A malicious actor, rather than a white hat hacker, evidently aimed to pilfer the funds before any investigative intervention took place, as indicated by the trail of on-chain transactions preceding the return.
In a surprising turn of events, a staggering $71 million worth of stolen cryptocurrencies from a recent wallet poisoning scam has been returned to the victim.
An anonymous attacker unexpectedly returned a staggering $71 million worth of Ether (ETH) tokens on May 12, in response to a high-profile phishing incident that had garnered significant attention within the cryptocurrency community.
Lookonchain, an on-chain security firm, dissected the particulars in a post on X on May 13th:
“SlowMist_Team released a report on this incident 3 days ago, tracking multiple attacker's IPs possibly from Hong Kong (the use of VPNs has not been ruled out). After that, the attacker replied to the whale and returned all the funds.”
The return relates to a May 3 attack in which an investor inadvertently sent $71 million worth of Wrapped Bitcoin (WBTC) to a bait wallet address after falling prey to a wallet poisoning scam; on May 12, an unknown individual returned $71 million worth of Ether (ETH) tokens in connection with that incident.
The scammer generated a wallet address whose first and last characters closely matched the intended recipient's address, then sent a small transaction to the victim's account to create a false sense of familiarity and trust.
Like most investors, the victim tried to confirm the wallet address by visually comparing only its first and last characters, then transferred a substantial portion of their assets, 97% of the total, to the fraudulent address, convinced it was genuine.
Although the first and last characters of the fraudulent address matched the legitimate one, the middle characters differed; many wallets and explorers truncate that middle section for display, which unintentionally aids this kind of deception.
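The two checks a wallet or treasury tool would want against this pattern, as an added example that is not part of the original article: flag tiny incoming transfers from addresses that mimic an address-book entry on the displayed prefix and suffix, and refuse to treat an outgoing recipient as trusted unless the full address matches. All addresses and transfers below are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample addresses (not from the incident): a trusted payee, an attacker
# lookalike sharing its first and last four hex digits, and an unrelated address.
TRUSTED   = "0xd9a1000000000000000000000000000000004d2f"
LOOKALIKE = "0xd9a1ffffffffffffffffffffffffffffffff4d2f"
UNRELATED = "0x1234567890abcdef1234567890abcdef12345678"
ADDRESS_BOOK: Dict[str, str] = {"exchange-deposit": TRUSTED}

_HEX40 = re.compile(r"^0x[0-9a-f]{40}$")

def looks_like_poisoned(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if candidate matches trusted on exactly the digits a truncated wallet UI
    shows (first `prefix` and last `suffix` hex digits) but is not the same address."""
    c, t = candidate.lower(), trusted.lower()
    if not (_HEX40.match(c) and _HEX40.match(t)) or c == t:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]

def verify_recipient(recipient: str, book: Dict[str, str]) -> str:
    """Classify an outgoing recipient against the full, untruncated address book.
    Returns 'trusted:<label>', 'lookalike-of:<label>' or 'unknown'."""
    r = recipient.lower()
    for label, addr in book.items():
        if r == addr.lower():
            return f"trusted:{label}"
    for label, addr in book.items():
        if looks_like_poisoned(r, addr):
            return f"lookalike-of:{label}"
    return "unknown"

def flag_dust_senders(transfers: List[dict], book: Dict[str, str], dust_eth: float = 0.001) -> List[str]:
    """Return senders of tiny incoming transfers whose address mimics an address-book
    entry: the 'poisoning' transaction that seeds the lookalike into the history."""
    flagged: List[str] = []
    for tx in transfers:
        tiny = tx["value_eth"] <= dust_eth
        mimics = any(looks_like_poisoned(tx["from"], a) for a in book.values())
        if tiny and mimics and tx["from"] not in flagged:
            flagged.append(tx["from"])
    return flagged

# Constructed incoming history: a zero-value dust transfer from the lookalike, a real
# deposit from the trusted address, and a small transfer from an unrelated address.
SAMPLE_TRANSFERS = [
    {"from": LOOKALIKE, "value_eth": 0.0},
    {"from": TRUSTED,   "value_eth": 1.5},
    {"from": UNRELATED, "value_eth": 0.0001},
]

if __name__ == "__main__":
    print(flag_dust_senders(SAMPLE_TRANSFERS, ADDRESS_BOOK))  # [LOOKALIKE]
    print(verify_recipient(LOOKALIKE, ADDRESS_BOOK))          # lookalike-of:exchange-deposit
```

The comparison is case-insensitive on the raw hex; it does not validate EIP-55 checksums, which a production wallet should do in addition.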
Although the stolen funds were fully returned, an analysis of on-chain transactions that transpired before the event points to the possibility that this outcome was not the exploiter’s original plan.
Immediately after acquiring the stolen funds, the attacker converted the 1,155 WBTC into roughly 23,000 ETH, a common first step for thieves who intend to launder assets through privacy protocols and cryptocurrency mixing services such as Tornado Cash.
On May 8, the attacker began dispersing the stolen funds across more than 400 crypto wallets, later consolidating them into more than 150 individual wallets, before the unexpected return.
The return closely followed the publication of an analysis by on-chain security firm SlowMist that pointed to possible Hong Kong-based IP addresses for the attacker. The heightened prospect of identification and potential repercussions may have prompted the thief to return the assets.
The May 10 incident report released by SlowMist shows the $71 million WBTC theft to be just one piece of a much more extensive network of phishing attempts linked to the same thief.
“Upon investigating this fee address, we observed that from April 19 to May 3, this address initiated over 20,000 small transactions, distributing small amounts of ETH to various addresses for phishing purposes.”
According to a recent report by on-chain intelligence firm CertiK, the total value of cryptocurrencies stolen from hacks and scams experienced a significant decline in April, reaching a historic low of $25.7 million, representing the lowest monthly total since CertiK began tracking such data in 2021.