What Is a Grey Hat?

In this guide, we will learn: What Is a Grey Hat? – guide 2023

The law tends to be very black-and-white when it comes to the legality of things like hacking. Either something is – or is not – a crime. Ethics, however, can be much more nuanced. While the ethics of something may be taken into account in a criminal setting, either with a lack of enforcement or softer sentences, this is not guaranteed in any way.

The term grey hat hacker refers to hackers that walk this tightrope. Often their actions are illegal, but they have some ethical justification or framework. Technically, it also covers those that act legally but unethically. That group, however, is a lot smaller than the first.

The problem with black hat hackers is that they victimize innocent people, just going about their lives. It doesn’t matter if you’re a hospital with patients whose lives hang in the balance if you’re critical national infrastructure, a nuclear facility, or responsible for the pensions of millions of people. Anyone is acceptable as a victim to them because their goal is, typically, to benefit themselves.

The modus operandi of grey hat hackers varies, but often they use illegal acts while attempting to minimize the harm their actions cause. This typically takes the form of acting like a white hat, identifying vulnerabilities and responsibly disclosing them, but critically doing so without permission.


A grey hat is typically motivated similarly to a white hat hacker. They want to disclose issues to improve security for the user responsibly. Generally, however, they find the legal system too restrictive and act without permission. In several cases, this is done because there was no action when the proper procedure was followed or because they were hacking for fun.

Many early computer hackers were motivated by trying to see what could be done. In many cases, these hackers didn’t do anything malicious. Technically, they would look at data, but there weren’t black markets on which to sell it. It was standard practice for these hackers to “plant a flag,” signaling that they had been there and then stop and move on. Often the flag would be something simple like a text file saying, “X was here.” This would certainly be illegal in modern times, but the applicable laws didn’t exist then. These hackers were typically doing so for fun and generally didn’t do much harm. As such, they could be called grey hats, though they could just as well be called black hats.

Sometimes, when an ethical hacker attempts to report a security vulnerability they have stumbled across, they are met with silence, dismissal, or disbelief. This then leaves the ethical hacker in a quandary. Do you keep everything secret and hope no black hat hackers notice the flaw, or do you publish the details to allow potential victims to choose not to use the insecure system while at the same time informing the black hats of the issue? It’s a difficult choice and ethically challenging.

Real-World Examples

In 2013, Khalil Shreateh, a security researcher, discovered a vulnerability that allowed one Facebook user to post as another user. He had attempted to disclose the issue adequately through Facebook’s bug bounty program. The problem, however, was rejected as “not a bug.” Frustrated and aware of the potential use of such an issue for black hats, he chose to exploit this issue in a very noticeable way.

By affecting Mark Zuckerberg’s Facebook page, he limited his actions’ fallout while clearly stating how much of a problem the vulnerability was. Facebook then quickly fixed the issue. It didn’t pay any bug bounty, as Khalil had exceeded the restrictions on the program. It also did not attempt to push charges. This is an excellent example of the hacker deciding that the ends justified the means, even though the means were illegal.

In the year 2000, two hackers, “{}” and “Hardbeat,” hacked into the website of the Apache web server. If they were black hats, they could have quietly set up malicious downloads in place of legitimate ones. Any user unlucky enough to install the web server before the hack was discovered would have been affected. Instead, they “only” defaced the website, swapping out some images. The actions didn’t harm any users and led to direct dialogue, resulting in the issue being fixed. Again, the actions were illegal, but in someone else’s hands, the situation could have been a lot worse.

Choosing a “Deserving” Victim

In some cases, grey hat hackers actively target groups to which they object. Often these objections are powerful and respected by society at large. This isn’t just political groups that you disagree with. It tends to be things like groups supporting terrorism, repressive regimes, criminal organizations, or pedophile rings. Again, all of these actions are illegal, but the grey hat chooses its targets based on a moral framework that is typically socially acceptable. They hope that their efforts help to protect people.

A grey hat that works under this principle may also consider themselves a sort of Robin Hood-like figure. They may even take this comparison very literally, steal money from their chosen “deserving” victims, and then give it to a self-defined good cause. This entire concept is highly subjective. Some people may agree that the actions, while illegal, are ethical, while others may not.


A grey hat is a hacker whose actions and motivations fall somewhere between a black and a white hat hacker. Typically, they operate under the principle that the ends justify the means. They get security vulnerabilities resolved but typically break the law in the process of doing so. This action differentiates them from white hats.

The care to minimize the fallout to victims, or in some cases to pick “deserving” victims, separates them from black hats. It is essential to understand that despite the actions of a grey hat being ethically justifiable, at least to some degree, many jurisdictions will not consider this if and when the actions come to trial.

5/5 - (41 votes)


is Senior Writer DZ-TECH, where he covers the world of technology, hacking, cybersecurity, surveillance and privacy.

Leave a Comment