WBTC address poisoner was exposed through ‘digital evidence’ — Match Systems

The $68M address poisoning scammer was unveiled through “digital evidence,” including IP addresses and device fingerprints, Match Systems CEO Andrey Kutin stated.

The address poisoning attacker who drained $68 million worth of Wrapped Bitcoin (WBTC) was exposed through “digital evidence,” including a “device fingerprint,” according to statements made on May 23 by Match Systems CEO Andrey Kutin. These pieces of digital evidence eventually strengthened the victims’ hand in negotiations and resulted in the return of all the funds, he claimed.

According to the Match Systems CEO, the attacker did not use regulated exchanges compliant with Know Your Customer and Anti-Money Laundering requirements. Therefore, researchers couldn’t prove the person’s identity definitively. However, they discovered “secondary” or “circumstantial” evidence that the person they were investigating had not practiced proper due diligence and that stolen funds had fallen into their hands due to negligence. This is what strengthened their hand in negotiations.

The $68 million address poisoning attack occurred on May 5 against an Ethereum account whose address begins with “0x1e.” The attacker crafted a fake transaction that appeared to show the victim transferring tokens to the attacker’s address. Because this made it look as though the victim had voluntarily sent funds to that address before, the victim was misled into treating the attacker’s address as a safe, previously used destination.

As a result, the victim sent $68 million worth of WBTC to the attacker’s address, causing losses of 97% to the account.

However, on May 10, the attacker sent nearly all of the stolen funds back to the victim, resulting in a near-full recovery. At the time, blockchain security platform Match Systems claimed that this sudden turn of events was the result of negotiations it had facilitated between the two parties. The team claimed that the Cryptex cryptocurrency exchange had also helped with these negotiations.

Source: Match Systems

In a May 23 conversation with Cointelegraph, Match Systems’ Kutin revealed new details about how they convinced the attacker to return the stolen funds. 

According to Kutin, the team first became aware of the poisoning attack on the day it happened, as multiple social media accounts began claiming that a crypto “whale” had transferred $68 million in WBTC to a new address. The team quickly realized the transfer was due to an address poisoning attack. However, the victim’s identity was unknown, and there was no obvious way to contact them.

The Match Systems team decided to post a message to the Ethereum network, addressing it to the victim. “If the hacker does not make a refund, please contact us for help,” the message stated.

In response, a “third party” contacted the Match researchers, Kutin stated. The victim did not want to identify themselves, so they used a liaison to facilitate communication. Cryptex also became involved during this period and offered to help facilitate negotiations.

The attacker did not seed their wallet with funds from a regulated exchange, nor did they attempt to cash out the stolen loot through one of these exchanges. As a result, there was no easy way to determine the attacker’s identity.

However, the team was able to trace some of the attacker’s transactions to IP addresses in Hong Kong, Kutin claimed. These addresses became the springboard for further investigation.

In a May 8 blog post, blockchain security platform SlowMist also claimed to have discovered the IP addresses. According to it, the addresses were found through SlowMist’s “intelligence network.” The IP addresses appeared to be related to “mobile stations” or cell phone towers, although SlowMist could not completely rule out the possibility that they were VPN servers.

The address poisoner’s suspected IP addresses with redacted portions. Source: SlowMist

According to Kutin, Match Systems was able to connect these IP addresses to further pieces of “digital evidence” that could be used to identify the attacker, including a “device fingerprint.”

A “device fingerprint” can include information such as the user’s operating system, processor type, memory, screen resolution, browser version, plugins and extensions, time zone settings, language preferences, installed fonts, average typing speed and browsing habits, among other data, according to cybersecurity platform Trust Decision.


Kutin claimed that such digital evidence is the only way to catch cybercriminals in today’s environment. Attackers rarely attempt to cash out through regulated exchanges anymore. Today, there are “special laundering services” that make it easy for hackers to trade their crypto for cash.

The United States sometimes prosecutes these laundering services, but “maybe they have self-destroyed chats, and there will be nothing in their phones or their devices,” making it impossible for authorities to gather evidence against them, Kutin suggested. People have become “well educated on both sides.”

Instead of attempting to go after these laundering services, Match Systems focuses on finding a “very thin thread” of digital evidence that can be used to identify a scammer. This thin thread can include IP addresses, device fingerprints, and other “tips and tricks.”

The evidence was “secondary” or “circumstantial,” Kutin acknowledged. Since it only proved that a device was used to launder the stolen funds, it could not be tied directly to the attack itself. However, it could still prove that the person who performed the transactions had not practiced due diligence in determining the source of the funds received.

“Oh no, we received the stolen money. It’s not our stolen money,” Kutin said, mimicking what he often hears from attackers. But “you must know the very simple principle of due diligence,” he said.

The team used this evidence in negotiations with the attacker, whom it had contacted through a blockchain message in order to open a conversation. The end result was that the attacker returned all of the funds and has not yet been prosecuted.

Kutin acknowledged that this could be seen as a bad result since the attacker was no longer of public interest for prosecution. However, he argued that the result is better than most alternatives, as at least the victim was able to recover all of their funds. “It could be a not very good end because the criminal will go away without any punishment, but it’s not very bad for both sides,” he argued.

Address poisoning attacks are a common problem for blockchain users, although most do not result in the massive losses originally seen in this case. Experts suggest that users should inspect the sending address in every transaction to ensure they do not fall victim to this type of attack.
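The inspection that experts recommend can be partly automated on the wallet side. The following is an added example, not code from the article, Match Systems or SlowMist: it treats only addresses the user has actually sent value to as trusted, flags a destination that matches a trusted address in the leading and trailing characters a wallet UI displays, and flags addresses that only ever appeared in zero-value transfers. All addresses and transaction records are constructed samples; the real victim account is not used.

```python
# Added example (not from the article or the companies it quotes): a
# wallet-side check against address poisoning. Addresses and history below
# are constructed; the attack pattern is the one the article describes.

VICTIM = "0x1e" + "0" * 36 + "aa"  # constructed placeholder, not the real account

def lookalike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when two distinct addresses share the leading and trailing hex
    characters most wallet UIs show (e.g. 0xd9a1...e28b), hiding the middle."""
    a, b = a.lower(), b.lower()
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]

def trusted_counterparties(owner: str, history: list[dict]) -> set[str]:
    """Addresses the owner has sent real value to. Only these should count as
    'previously used'; an address that merely appears in the history does not."""
    owner = owner.lower()
    return {tx["to"].lower() for tx in history
            if tx["from"].lower() == owner and tx["value"] > 0}

def check_destination(owner: str, history: list[dict], dest: str) -> str:
    """Return 'ok', or a reason to stop and verify the full address out of band."""
    dest = dest.lower()
    trusted = trusted_counterparties(owner, history)
    if dest in trusted:
        return "ok"
    for t in trusted:
        if lookalike(dest, t):
            return f"lookalike of trusted {t}: differs in the hidden middle characters"
    seen = [tx for tx in history if dest in (tx["from"].lower(), tx["to"].lower())]
    if seen and all(tx["value"] == 0 for tx in seen):
        return "address seen only in zero-value transfers, likely poisoning"
    return "never used; verify out of band"

# Constructed history: one real payment to a partner, then a poisoning
# transfer that plants a lookalike in the outgoing list, then unsolicited dust.
PARTNER = "0xd9a1c3e8e4a6ad8ad6aa3b7d9eabc5a5d3b6e28b"
POISON = "0xd9a1c39e2f5b0c4e8c1d7a6f5b3a2c1e0d9fe28b"   # same prefix and suffix
DUST = "0xabcd" + "1" * 34 + "ef"
HISTORY = [
    {"from": VICTIM, "to": PARTNER, "value": 1000},
    {"from": VICTIM, "to": POISON, "value": 0},    # attacker-induced zero-value transfer
    {"from": DUST, "to": VICTIM, "value": 0},      # unsolicited inbound dust
]

if __name__ == "__main__":
    for dest in (PARTNER, POISON, DUST):
        print(dest, "->", check_destination(VICTIM, HISTORY, dest))
```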
