasingly common types of scams — such as “pig butchering”, whereby someone forms a trusted online relationship before being exploited for money (Sha Zhu Pan, 2023). “The remaining 10% are tickets that disclose responsibly potential vulnerabilities by white hats (e.g. empty ERC4626 vault attacks, empty market attacks, reentrancy attacks, uninitialised proxy issues, access control issues) or projects reaching out since they got hacked and need our support for the aftermath of the exploit (e.g. hacker negotiations). I personally think that the number of rounding error attacks has increased in recent months as the complexity of the maths has increased even further.”

As blockchain applications grow more complex, and this complexity is not abstracted away from end users at the application level, the advised mindset from pcaversaccio is to “BE FUCKING PARANOID ABOUT EVERYTHING YOU TOUCH IN THIS SPACE :)”. If Web3 is to become a workable alternative to some of the failings of Web2 (Nabben, 2023b), people need to unlearn the convenience of Web2 and learn to secure their own assets. Even still, there is a role for the collective security provision in the race between security experts and black-hat hackers / organised criminal groups for techniques that extend beyond general consumer knowledge and abilities.

Private governance domains: Pirates, prisons, cartels, & blockchain

Although domains of private-governance may be characterised as lawless, they do in fact have codes of rule making, coordination, and regulation that create order. Cryptocurrency communities, especially in some, early anarchic visions of cyberspace, (Ludlow, 2001; Nabben, 2023c), can be approached as domains of private governance. For example, pirate bandits govern through institutional checks and balances to effectively organise and minimise conflict. These include reputation, threat of mutiny against captain predication, written constitutions, as well as separation of powers to ensure incentives remain aligned towards collective profit maximisation (Leeson, 2007; Casey, 1991).

Similarly, prison gangs form extra-legal governance institutions to address insufficient formal governance in prison systems. These include decentralised mechanisms of ostracism, based on inmate demographics (Skarbek, 2016). In other jurisdictions, the institutional mechanisms produced by prison gangs consist of reciprocal relations of mutual aid and protection between inmates and prison guards (Darke, 2018; Guadalupe. et. al., 2021).

Furthermore, cartels as a domain of private governance seeks to control market uncertainties and gain collective profits, whilst managing order throughout the cartel itself without relying on binding legal contracts or legal arbitration. Governance techniques to do so rely on social mechanisms of communication protocols, reciprocity, and reputation to build trust (Jaspers, 2017).

Although blockchain governance is digital and functions according to the rule of code at the protocol level, these domains of private governance are similar in that there are internal, private governance dynamics at play at the social level, within a broader context of formal legal controls. The section that follows focuses on white hat hackers in the domain of blockchains, and the rules of how they self organise.

White hat governance

The insights from this research reveal that the social coordination and institutional scaffolding that SEAL provides to secure the blockchain industry constitute a bridge between the “endogenous” code-based protocol rules of a blockchain, and the “exogenous” legal rules that regulate the blockchain industry (BlockchainGov, forthcoming). Our analysis shows how different accountability mechanisms operate at various levels of blockchain governance, from purely on-chain systems implemented at the protocol level, to hybrid on-chain and off-chain models of private order security, to exclusively off-chain public-order accountability frameworks enforced by external legal and regulatory measures.

Blockchain White Hat Hackers: Code of Conduct

Some have attempted to articulate the ethics of hackers. Steven Levy, for example, in the book “Hackers: Heroes of the Computer Revolution” described the ‘the hacker ethic’ as including “information should be free” and“Mistrust authority — promote decentralization” (of information systems and power structures) (1984, pp. 26–36). While this hacker lineage is informative of hacker culture today, an ethos specific to blockchain security white hat hackers is needed to align interests and incentives with the ecosystem.

Critical to the governance of blockchain security and role of white hats is their own codes of ethics or conduct, as well as the reputation that binds and governs participation in groups such as SEAL. For example, the SEAL 911 initiative has its own Code of Conduct (Seal-911, n.d.). What emerged throughout this research are the following principles as a broader set of social norms, that form a ‘Blockchain White Hat Hackers Code of Conduct’ to ensure off chain accountability:

1. Break confidentiality and you’re out
2. The security inner circle is not permissionless but reputational
3. Act ethically, meaning don’t exploit information for personal gain
4. Always respect user privacy
5. Don’t trust, verify
6. Do not underestimate your opponents
7. Ship.

