The address-poisoning attacker who tricked a user into sending them 1,155 Wrapped Bitcoin (wBTC) worth $68 million at the time has returned nearly all of the stolen funds, blockchain data shows. The funds were swapped for Ether while held by the attacker, with the price of ETH falling since.
However, the attacker sent back approximately 22,960 Ether (ETH) worth $65.7 million, representing over 96% of the United States dollar value of the funds initially stolen.
At 8:47 am UTC on May 10, multiple wallets began sending ETH to the account. The first transfer was for 29.999 ETH ($87,199 based on the ETH price at the time). Over the next day, over 225 wallet transactions were made from various accounts to send ETH to the victim’s address. The value of each transaction ranged from 29 to 67 ETH.
By the end of the series of transactions, the wallet had a balance of over 29,000 ETH.
The transfers occurred after a series of messages had been exchanged between the victim and the attacker. The victim initially agreed to allow the attacker to keep 10% of the funds as a bounty. However, the attacker has returned more than 90% of the funds at the time of publication.
In a report from Match Systems seen by Cointelegraph, the platform claimed to have discovered information that “strengthened” the victim’s negotiating position, implying that security experts were making progress toward identifying who the attacker was. It stated:
"The Match Systems team conducted a detailed analysis of the incident and identified several opportunities to strengthen the negotiating position for subsequent communication with the attacker. Today as a result of negotiations with the attacker, conducted with the participation of the cybersecurity agency Match Systems [...] and the Cryptex cryptocurrency exchange [...], the hacker returned the entire stolen amount of 22,960 ETH to the victim. At the moment, the victim has no complaints against the attacker."
Address poisoning attacks can cause substantial losses to crypto users. Experts suggest that they can be avoided by carefully inspecting the receiving address before each transaction is sent.
Related: DEA gets duped: Agency loses $55K in address poisoning scam
Update 5-11-2024 at 3:24 pm: This article has been updated to include more text from the Match Systems statement.