Recently, $71 million worth of cryptocurrency stolen in a wallet poisoning scam was fortunately but mysteriously returned to the victims.
An unknown attacker returned $71 million worth of Ether (ETH) tokens on May 12 after a high-profile phishing incident caught the attention of several blockchain research firms. Lookonchain, an on-chain security company, unpacked the details in an X post on May 13:
“SlowMist_Team published a report on this incident three days ago, tracing the IPs of several attackers believed to be from Hong Kong (VPN use was not ruled out). Afterwards, the attacker responded to the whale and returned all the funds.”
This is a surprising development following an attack on May 3 in which an investor fell victim to a wallet poisoning scam by sending $71 million worth of Wrapped Bitcoin (WBTC) to a bait wallet address. The scammer created a wallet address with similar alphanumeric characters and made small transactions into the victim’s account.
Like most investors, the victim verified the wallet address by matching the first and last few characters and transferred 97% of the assets to the wallet address. However, the difference would have been noticeable in the middle characters, which platforms often hide to improve visual appeal.
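The weakness described above, matching only the first and last few characters, can be checked mechanically. The sketch below is an added example, not code from the article or from any firm it cites; the addresses are constructed and the function names are hypothetical. It flags senders of incoming transfers that imitate an address-book entry and accepts a destination only on a full-length match.

```python
# Added example: constructed addresses, hypothetical function names.

def normalize(addr: str) -> str:
    """Lowercase and drop the 0x prefix; hex addresses compare case-insensitively."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """True when two different addresses share their first and last n hex characters."""
    a, b = normalize(a), normalize(b)
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]

def find_poison_candidates(trusted, senders, n=4):
    """Pair each sender seen in incoming transfers with the trusted address it imitates."""
    return [(s, t) for s in senders for t in trusted if looks_alike(s, t, n)]

def safe_to_send(destination, trusted) -> bool:
    """Accept a destination only on a full-length match against the address book."""
    return normalize(destination) in {normalize(t) for t in trusted}

# Constructed sample data (not real addresses): 4 + 32 + 4 hex characters each.
TRUSTED_ADDR = "0xd9A1" + "11" * 16 + "53f1"
LOOKALIKE = "0xd9a1" + "22" * 16 + "53F1"
UNRELATED = "0x" + "ab" * 20
ADDRESS_BOOK = [TRUSTED_ADDR]
INCOMING_SENDERS = [UNRELATED, LOOKALIKE]

if __name__ == "__main__":
    for sender, imitated in find_poison_candidates(ADDRESS_BOOK, INCOMING_SENDERS):
        print(f"look-alike sender {sender} imitates {imitated}")
    for dest in (TRUSTED_ADDR, LOOKALIKE):
        print(dest, "OK" if safe_to_send(dest, ADDRESS_BOOK) else "BLOCKED")
```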
White hat hacker, good Samaritan, or scared thief?
Despite returning all stolen funds, the on-chain transactions leading up to this incident suggest that this was not the exploiter’s initial intention.
After receiving the stolen funds, the attacker immediately converted 1,155 WBTC into approximately 23,000 ETH. This is a popular move among malicious hackers, as it can help launder stolen funds through cryptocurrency mixing services and privacy protocols such as Tornado Cash.
On May 8, the attackers began dispersing funds across more than 400 cryptocurrency wallets, eventually spreading them across more than 150 separate wallets before returning the assets.
The return of funds came shortly after the on-chain security company SlowMist published an analysis of the attacker’s potential Hong Kong-based IPs, suggesting that the thieves were frightened by the potential consequences.
According to SlowMist’s May 10 incident report, the $71 million theft was just one part of a phishing attempt involving WBTC.
“After investigating this fee address, we determined that more than 20,000 microtransactions were initiated from this address between April 19 and May 3, resulting in small amounts of ETH being distributed to various addresses for phishing purposes.”
The amount of cryptocurrency stolen through hacks and fraud fell to $25.7 million in April, the lowest historical figure since on-chain intelligence firm CertiK began tracking the data in 2021.