Each of these principles are elaborated in the section that follows.

1. Break confidentiality and you’re out

Security requires trust (Nissenbaum, 2015), even in the ‘trustless’, deterministic context of blockchain.

For example, in the Seals chat, an admin posted the message:

“Not many things can get you kicked out of SEAL…but breaking confidentiality of this group is one of them…because trust is the most important thing we have. Trusting and respecting each other even if we don’t always agree. So keep what is said/discussed private and if you leak know that I will find out…”.

2. The security inner circle is not permissionless but reputational

While participation in blockchain protocols according to pre-prescribed rule-sets is accessible to anyone (a.k.a., “permissionless” (Nabben and Zargham, 2022)), security groups are not. Instead, they are based on reputation, which is built on past behaviours as a predictor of future success.

The admin’s message to the Seals chat continued:

“SEAL is not permissionless…Everyone here has power to shape our internet’s future which is an honour, but also a responsibility”.

3. Act ethically, meaning don’t exploit information for personal gain

As set out in the SEAL-911 Code of Conduct, acting ethically means “Do not exploit any sensitive information advantage in any way to gain a personal, commercial, or other malicious advantage” (Seal-911, n.d.).

This was heavily emphasised throughout the research.

“I think this is very important point”, emphasises pcaversaccio, a white hat hacker who covers regular shifts to respond to requests that come in via SEAL 911’s request channel.

In other conversations in the Seals chat, security contributors exclaimed their disgust with unethical and incompetent behaviour:

“it makes me so angry that people are careful with others funds, its substantial for some of them and you should do your god damn best to make sure they dont lose it from you being dumb”.

This principle is enforced via collective action to kick someone out and publicly disclose misbehaviour, where needed. Thus, accountability in this case is social and normative.

4. Always respect user privacy

Information management is key to information security. Practices, such as deleting help tickets that come to SEAL-911 and not retaining any sensitive information are crucial to respecting privacy, and thus preserving trust and the right to be a white hat.

5. Don’t trust, verify

While traditional digital network security is oriented around delegated stakeholder responsibilities for protecting centralised structures with clear boundaries, cybersecurity in blockchain-based networks deals with the unique challenges of decentralised networks and ecosystem contexts. While distribution of network data across nodes to operate a protocol can enhance network resilience, decentralised security also includes individual responsibility for managing cryptographic keys, ensuring the security of smart contracts, systemic risk of cascade failure across both technology and cryptocurrency token price, and more. Some characteristics of blockchain as decentralised and permissionless systems can make it insecure to participate, such as immutable transactions, start-up culture whereby anyone can deploy code, and no central authority for recourse.

Ryan Wegner, SEAL-ISAC lead remarked in an interview that the state of blockchain security “varies a lot from project to project. It seems poor because it’s easy to find the projects that aren’t doing well because they lack basic security processes and practices and these mistakes are public on the blockchain for everyone to see”….”Because the bar is so low to actually deploy a project, they don’t think about security until much further down the track. Unlike Web2, Web3 startups are often responsible for protecting millions in TVL (total value locked) of retail funds, and security professionals are forced to reverse engineer products in production to retroactively apply security best practices…like adding seat belts to a plane that’s already in flight”, states Ryan.

While blockchain promotes a culture of individual control and responsibility of one’s digital assets, blockchain security is inherently a collective effort. Samczsun commented in a different chat: “I think long terms we have to stop pretending like the majority of users actually “dyor” (Do Your Own Research) or whatever…In other words the idea that “we just empower users with all the information they need to make an informed choice” doesn’t work in the world where most people barely have enough of an attention span to see that they clicked on a link that said “CLAIM AIRDROP NOW OR YOU”LL LOSE GENERATIONAL WEALTH” and their wallet said “hey are you really sure you want to approve this transaction on this sketchy website” because they just want to print””.

