The hacker returned almost all the funds from the stolen $68 million to the user

The criminal, who defrauded the victim out of $68 million using an address poisoning scheme, expressed his willingness to negotiate by publishing two corresponding messages and gave the user 51 ETH (~$153,800) on the morning of May 9th. Then, within a few days, almost the entire amount was returned. This is evidenced by on-chain data on the Etherscan platform.

Source: Etherscan

“Please leave your Telegram, I will contact you,” the scammer wrote to the victim twice.
Communication took place through the Input Data field in the Ethereum transaction. The attacker responded to the request after the injured party demanded the return of most of the funds on May 5. The 51 ETH transferred amounted to only 4.2% of the requested amount.

“There is no turning back after this,” the victim wrote, adding:
“We both know that it is impossible to clean these funds. You will be hunted down.”
The victim suggested that the hacker keep 10% of the stolen amount for himself and return the remaining 90% by May 6.

Source: Etherscan.

Negotiations began following an incident in which the attacker allegedly tricked the victim into transferring 1,155 wBTC (equivalent to $68 million at the time) to his account using the “address spoofing” method.

An analysis of blockchain data shows that on the morning of May 3, the attacker used a smart contract to transfer 0.05 tokens from the victim’s account to his own account. On Etherscan, this token did not have a specific name and was designated as “ERC-20”. Typically, attackers cannot transfer tokens without the owner’s permission, but this token had non-standard characteristics that made it possible to transfer it from one account to another without the user’s consent.

Later that same day, the victim apparently mistakenly sent 1,155 wBTC to the address provided. The address may have looked similar to the one the victim typically used to make transfers to the centralized exchange (the start and end of the address were the same), or there was another reason why the address might have looked familiar.

Additionally, the victim could see that they had “already sent 0.05 tokens to this address” in the past and therefore assumed it was safe. However, the 0.05 tokens were sent by the attacker and appear to have only come from the victim.
Update and return of stolen funds
Update for May 11. According to the analytics company PeckShield, the hacker returned almost all of the stolen funds - 22,960 ETH (~$67.1 million).

Source: X-account PeckShield

The attacker, having probably reached an agreement with the victim on Telegram, began to return the funds in installments. Within a few days, he returned almost all of the stolen funds in a series of small transactions.

PeckShield data as of May 9

AML Crypto opinion
It is worth noting that this incident had an almost perfect happy ending for everyone except the police. The user promptly returned almost all of his funds and paid a relatively small amount for a valuable lesson in crypto security, the attacker received a good reward for his “cyber efforts,” the media received an interesting story, and other victims of crypto scammers hoped for a good outcome of their situation.

But on the other hand, law enforcement agencies never caught or punished the attacker. And the chance of cryptocurrencies being stolen, as in this case, is minimal and instills false optimism in other users who have lost their funds.

If you have become a victim of fraud, we advise you to read our article: How to return stolen funds, in which we described in detail the refund scheme and all your steps towards restoring the funds. And of course, you should seek help from professionals.

We also remind you that you can check your crypto wallet for cleanliness, perform AML address verification, track a transaction - this and more can be done in our Btrace solution. Free AML wallet verification for every new user.
Check blockchain address using Btrace
In seconds, determine the risk level of the counterparty’s address, find out the source of his funds and make an informed decision about interacting with him.




We also recommend