Hacking-Back: Six Justifications for Doing It and What’s Wrong With Each One

If the idea of “hacking-back” against cybercriminals who have harmed you or your company has seized you, your executive team, or your spouse as a reasonable thing to do, read

If the idea of “hacking-back” against cybercriminals who have harmed you or your company has seized you, your executive team, or your spouse as a reasonable thing to do, read on.  It’s an incredibly risky strategy.

First let’s look at why we’d ever dream of doing it in the first place: there are six likely motives or apparent “incentives” to hack back.  They are:

  • To stop the hacker. This is only possible in one of two ways:
  • Through the destruction of their capabilities. This is highly unlikely, as cybercriminals are smart enough to have redundant systems.  It also doesn’t take much for them to get going again: one PC plus some malware-as-a-service.
  • Through intimidation. Also highly unlikely – criminals have so much of an advantage that they don’t intimidate easily.
  • To deter other hackers. This would require that other hackers learn about the counter attack, but this creates another problem: any company who declares they are aggressively pursuing cybercriminals makes themselves a target (if not a trophy).  Hell hath no fury like a hacker scorned or taunted.
  • To obtain proof of the theft. This could only occur if the hack-back team succeeded in finding unencrypted stolen information on the hackers’ computers.  Even then, “proof” would have to exist in a form which law enforcement could be convinced had not been manufactured or manipulated.
  • To retrieve stolen information. This is the most laughable of them all, and yet it is the reason most often mentioned by legal bloggers, legislators and commissions as being a good reason to hack back.  It’s hard to believe that anyone with a smattering of knowledge about how computers work would think a hacker would steal something of value and not copy and encrypt it, as they have been doing for years.  Even garden-variety blackmailers like scum-of-the-earth sextortionists know to make copies.
  • Restitution – this is the first one which might make sense if you have a huge amount of resources to throw at the problem. Start by stealing something of equal value from hackers and then:   
  • Trade it for money or assets to offset the theft of your information;
  • Use it to bargain with; get attackers to undo effects of the attack (return stolen property, destroy copies, provide compensation to rectify mitigation costs).
  • Revenge – hurt them back like they hurt you. This might sound satisfying, but it might also spark a full-on battle which could become incredibly expensive as hackers destroy everything they can.  It’s also illegal. Even if a certain law enforcement agency encourages you, they are likely to scatter if the matter goes public.

Also, since innocent third parties – whose systems were infected – may be hurt by a hack-back, we must be certain we know who is ultimately responsible.  This is complicated by the fact that cybercriminals know the tools anti-cybercriminal organizations use to establish attribution.  This means they can use them to hide who they are.  For example, they will add language of another nationality to the code, launch attacks from ISPs in other countries, and even outsource their attacks to other hackers.  Because of this, absolute attribution is considered virtually impossible these days unless there is a signed confession.


Our position on hacking back is simple: it never makes sense. First, it’s illegal. Second, decisions to do this are almost always emotionally based, and the costs may skyrocket disastrously. Third, the companies who venture into hacking-back take extra risks for themselves – with potentially dire repercussions – and the innocent third parties. These companies have much more to lose in an all-out hacking war than the attackers in almost every conceivable case.

There are a few techniques of active defense which could foil future attacks, making counterstrikes unnecessary.

These should include:

  1. Internal network protections
  2. Deception/diversionary tactics like honeypots
  3. Robust auditing, tracking, and data encryption internally
  4. Continual review of new products and new techniques in this area

And of course a mature security solution capable of blocking hacking attacks should be in place.