6. Do not underestimate your opponents

White hats understand the seriousness of their engagements, and although clever, they do not under-estimate threats. SEAL is not impervious to its own cybersecurity threat. Upon the launch of SEAL initiative websites, contributors remarked, “we should keep in mind whatever we deploy is gonna get ddosed (denial of service attacked) to hell and back”. While they proactively set up their infrastructure to protect against this as much as possible, Samczsun remarked after the launch, “also I was a fool and underestimated the squatters”, referring to people buying up SEAL-related Web domains to imitate the brand.

In blockchain, North Korean hacker group ‘Lazarus’ is known to have laundered over $200 million USD from over 25 cryptocurrency projects in hacks between 2020 and 2023, as traced in open source intelligence investigations (ZachXBT, 2024), with other analytics firms estimated over $3 billion since 2017. Participants in the Seals chat remarked how developers working in crypto are often targeted with fake help requests or false interview tasks, asking them to hack suspicious files. “Mostly DPRK” others replied, thanking the person posting for the heads up. It has been said that the strategy of infiltrating crypto companies as staff has raked in over $600 million annually (across industries).

For these reasons, some white hats choose to maintain pseudonymity, to not publicise their day-to-day physical identity.

7. Ship

Ultimately, what is valued is getting stuff done. SEAL is product led, and solution oriented. For example, the SEAL-ISAC initiative was spun up in rapid timing. Instead of beginning with a large membership base that had to pay fees (unlike ISAC’s in other industries, SEAL-ISAC is free), the initiative began with an opensource platform and actionable insights from day 1.

Moral Infrastructure To Support White Hat Hacking

While these social norms encourage ethical conduct, the desire to maintain good conscience is not enough to ensure the sustainability of white hat participation in the blockchain industry. A key take-away of this research is that further thinking is required across the ecosystem to structure security infrastructure and processes to align incentives for hackers to engage in white hat activities.

Researchers have observed how there is an ethical spectrum of hackers, from “black hat” hackers who break into systems for personal gain, to”white hat” hackers who help to secure systems, and “gray hat” hackers, who might break laws but do so based on ethical principles (Coleman, 2012; Goerzen & Coleman, 2022). Some SEAL’s are ideologically motivated by the right to “transact value of any form in a privacy-preserving, censorship-resistant and secure way”, as stated by PCaverssacio in “The Ethereum Cypherpunk Manifesto” (2024). Yet, incentives and infrastructure beyond ethics and ideology are required to secure the future of the blockchain ecosystem.

“I know several top talent whitehats with the skills to help, but aren’t motivated by altruism. They need the potential financial reward to be involved. I’ve rarely seen bounties deter black hats, but we need more whitehats in the fight & pretending they’re all motivated by public good is how government security fell behind big tech’s” remarked one contributor.

Others responded in agreement with the “100” emoji, remarking that everyone will have different moral compasses and financial goals but the right mix of incentives are needed to align efforts.

SEAL initiatives, particularly the SEAL-Safe Harbour legal framework, addresses this in terms of clarifying legal liability and also economic incentives, prior to an active exploit. Such initiatives acknowledge that white hats can be driven by a mix of public good, competitive financial incentives, and clearer terms of engagement when supporting protocols and communities, so that the blockchain industry can attract the talent needed to strengthen its security infrastructure.

Next Steps…

In an effort to contribute to the necessary incentives and infrastructure beyond pure ideology and ethics to secure the blockchain ecosystem, the second part of this EF supported grant is to disseminate an open-source repository of blockchain security best practices in collaboration with Isaac Patka (SEAL Wargames / Shield3) and Holterhus (SEAL Wargames). The open-source red teaming toolkit is informed not only by academic insights and learnings but from numerous SEAL Wargames drills with multiple, major blockchain protocols.

Stay tuned.

Acknowledgments:

This output was supported by an Ethereum Foundation Academic Grants Round 2024, in conjunction with Isaac Patka, Holterhus, and Primavera De Filippi. With thanks to the Security Alliance for allowing me to research and for feedback, and Tara Merk for editorial feedback.

References:

AndrewMohawk (@AndrewMohawk). (2024). “CertiK found a bug in Kraken’s system that let them create fake account balances without having the funds. Instead of reporting it right away, they tested it over FIVE DAYS days, minting and moving millions of dollars. Risky and unethical af” (Tweet). June 29. Twitter. https://twitter.com/AndrewMohawk/status/1807066799353024626. Accessed June 30, 2024.

Brand, S. (1995). We owe it all to the hippies. Time Magazine, 145(12).

Casey, L. A. (1991). Pirate Constitutionalism: An Essay in Self-Government Essay. Journal of Law & Politics, 8(3), 477–538.

Coleman, E. G., & Golub, A. (2008). Hacker practice: Moral genres and the cultural articulation of liberalism. Anthropological Theory, 8(3), 255–277. https://doi.org/10.1177/1463499608093814

Coleman. G. (2012). Coding Freedom. Princeton University Press. Retrieved May 9, 2024, from https://press.princeton.edu/books/paperback/9780691144610/coding-freedom

Coleman. G. (2015). Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous: 9781781689837: Verso Books. Retrieved May 9, 2024, from https://www.amazon.com/Hacker-Hoaxer-Whistleblower-Spy-Faces/dp/1781689830

Darke, S. (2018). Self-Governing Prison Communities. In: Conviviality and Survival. Palgrave Studies in Prisons and Penology. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-319-92210-2_1

De Filippi, P. & Wright, A. (2018). Blockchain and the Law: The Rule of Code. Cambridge, MA and London, England: Harvard University Press. https://doi.org/10.4159/9780674985933

EC-Council. (n.d.). “Code Of Ethics.” EC-Council. Retrieved July 2, 2024, from https://www.eccouncil.org/code-of-ethics/

Ehrsam, F. (2020). “Governance Minimization.” October 28). Paradigm. Available online: https://www.paradigm.xyz/2020/10/870#what-governance-minimization-is-not. Accessed May 1, 2024.

Goerzen, M., & Coleman, G. (2022). Wearing Many Hats. Data and Society (REsearch report). Available online: https://datasociety.net/wp-content/uploads/2022/03/WMH_final01062022Rev.pdf. Accessed 14 May, 2024.

Grimes, R. A. (2017). “Hacker Code of Ethics.”. In Hacking the Hacker (pp. 271–274). John Wiley & Sons, Ltd. https://doi.org/10.1002/9781119396260.ch50.

Guadalupe, J.L.P., Cavallaro, J., and L. Nuñovero. (2021). “Towards a Governance Model of Ungovernable Prisons: How Recognition of Inmate Organizations, Dialogue, and Mutual Respect Can Transform Violent Prisons in Latin America”, 70. Cath. U. L. Rev. 367 (2021). Available at: https://scholarship.law.edu/lawreview/vol70/iss3/7.

Immunefi. (2023). “The Rekt Test”. Immunefi (blog). August 16. Available online: https://medium.com/immunefi/the-rekt-test-9834fc7467fb. Accessed May 13, 2024.

Jaspers, J.D. (2017). “Managing Cartels: how Cartel Participants Create Stability in the Absence of law.” Eur J Crim Policy Res 23, 319–335. https://doi.org/10.1007/s10610-016-9329-7.

Leeson, Peter T. “An-arrgh-chy: The law and economics of pirate organization.” Journal of political economy 115, no. 6 (2007): 1049–1094. https://doi.org/10.1086/526403.

Levy, S. (1984) Hackers: Heroes of the Computer Revolution. New York: Delta.

Levy, S.(1999) Crypto: How the Code Rebels Beat the Government: Saving Privacy in the Digital Age. New York: Viking.

Ludlow, P. Crypto Anarchy, Cyberstates, and Pirate Utopias. 2001. MIT Press.

Nabben, K. (2023a). Blockchain Governance: Accountability in Decentralised Technology Communities. (n.d.). Retrieved May 15, 2024, from https://kelsienabben.substack.com/p/blockchain-governance-accountability.

Nabben, K. (2023b). Web3 as ‘self-infrastructuring’: The challenge is how. Big Data & Society, 10(1). https://doi.org/10.1177/20539517231159002.

Nabben, K. (2023c). Cryptoeconomics as governance: An intellectual history from “Crypto Anarchy” to “Cryptoeconomics.” Internet Histories, 7(3), 254–276. https://doi.org/10.1080/24701475.2023.2183643.

Nabben, K. (2024, April 24). SEALing Crypto Security: A Web3 Information Sharing and Analysis Center (ISAC) (Substack newsletter). Available online: https://kelsienabben.substack.com/p/sealing-the-future-of-cryptocurrency. Accessed 14 May, 2024.

Nabben, K. & Zargham, M. (2022). “Permissionlessness.” Internet Policy Review, 11(2). https://doi.org/10.14763/2022.2.1656

Nabben, K., Burrrata, Zargham, M., and Zartler, J. (2022). “DAO Vulnerabilities: A Map of Lido Governance Risks & Opportunities”. BlockScience. Available online: https://medium.com/block-science/dao-vulnerabilities-a-map-of-lido-governance-risks-opportunities-92bc6384ff68. Accessed April 18, 2024.

Nissenbaum, Helen (2004) `Hackers and the Contested Ontology of Cyberspace’, New Media and Society (6)2: 195–217.

Nissenbaum, Helen. (2015). ‘Securing Trust Online: Wisdom or Oxymoron?’. Boston University Law Review, June 2001 Volume 81, №3 635–664.

Pcaverssacio (2024). “The Ethereum Cypherpunk Manifesto”. HackMD. Available online. https://hackmd.io/@pcaversaccio/the-ethereum-cypherpunk-manifesto. Accessed July 1, 2024.

Percoco, N. (@c7five). (2024, June 19). “In the essence of transparency…”. (Tweet). Twitter. https://twitter.com/c7five/status/1803403632689189154. Accessed 30 June, 2024.

Rekt. (2022). Ronin Network — Rekt. Rekt. Available online: https://www.rekt.news/. Accessed 14 May, 2024.

samczsun (@samczsun). (2024a). Sending my thoughts and prayers to the investment partners that have to explain why their portco hacked an american exchange, stole 3m dollars, and laundered it through an ofac-sanctioned protocol https://t.co/jWU1Gxoj66 (Tweet). June 19. Twitter. https://twitter.com/samczsun/status/1803563434124124252

samczsun (@samczsun). (2024b). Send certik to zero so they can stop fucking it up for the rest of us (Tweet). June 25. Twitter. https://twitter.com/samczsun/status/1805738423182868958

Seal-911. (n.d.). “SEAL 911 Code of Conduct”. GitHub. Available online: https://github.com/security-alliance/seal-911/blob/main/CODE_OF_CONDUCT.md. Accessed 13 May, 2024.

Sha Zhu Pan (2023). “Sha Zhu Pan Victim Runbook (Public). Google Docs. Available online: https://docs.google.com/document/d/1insM6q8b6vMVkdaUydaJGKt0TEEOf3jlx2mlrxCvqXU/edit#heading=h.k3ce66xgstxg. Accessed May 13, 2024.

Skarbek, D. (2016). “Covenants without the sword? Comparing prison self-governance globally”. American Political Science Review, 110(4), 845–862. doi:10.1017/S0003055416000563.

Stringham, E.P. (2015). Private Governance: Creating Order in Economic and Social Life (New York, 2015; online edn, Oxford Academic, 20 Aug. 2015), https://doi.org/10.1093/acprof:oso/9780199365166.001.0001. Accessed 16 Apr. 2024.

Stringham, E.P. (2017). Private Governance. In: The Routledge Handbook of Libertarianism by Brennan, J, van der Vossen, B., & Schmidtz, D (Eds.). https://doi.org/10.4324/9781317486794

TRM Labs (2023). “Illicit Crypto Ecosystem Report”. June, 2023. Available online: https://www.trmlabs.com/report. Accessed May 1, 2024.

Turner, F. (2010). From Counterculture to Cyberculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism. University of Chicago Press.

ZachXBT. (2024). “How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023”. Mirror.xyz (blog). Available online: https://zachxbt.mirror.xyz/B0-UJtxN41cJhpPtKv0v2LZ8u-0PwZ4ecMPEdX4l8vE. Accessed 14 May, 2024.